* [meta-selinux][PATCH] Enable SELinux support in native packages
@ 2026-02-13 15:42 Uwe Kleine-König
2026-03-09 12:23 ` [yocto-patches] " Yi Zhao
0 siblings, 1 reply; 13+ messages in thread
From: Uwe Kleine-König @ 2026-02-13 15:42 UTC (permalink / raw)
To: yocto-patches
With SELinux enabled for the target it makes sense to have SELinux
support enabled for the native tools, too.
Note that for native packages DISTRO_FEATURES is filtered, thus up to now
it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
make "selinux" propagate also to DISTRO_FEATURES for native packages.
---
Hello,
I use this on scarthgap, but the patch applies fine to master, too.
During a debug session it took me quite a while to find out why
ls -lZ "${IMAGE_ROOTFS}"
at the end of selinux_set_labels() didn't show the labels added by
setfiles.
Best regards
Uwe
classes/enable-selinux.bbclass | 2 +-
conf/layer.conf | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
index 3dc61d6931ff..0c9f52e74cec 100644
--- a/classes/enable-selinux.bbclass
+++ b/classes/enable-selinux.bbclass
@@ -1,3 +1,3 @@
inherit selinux
-PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
+PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
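Review bot: the commit message should say what target_selinux(d, 'selinux') did for native recipes and why the plain bb.utils.filter('DISTRO_FEATURES', 'selinux', d) is the right replacement, because this hunk only changes behaviour together with the layer.conf hunk: on its own, native recipes inheriting enable-selinux still see a filtered DISTRO_FEATURES without "selinux" and end up with the same PACKAGECONFIG as before. The layer.conf hunk extends only DISTRO_FEATURES_FILTER_NATIVE, so nativesdk recipes inheriting this class are not covered by the change; state whether that is intended.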
diff --git a/conf/layer.conf b/conf/layer.conf
index 4e04e5cc7e6a..ca981db57019 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
"
PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
+
+# With target support for SELinux it is very helpful during debug when the
+# native tools support SELinux, too.
+DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
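Review bot: the comment presents this as a debugging aid, but the line takes effect for every build that includes the layer and has "selinux" in DISTRO_FEATURES, switching the PACKAGECONFIG of all native recipes inheriting enable-selinux; the comment and commit message should state that scope, and also state explicitly that the append is a no-op when DISTRO_FEATURES does not contain "selinux", since that is what decides whether the layer still changes nothing without user opt-in (the Yocto Project Compatible concern raised later in this thread). Consider whether documenting the opt-in in the README or a distro config is preferable to layer.conf, as the other reviewers ask.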
base-commit: 536df5a4fbce3c9fd63f51580f43d248a0d1b0ef
--
2.47.3
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-02-13 15:42 [meta-selinux][PATCH] Enable SELinux support in native packages Uwe Kleine-König
@ 2026-03-09 12:23 ` Yi Zhao
2026-03-09 14:21 ` Richard Purdie
0 siblings, 1 reply; 13+ messages in thread
From: Yi Zhao @ 2026-03-09 12:23 UTC (permalink / raw)
To: yocto-patches
On 2/13/26 23:42, Uwe Kleine-König wrote:
> With SELinux enabled for the target it makes sense to have SELinux
> support enabled for the native tools, too.
>
> [...]
> +# With target support for SELinux it is very helpful during debug when the
> +# native tools support SELinux, too.
> +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
Can we add this to the doc (e.g. README) instead of enabling it directly
in layer.conf? Since we haven't directly enabled DISTRO_FEATURES =
"selinux" in layer.conf either.
Thanks,
Yi
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-09 12:23 ` [yocto-patches] " Yi Zhao
@ 2026-03-09 14:21 ` Richard Purdie
2026-03-17 17:40 ` Hiago De Franco
0 siblings, 1 reply; 13+ messages in thread
From: Richard Purdie @ 2026-03-09 14:21 UTC (permalink / raw)
To: yocto-patches
On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> On 2/13/26 23:42, Uwe Kleine-König wrote:
> > [...]
> > +# With target support for SELinux it is very helpful during debug when the
> > +# native tools support SELinux, too.
> > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
>
> Can we add this to the doc (e.g. README) instead of enabling it directly
> in layer.conf? Since we haven't directly enabled DISTRO_FEATURES =
> "selinux" in layer.conf either.
I just wanted to add that putting that directly in layer.conf will mean
the layer isn't Yocto Project Compatible too.
Cheers,
Richard
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-09 14:21 ` Richard Purdie
@ 2026-03-17 17:40 ` Hiago De Franco
2026-03-17 18:23 ` Yoann Congal
0 siblings, 1 reply; 13+ messages in thread
From: Hiago De Franco @ 2026-03-17 17:40 UTC (permalink / raw)
To: Richard Purdie; +Cc: yocto-patches, Yi Zhao, Uwe Kleine-König
Hi Richard,
On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > [...]
> > Can we add this to the doc (e.g. README) instead of enabling it directly
> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES =
> > "selinux" in layer.conf either.
>
> I just wanted to add that putting that directly in layer.conf will mean
> the layer isn't Yocto Project Compatible too.
I am going to send a v2 and take over this work, already asked Uwe about
that.
But before doing it, I was wondering why changing layer.conf will make
the layer not compatible with Yocto Project anymore. Can you explain to
us the reason?
Thanks!
Hiago.
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-17 17:40 ` Hiago De Franco
@ 2026-03-17 18:23 ` Yoann Congal
2026-03-17 20:19 ` Hiago De Franco
2026-03-18 7:50 ` Uwe Kleine-König
0 siblings, 2 replies; 13+ messages in thread
From: Yoann Congal @ 2026-03-17 18:23 UTC (permalink / raw)
To: yocto-patches, Richard Purdie; +Cc: Yi Zhao, Uwe Kleine-König
On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
>> [...]
>> I just wanted to add that putting that directly in layer.conf will mean
>> the layer isn't Yocto Project Compatible too.
>
> I am going to send a v2 and take over this work, already asked Uwe about
> that.
>
> But before doing it, I was wondering why changing layer.conf will make
> the layer not compatible with Yocto Project anymore. Can you explain to
> us the reason?
I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> Inclusion of any layer in the submission does not change the
> behavior/configuration of the overall system without the user
> explicitly opting into those changes
By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
configuration changes globally without explicit opt-in of the user.
[0]: https://www.yoctoproject.org/compatible-registration/
--
Yoann Congal
Smile ECS
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-17 18:23 ` Yoann Congal
@ 2026-03-17 20:19 ` Hiago De Franco
2026-03-18 7:50 ` Uwe Kleine-König
1 sibling, 0 replies; 13+ messages in thread
From: Hiago De Franco @ 2026-03-17 20:19 UTC (permalink / raw)
To: Yoann Congal
Cc: yocto-patches, Richard Purdie, Yi Zhao, Uwe Kleine-König
On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > [...]
> > But before doing it, I was wondering why changing layer.conf will make
> > the layer not compatible with Yocto Project anymore. Can you explain to
> > us the reason?
>
> I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > Inclusion of any layer in the submission does not change the
> > behavior/configuration of the overall system without the user
> > explicitly opting into those changes
>
> By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> configuration changes globally without explicit opt-in of the user.
>
> [0]: https://www.yoctoproject.org/compatible-registration/
Got it, thanks for the explanation! I will send the v2 patch soon.
Regards,
Hiago.
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-17 18:23 ` Yoann Congal
2026-03-17 20:19 ` Hiago De Franco
@ 2026-03-18 7:50 ` Uwe Kleine-König
2026-03-18 9:12 ` Richard Purdie
1 sibling, 1 reply; 13+ messages in thread
From: Uwe Kleine-König @ 2026-03-18 7:50 UTC (permalink / raw)
To: Yoann Congal; +Cc: yocto-patches, Richard Purdie, Yi Zhao
On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> [...]
> I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > Inclusion of any layer in the submission does not change the
> > behavior/configuration of the overall system without the user
> > explicitly opting into those changes
>
> By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> configuration changes globally without explicit opt-in of the user.
Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
contain "selinux", this is a noop. So I don't see how this violates the
quoted criteria.
What am I missing?
Best regards
Uwe
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-18 7:50 ` Uwe Kleine-König
@ 2026-03-18 9:12 ` Richard Purdie
2026-03-18 11:13 ` Uwe Kleine-König
0 siblings, 1 reply; 13+ messages in thread
From: Richard Purdie @ 2026-03-18 9:12 UTC (permalink / raw)
To: Uwe Kleine-König, Yoann Congal; +Cc: yocto-patches, Yi Zhao
On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > [...]
> > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > configuration changes globally without explicit opt-in of the user.
>
> Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> contain "selinux", this is a noop. So I don't see how this violates the
> quoted criteria.
>
> What am I missing?
I guess it would depend whether any of the functions/variables in core
have hard dependencies on that variable. I was assuming that they do
but that might not be the case, I'm not sure without checking and you
may be right.
Cheers,
Richard
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-18 9:12 ` Richard Purdie
@ 2026-03-18 11:13 ` Uwe Kleine-König
2026-03-18 12:37 ` Richard Purdie
0 siblings, 1 reply; 13+ messages in thread
From: Uwe Kleine-König @ 2026-03-18 11:13 UTC (permalink / raw)
To: Richard Purdie; +Cc: Yoann Congal, yocto-patches, Yi Zhao, Hiago De Franco
On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > [...]
> > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > contain "selinux", this is a noop. So I don't see how this violates the
> > quoted criteria.
> >
> > What am I missing?
>
> I guess it would depend whether any of the functions/variables in core
> have hard dependencies on that variable. I was assuming that they do
> but that might not be the case, I'm not sure without checking and you
> may be right.
Wouldn't that be a bug if a function changes behaviour depending on
DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
having "selinux" for native packages iff the global DISTRO_FEATURES has
"selinux".)
I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
meta-openembedded, there are only matches in the first and these are
about default settings, appending DISTRO_FEATURES_OVERRIDES and providing
a filtered version of the global DISTRO_FEATURES for native packages.
So unless I missed something, I'd claim setting
DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
relevant change without an explicit opt-in (by adding "selinux" to
DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
Hiago sent.
Best regards
Uwe
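A small added model, not code from meta-selinux, oe-core or anyone in this thread, of the mechanism the commit message and Uwe's last reply describe: a native recipe sees only the words of DISTRO_FEATURES that DISTRO_FEATURES_FILTER_NATIVE admits, and the patched class line then filters that value for "selinux". It re-implements the word-intersection contract of bb.utils.filter() locally so it runs without BitBake; the pre-patch filter content "api-documentation" is a constructed sample value, and the real native-recipe filtering in oe-core has further inputs that are left out here.

```python
"""Model of DISTRO_FEATURES_FILTER_NATIVE gating and of the patched
enable-selinux.bbclass PACKAGECONFIG line. Illustration only; the native
filtering is simplified to "global DISTRO_FEATURES restricted to the words
in DISTRO_FEATURES_FILTER_NATIVE"."""


def bb_utils_filter(variable_value: str, checkvalues: str) -> str:
    """Local stand-in for bb.utils.filter(variable, checkvalues, d): the
    sorted, space-joined set of words present in both the variable's value
    and checkvalues. Takes the expanded value instead of a datastore."""
    present = set(variable_value.split())
    wanted = set(checkvalues.split())
    return " ".join(sorted(present & wanted))


def native_distro_features(distro_features: str, filter_native: str) -> str:
    """Simplified model of what a native recipe sees as DISTRO_FEATURES:
    only the global features that the native filter lets through."""
    return bb_utils_filter(filter_native, distro_features)


def enable_selinux_packageconfig(distro_features: str) -> str:
    """The patched class line,
    PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}",
    evaluated against the DISTRO_FEATURES value the recipe actually sees."""
    return bb_utils_filter(distro_features, "selinux")


def native_packageconfig(distro_features: str, filter_native: str) -> str:
    """PACKAGECONFIG contribution for a native recipe inheriting the class."""
    seen = native_distro_features(distro_features, filter_native)
    return enable_selinux_packageconfig(seen)


# Constructed sample values. BASE_FILTER stands for whatever the filter held
# before the patch; PATCHED_FILTER models the layer.conf hunk
# DISTRO_FEATURES_FILTER_NATIVE:append = " selinux".
BASE_FILTER = "api-documentation"
PATCHED_FILTER = BASE_FILTER + " selinux"


def compare(distro_features: str) -> dict:
    """Target and native PACKAGECONFIG before and after the layer.conf hunk
    for one DISTRO_FEATURES value. Uwe's argument is that when "selinux" is
    absent from DISTRO_FEATURES, native_before == native_after, i.e. the
    append is a no-op; when it is present, native recipes gain "selinux"."""
    return {
        "target": enable_selinux_packageconfig(distro_features),
        "native_before": native_packageconfig(distro_features, BASE_FILTER),
        "native_after": native_packageconfig(distro_features, PATCHED_FILTER),
    }


if __name__ == "__main__":
    for df in ("systemd ipv6", "systemd ipv6 selinux"):
        print(f'DISTRO_FEATURES="{df}": {compare(df)}')
```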
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages

From: Richard Purdie @ 2026-03-18 12:37 UTC (permalink / raw)
To: Uwe Kleine-König
Cc: Yoann Congal, yocto-patches, Yi Zhao, Hiago De Franco

On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > Hi Richard,
> > > > >
> > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > >
> > > > > > > On 2/13/26 23:42, Uwe Kleine-König wrote:
> > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > support enabled for the native tools, too.
> > > > > > > >
> > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > ---
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > >
> > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > >
> > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}"
> > > > > > > >
> > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > setfiles.
> > > > > > > >
> > > > > > > > Best regards
> > > > > > > > Uwe
> > > > > > > >
> > > > > > > >  classes/enable-selinux.bbclass | 2 +-
> > > > > > > >  conf/layer.conf                | 4 ++++
> > > > > > > >  2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > >
> > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > >  inherit selinux
> > > > > > > >  
> > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > --- a/conf/layer.conf
> > > > > > > > +++ b/conf/layer.conf
> > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > >  "
> > > > > > > >  
> > > > > > > >  PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > +
> > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > +# native tools support SELinux, too.
> > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > >
> > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly
> > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES =
> > > > > > > "selinux" in layer.conf either.
> > > > > >
> > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > the layer isn't Yocto Project Compatible too.
> > > > >
> > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > that.
> > > > >
> > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > us the reason?
> > > >
> > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > Inclusion of any layer in the submission does not change the
> > > > > behavior/configuration of the overall system without the user
> > > > > explicitly opting into those changes
> > > >
> > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > configuration changes globally without explicit opt-in of the user.
> > >
> > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > contain "selinux", this is a noop. So I don't see how this violates the
> > > quoted criteria.
> > >
> > > What am I missing?
> >
> > I guess it would depend whether any of the functions/variables in core
> > have hard dependencies on that variable. I was assuming that they do
> > but that might not be the case, I'm not sure without checking and you
> > may be right.
>
> Wouldn't that be a bug if a function changes behaviour depending on
> DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> having "selinux" for native packages iff the global DISTRO_FEATURES has
> "selinux".)

It depends on how that variable is being used. Some usages would be an
issue, some would not. I have not checked how it is being used and what
the implications of that are.

> I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> meta-openembedded, there are only matches in the first and these are
> about default settings, appending DISTRO_FEATURES_OVERRIDES and
> providing a filtered version of the global DISTRO_FEATURES for native
> packages.
>
> So unless I missed something, I'd claim setting
> DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> relevant change without an explicit opt-in (by adding "selinux" to
> DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> Hiago sent.

I'm starting to wish I'd just never said anything :/.

It would be nice if meta-selinux passes yocto-check-layer but that
isn't my call, I don't know if it does currently pass or not. I wanted
to caution that changing DISTRO_FEATURES or things related to
DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
you might get away with it, I don't know. Has anyone tested it?

I am generally worried about the amount of things people "load" up
layer.conf with as whilst it seems easy, the scope of it can be
problematic as it affects other layers, and in general you don't want
to be doing that unless it is configurable.

Cheers,

Richard
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages

From: Uwe Kleine-König @ 2026-03-18 14:22 UTC (permalink / raw)
To: Richard Purdie
Cc: Yoann Congal, yocto-patches, Yi Zhao, Hiago De Franco

Hey Richard,

On Wed, Mar 18, 2026 at 12:37:42PM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> > On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > > >
> > > > > > > > On 2/13/26 23:42, Uwe Kleine-König wrote:
> > > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > > support enabled for the native tools, too.
> > > > > > > > >
> > > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > > ---
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > > >
> > > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > > >
> > > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}"
> > > > > > > > >
> > > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > > setfiles.
> > > > > > > > >
> > > > > > > > > Best regards
> > > > > > > > > Uwe
> > > > > > > > >
> > > > > > > > >  classes/enable-selinux.bbclass | 2 +-
> > > > > > > > >  conf/layer.conf                | 4 ++++
> > > > > > > > >  2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > > >
> > > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > > >  inherit selinux
> > > > > > > > >  
> > > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > > --- a/conf/layer.conf
> > > > > > > > > +++ b/conf/layer.conf
> > > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > > >  "
> > > > > > > > >  
> > > > > > > > >  PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > > +
> > > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > > +# native tools support SELinux, too.
> > > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > > >
> > > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly
> > > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES =
> > > > > > > > "selinux" in layer.conf either.
> > > > > > >
> > > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > > the layer isn't Yocto Project Compatible too.
> > > > > >
> > > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > > that.
> > > > > >
> > > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > > us the reason?
> > > > >
> > > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > > Inclusion of any layer in the submission does not change the
> > > > > > behavior/configuration of the overall system without the user
> > > > > > explicitly opting into those changes
> > > > >
> > > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > > configuration changes globally without explicit opt-in of the user.
> > > >
> > > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > > contain "selinux", this is a noop. So I don't see how this violates the
> > > > quoted criteria.
> > > >
> > > > What am I missing?
> > >
> > > I guess it would depend whether any of the functions/variables in core
> > > have hard dependencies on that variable. I was assuming that they do
> > > but that might not be the case, I'm not sure without checking and you
> > > may be right.
> >
> > Wouldn't that be a bug if a function changes behaviour depending on
> > DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> > having "selinux" for native packages iff the global DISTRO_FEATURES has
> > "selinux".)
>
> It depends on how that variable is being used. Some usages would be an
> issue, some would not. I have not checked how it is being used and what
> the implications of that are.
>
> > I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> > meta-openembedded, there are only matches in the first and these are
> > about default settings, appending DISTRO_FEATURES_OVERRIDES and
> > providing a filtered version of the global DISTRO_FEATURES for native
> > packages.
> >
> > So unless I missed something, I'd claim setting
> > DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> > relevant change without an explicit opt-in (by adding "selinux" to
> > DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> > Hiago sent.
>
> I'm starting to wish I'd just never said anything :/.

:-\

> It would be nice if meta-selinux passes yocto-check-layer but that
> isn't my call, I don't know if it does currently pass or not. I wanted
> to caution that changing DISTRO_FEATURES or things related to
> DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
> you might get away with it, I don't know. Has anyone tested it?

I tried that:

uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux
INFO: Detected layers:
INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
ERROR: Layer meta-selinux depends on meta-python and isn't found.
INFO:
INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
ERROR: Layer meta-selinux depends on meta-python and isn't found.
INFO: Skipping meta-selinux due to missing dependencies.
INFO:
INFO: Summary of results:
INFO:
INFO: meta-selinux ... SKIPPED (Missing dependencies)

hmm, so maybe I need to add this using --dependency:

uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux --dependency ../meta-openembedded/meta-python --dependency ../meta-openembedded
INFO: Detected layers:
INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
INFO: Adding meta-python to the list of layers to test, as a dependency
INFO: Adding meta-oe to the list of layers to test, as a dependency
INFO:
INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
INFO: Adding layer meta-python
INFO: meta-python is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
INFO: Adding layer meta-oe
INFO: meta-oe is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
INFO: Getting initial bitbake variables ...
INFO: Getting initial signatures ...
INFO: Generating signatures failed. This might be due to some parse error and/or general layer incompatibilities.
Command: BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS BB_SIGNATURE_HANDLER" BB_SIGNATURE_HANDLER="OEBasicHash" bitbake -S lockedsigs world
Output:
WARNING: Host distribution "debian-13" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
Loading cache...done.
Loaded 0 entries from dependency cache.
Parsing recipes...done.
Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4316 targets, 86 skipped, 0 masked, 0 errors.
Removing 14 recipes from the core2-64 sysroot...done.
Removing 19 recipes from the qemux86_64 sysroot...done.
Removing 6 recipes from the x86_64 sysroot...done.
NOTE: Resolving any missing task queue dependencies
ERROR: Nothing PROVIDES 'libselinux' (but /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/squashfs-tools-ng/squashfs-tools-ng_1.2.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/augeas/augeas_1.12.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.22.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/at/at_3.2.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2024.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/smartmontools/smartmontools_7.4.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/udev/eudev_3.2.14.bb, /home/uwe/work/ashjk/poky/meta/recipes-support/vim/vim_9.1.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/ltrace/ltrace_git.bb DEPENDS on or otherwise requires it)
ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'hwloc', 'libselinux']

Summary: There was 1 WARNING message.
Summary: There were 2 ERROR messages, returning a non-zero exit code.

INFO: meta-python already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-python from BBLAYERS.
INFO: meta-oe already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-oe from BBLAYERS.
INFO:
INFO: Summary of results:
INFO:
INFO: meta-selinux ... FAIL (Generating world signatures)
INFO: meta-python ... SKIPPED (Layer under test should not present in BBLAYERS)
INFO: meta-oe ... SKIPPED (Layer under test should not present in BBLAYERS)

Maybe I'm holding it wrong, maybe meta-selinux just doesn't pass?!

Ah, when removing "selinux" from DISTRO_FEATURES it works better. Then
it says things like:

...
INFO: Traceback (most recent call last):
  File "/home/uwe/work/ashjk/poky/scripts/lib/checklayer/cases/common.py", line 99, in test_signatures
    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
    ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: Adding layer meta-selinux changed signatures.
1789 signatures changed, initial differences (first hash before, second after):
   android-tools-conf:do_recipe_qa: 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 -> d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
      bitbake-diffsigs --task android-tools-conf do_recipe_qa --signature 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
...

(That's without my change BTW.)

> I am generally worried about the amount of things people "load" up
> layer.conf with as whilst it seems easy, the scope of it can be
> problematic as it affects other layers, and in general you don't want
> to be doing that unless it is configurable.

I understand your motivation, adding things there (even if they are ok)
add to the things you stumble over.

There is nothing I can say to rebut that objection. Still I think the
addition we're discussing about is technically fine and reduces the
surprises when working with meta-selinux. So in my subjective opinion
it's a net win to add it.

Best regards
Uwe
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages 2026-03-18 14:22 ` Uwe Kleine-König @ 2026-03-25 12:28 ` Hiago De Franco 2026-03-27 16:33 ` Uwe Kleine-König 0 siblings, 1 reply; 13+ messages in thread 
From: Hiago De Franco @ 2026-03-25 12:28 UTC (permalink / raw) To: Uwe Kleine-König Cc: Richard Purdie, Yoann Congal, yocto-patches, Yi Zhao Hello, On Wed, Mar 18, 2026 at 03:22:44PM +0100, Uwe Kleine-König wrote: > Hey Richard, > > On Wed, Mar 18, 2026 at 12:37:42PM +0000, Richard Purdie wrote: > > On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote: > > > On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote: > > > > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote: > > > > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote: > > > > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote: > > > > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote: > > > > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote: > > > > > > > > > > > > > > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote: > > > > > > > > > > With SELinux enabled for the target it makes sense to have SELinux > > > > > > > > > > support enabled for the native tools, too. > > > > > > > > > > > > > > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now > > > > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to > > > > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages. > > > > > > > > > > --- > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > > > I use this on scarthgap, but the patch applies fine to master, too. > > > > > > > > > > > > > > > > > > > > During a debug session it took me quite a while to find out why > > > > > > > > > > > > > > > > > > > > ls -lZ "${IMAGE_ROOTFS} > > > > > > > > > > > > > > > > > > > > at the end of selinux_set_labels() didn't show the labels added by > > > > > > > > > > setfiles. 
> > > > > > > > > > > > > > > > > > > > Best regards > > > > > > > > > > Uwe > > > > > > > > > > > > > > > > > > > > classes/enable-selinux.bbclass | 2 +- > > > > > > > > > > conf/layer.conf | 4 ++++ > > > > > > > > > > 2 files changed, 5 insertions(+), 1 deletion(-) > > > > > > > > > > > > > > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass > > > > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644 > > > > > > > > > > --- a/classes/enable-selinux.bbclass > > > > > > > > > > +++ b/classes/enable-selinux.bbclass > > > > > > > > > > @@ -1,3 +1,3 @@ > > > > > > > > > > inherit selinux > > > > > > > > > > > > > > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}" > > > > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}" > > > > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf > > > > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644 > > > > > > > > > > --- a/conf/layer.conf > > > > > > > > > > +++ b/conf/layer.conf 
> > > > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \ > > > > > > > > > > " > > > > > > > > > > > > > > > > > > > > PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted" > > > > > > > > > > + > > > > > > > > > > +# With target support for SELinux it is very helpful during debug when the > > > > > > > > > > +# native tools support SELinux, too. > > > > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux" > > > > > > > > > > > > > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly > > > > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = > > > > > > > > > "selinux" in layer.conf either. > > > > > > > > > > > > > > > > I just wanted to add that putting that directly in layer.conf will mean > > > > > > > > the layer isn't Yocto Project Compatible too. > > > > > > > > > > > > > > I am going to send a v2 and take over this work, already asked Uwe about > > > > > > > that. > > > > > > > > > > > > > > But before doing it, I was wondering why changing layer.conf will make > > > > > > > the layer not compatible with Yocto Project anymore. Can you explain to > > > > > > > us the reason? > > > > > > > > > > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]: > > > > > > > Inclusion of any layer in the submission does not change the > > > > > > > behavior/configuration of the overall system without the user > > > > > > > explicitly opting into those changes > > > > > > > > > > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the > > > > > > configuration changes globally without explicit opt-in of the user. > > > > > > > > > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux" > > > > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already > > > > > contain "selinux", this is a noop. So I don't see how this violates the > > > > > quoted critera. > > > > > > > > > > What am I missing? 
> > > > > > > > I guess it would depend whether any of the functions/variables in core > > > > have hard dependencies on that variable. I was assuming that they do > > > > but that might not be the case, I'm not sure without checking and you > > > > may be right. > > > > > > Wouldn't that be a bug if a function changes behaviour depending on > > > DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from > > > having "selinux" for native packages iff the global DISTRO_FEATURES has > > > "selinux".) > > > > It depends on how that variable is being used. Some usages would be an > > issue, some would not. I have not checked how it is being used and what > > the implications of that are. > > > > > I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and > > > meta-openembedded, there are only matches in the first and these are > > > about default settings, appending DISTRO_FEATURES_OVERRIDES and > > > providing a filtered version of the global DISTRO_FEATURES for native > > > packages. > > > > > > So unless I missed something, I'd claim setting > > > DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a > > > relevant change without an explicit opt-in (by adding "selinux" to > > > DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that > > > Hiago sent. > > > > I'm starting to wish I'd just never said anything :/. > > :-\ > > > It would be nice if meta-selinux passes yocto-check-layer but that > > isn't my call, I don't know if it does currently pass or not. I wanted > > to caution that changing DISTRO_FEATURES or things related to > > DISTRO_FEATURES from layer.conf is generally a bad idea. In this case > > you might get away with it, I don't know. Has anyone tested it? 
> > I tried that: > > uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux > INFO: Detected layers: > INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux > ERROR: Layer meta-selinux depends on meta-python and isn't found. > INFO: > INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux > ERROR: Layer meta-selinux depends on meta-python and isn't found. > INFO: Skipping meta-selinux due to missing dependencies. > INFO: > INFO: Summary of results: > INFO: > INFO: meta-selinux ... SKIPPED (Missing dependencies) > > hmm, so maybe I need to add this using --dependency: > > uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux --dependency ../meta-openembedded/meta-python --dependency ../meta-openembedded > INFO: Detected layers: > INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux > INFO: Adding meta-python to the list of layers to test, as a dependency > INFO: Adding meta-oe to the list of layers to test, as a dependency > INFO: > INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux > INFO: Adding layer meta-python > INFO: meta-python is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf > INFO: Adding layer meta-oe > INFO: meta-oe is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf > INFO: Getting initial bitbake variables ... > INFO: Getting initial signatures ... > INFO: Generating signatures failed. This might be due to some parse error and/or general layer incompatibilities. > Command: BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS BB_SIGNATURE_HANDLER" BB_SIGNATURE_HANDLER="OEBasicHash" bitbake -S lockedsigs world > Output: > WARNING: Host distribution "debian-13" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution. > Loading cache...done. 
> Loaded 0 entries from dependency cache. > Parsing recipes...done. > Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4316 targets, 86 skipped, 0 masked, 0 errors. > Removing 14 recipes from the core2-64 sysroot...done. > Removing 19 recipes from the qemux86_64 sysroot...done. > Removing 6 recipes from the x86_64 sysroot...done. > NOTE: Resolving any missing task queue dependencies > ERROR: Nothing PROVIDES 'libselinux' (but /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/squashfs-tools-ng/squashfs-tools-ng_1.2.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/augeas/augeas_1.12.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.22.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/at/at_3.2.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2024.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/smartmontools/smartmontools_7.4.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/udev/eudev_3.2.14.bb, /home/uwe/work/ashjk/poky/meta/recipes-support/vim/vim_9.1.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/ltrace/ltrace_git.bb DEPENDS on or otherwise requires it) > ERROR: Required build target 'meta-world-pkgdata' has no buildable providers. > Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'hwloc', 'libselinux'] > > Summary: There was 1 WARNING message. > Summary: There were 2 ERROR messages, returning a non-zero exit code. 
> > INFO: meta-python already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-python from BBLAYERS. > INFO: meta-oe already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-oe from BBLAYERS. > INFO: > INFO: Summary of results: > INFO: > INFO: meta-selinux ... FAIL (Generating world signatures) > INFO: meta-python ... SKIPPED (Layer under test should not present in BBLAYERS) > INFO: meta-oe ... SKIPPED (Layer under test should not present in BBLAYERS) > > Maybe I'm holding it wrong, maybe meta-selinux just doesn't pass?! > > Ah, when removing "selinux" from DISTRO_FEATURES it works better. Then > it says things like: > > ... > INFO: Traceback (most recent call last): > File "/home/uwe/work/ashjk/poky/scripts/lib/checklayer/cases/common.py", line 99, in test_signatures > self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg)) > ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > AssertionError: Adding layer meta-selinux changed signatures. > 1789 signatures changed, initial differences (first hash before, second after): > android-tools-conf:do_recipe_qa: 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 -> d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856 > bitbake-diffsigs --task android-tools-conf do_recipe_qa --signature 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856 > ... > > (That's without my change BTW.) > > > I am generally worried about the amount of things people "load" up > > layer.conf with as whilst it seems easy, the scope of it can be > > problematic as it affects other layers, and in general you don't want > > to be doing that unless it is configurable. 
> > I understand your motivation, adding things there (even if they are ok)
> > add to the things you stumble over.
>
> There is nothing I can say to rebut that objection. Still I think the
> addition we're discussing about is technically fine and reduces the
> surprises when working with meta-selinux. So in my subjective opinion
> it's a net win to add it.
>
> Best regards
> Uwe

I would like to add something to the discussion that I just found
yesterday.

By enabling the native packages to have SELinux by default, GPG
breaks if secureboot is also being used. See the error below:

ERROR: linux-yocto-6.6.129+git-r0 do_sign: Failed to import gpg key (user-keys/boot_keys/BOOT-GPG-PRIVKEY-BOOT-SecureCore): gpg: importing secret keys not allowed
gpg: Total number processed: 1
gpg: secret keys read: 1

This happens because of [0]. I had to specifically disable SELinux for
the GPG native package.

So, in this case, if we would like to proceed with this patch, v2
would be a better option to prevent such errors.

[0] https://github.com/gpg/gnupg/blob/master/g10/import.c#L3319

Regards,
Hiago.
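The per-recipe opt-out Hiago describes above, written out as an added example that is not from the thread or from meta-selinux. The bbappend file name is an assumption; the "selinux" PACKAGECONFIG entry is the one enable-selinux.bbclass appends from DISTRO_FEATURES, and the check at the end uses the standard bitbake -e environment dump.

```bitbake
# Assumed location (not from the thread): gnupg_%.bbappend in your own layer.
#
# Background: enable-selinux.bbclass appends "selinux" to PACKAGECONFIG whenever
# "selinux" is in DISTRO_FEATURES. Once DISTRO_FEATURES_FILTER_NATIVE carries
# "selinux" as well, that also happens for gnupg-native, and a gnupg built with
# ENABLE_SELINUX_HACKS refuses to import secret keys, so do_sign fails with
# "importing secret keys not allowed".

# Keep the SELinux-aware native tools, but take gnupg-native out of it.
# ":remove" is applied after every ":append", so it overrides the class.
PACKAGECONFIG:remove:class-native = "selinux"

# Check before rebuilding (from the build directory):
#   bitbake -e gnupg-native | grep '^PACKAGECONFIG='
# The listed value must not contain "selinux"; the target gnupg keeps it.
```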
* Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
2026-03-25 12:28 ` Hiago De Franco
@ 2026-03-27 16:33 ` Uwe Kleine-König
0 siblings, 0 replies; 13+ messages in thread
From: Uwe Kleine-König @ 2026-03-27 16:33 UTC (permalink / raw)
To: Hiago De Franco; +Cc: Richard Purdie, Yoann Congal, yocto-patches, Yi Zhao

Hello Hiago,

On Wed, Mar 25, 2026 at 09:28:19AM -0300, Hiago De Franco wrote:
> I would like to add something to the discussion that I just found
> yesterday.
>
> By enabling the native packages to have SELinux by default, GPG
> breaks if secureboot is also being used. See the error below:
>
> ERROR: linux-yocto-6.6.129+git-r0 do_sign: Failed to import gpg key
> (user-keys/boot_keys/BOOT-GPG-PRIVKEY-BOOT-SecureCore): gpg: importing
> secret keys not allowed
> gpg: Total number processed: 1
> gpg: secret keys read: 1
>
> This happens because of [0]. I had to specifically disable SELinux for
> the GPG native package.

This is ridiculous. What about

diff --git a/g10/import.c b/g10/import.c
index ba62d2322c93..44b113d77222 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3235,21 +3235,21 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock, cipher algorithm (only checks the primary key, though). */ if (ski->algo > 110) { if (!for_migration) log_error (_("key %s: secret key with invalid cipher %d" " - skipped\n"), keystr_from_pk (pk), ski->algo); release_kbnode (keyblock); return 0; } -#ifdef ENABLE_SELINUX_HACKS +#ifdef I_WANT_A_BROKEN_GNUPG if (1) { /* We don't allow importing secret keys because that may be used to put a secret key into the keyring and the user might later be tricked into signing stuff with that key. */ log_error (_("importing secret keys not allowed\n")); release_kbnode (keyblock); return 0; } #endif

instead? Or does someone understand why it's considered easier to trick
the user into bad stuff with SELINUX enabled?

> So, in this case, if we would like to proceed with this patch, v2
> would be a better option to prevent such errors.

Well, it only prevents the error if the yocto build doesn't have

DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"

in local.conf which is recommended in the docs with v2. So I (still)
don't consider v2 better.

Best regards
Uwe
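Review bot: swapping ENABLE_SELINUX_HACKS for I_WANT_A_BROKEN_GNUPG in the `#ifdef` makes the point rhetorically, but as a change it is simply a deletion of the secret-key import refusal for every SELinux-enabled build, and it leaves the in-tree comment (secret keys are refused so that nobody can plant one in the keyring and later trick the user into signing with it) without any replacement for the risk it describes. The build that actually needs to import a signing key here is gnupg-native, so the narrower change for the Yocto case is to keep this guard and not enable the selinux PACKAGECONFIG for gnupg-native, which the earlier message in the thread already did, rather than weaken the check for every consumer of the SELinux build.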
Thread overview: 13+ messages
2026-02-13 15:42 [meta-selinux][PATCH] Enable SELinux support in native packages Uwe Kleine-König
2026-03-09 12:23 ` [yocto-patches] " Yi Zhao
2026-03-09 14:21 ` Richard Purdie
2026-03-17 17:40 ` Hiago De Franco
2026-03-17 18:23 ` Yoann Congal
2026-03-17 20:19 ` Hiago De Franco
2026-03-18 7:50 ` Uwe Kleine-König
2026-03-18 9:12 ` Richard Purdie
2026-03-18 11:13 ` Uwe Kleine-König
2026-03-18 12:37 ` Richard Purdie
2026-03-18 14:22 ` Uwe Kleine-König
2026-03-25 12:28 ` Hiago De Franco
2026-03-27 16:33 ` Uwe Kleine-König