Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages

["Uwe Kleine-König" <u.kleine-koenig@baylibre.com>]

[-- Attachment #1: Type: text/plain, Size: 3644 bytes --]

On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > Hi Richard,
> >
> > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> >> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> >> > 
> >> > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> >> > > With SELinux enabled for the target it makes sense to have SELinux
> >> > > support enabled for the native tools, too.
> >> > > 
> >> > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> >> > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> >> > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> >> > > ---
> >> > > Hello,
> >> > > 
> >> > > I use this on scarthgap, but the patch applies fine to master, too.
> >> > > 
> >> > > During a debug session it took me quite a while to find out why
> >> > > 
> >> > > 	ls -lZ "${IMAGE_ROOTFS}
> >> > > 
> >> > > at the end of selinux_set_labels() didn't show the labels added by
> >> > > setfiles.
> >> > > 
> >> > > Best regards
> >> > > Uwe
> >> > > 
> >> > >   classes/enable-selinux.bbclass | 2 +-
> >> > >   conf/layer.conf                | 4 ++++
> >> > >   2 files changed, 5 insertions(+), 1 deletion(-)
> >> > > 
> >> > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> >> > > index 3dc61d6931ff..0c9f52e74cec 100644
> >> > > --- a/classes/enable-selinux.bbclass
> >> > > +++ b/classes/enable-selinux.bbclass
> >> > > @@ -1,3 +1,3 @@
> >> > >   inherit selinux
> >> > >   
> >> > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> >> > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> >> > > diff --git a/conf/layer.conf b/conf/layer.conf
> >> > > index 4e04e5cc7e6a..ca981db57019 100644
> >> > > --- a/conf/layer.conf
> >> > > +++ b/conf/layer.conf
> >> > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> >> > >   "
> >> > >   
> >> > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> >> > > +
> >> > > +# With target support for SELinux it is very helpful during debug when the
> >> > > +# native tools support SELinux, too.
> >> > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> >> > 
> >> > Can we add this to the doc (e.g. README) instead of enabling it directly 
> >> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> >> > "selinux" in layer.conf either.
> >> 
> >> I just wanted to add that putting that directly in layer.conf will mean
> >> the layer isn't Yocto Project Compatible too.
> >
> > I am going to send a v2 and take over this work, already asked Uwe about
> > that.
> >
> > But before doing it, I was wondering why changing layer.conf will make
> > the layer not compatible with Yocto Project anymore. Can you explain to
> > us the reason?
> 
> I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > Inclusion of any layer in the submission does not change the
> > behavior/configuration of the overall system without the user
> > explicitly opting into those changes
> 
> By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> configuration changes globally without explicit opt-in of the user.

Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
contain "selinux", this is a noop. So I don't see how this violates the
quoted critera.

What am I missing?

Best regards
Uwe

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]