Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages

["Uwe Kleine-König" <u.kleine-koenig@baylibre.com>]

[-- Attachment #1: Type: text/plain, Size: 5193 bytes --]

On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > Hi Richard,
> > > > 
> > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > 
> > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > support enabled for the native tools, too.
> > > > > > > 
> > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > ---
> > > > > > > Hello,
> > > > > > > 
> > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > 
> > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > 
> > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > 
> > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > setfiles.
> > > > > > > 
> > > > > > > Best regards
> > > > > > > Uwe
> > > > > > > 
> > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > 
> > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > @@ -1,3 +1,3 @@
> > > > > > >   inherit selinux
> > > > > > >   
> > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > --- a/conf/layer.conf
> > > > > > > +++ b/conf/layer.conf
> > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > >   "
> > > > > > >   
> > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > +
> > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > +# native tools support SELinux, too.
> > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > 
> > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > "selinux" in layer.conf either.
> > > > > 
> > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > the layer isn't Yocto Project Compatible too.
> > > > 
> > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > that.
> > > > 
> > > > But before doing it, I was wondering why changing layer.conf will make
> > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > us the reason?
> > > 
> > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > Inclusion of any layer in the submission does not change the
> > > > behavior/configuration of the overall system without the user
> > > > explicitly opting into those changes
> > > 
> > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > configuration changes globally without explicit opt-in of the user.
> > 
> > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > contain "selinux", this is a noop. So I don't see how this violates the
> > quoted critera.
> > 
> > What am I missing?
> 
> I guess it would depend whether any of the functions/variables in core
> have hard dependencies on that variable. I was assuming that they do
> but that might not be the case, I'm not sure without checking and you
> may be right.

Wouldn't that be a bug if a function changes behaviour depending on
DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
having "selinux" for native packages iff the global DISTRO_FEATURES has
"selinux".)

I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
meta-openembedded, there are only matches in the first and these are
about default settings, appending DISTRO_FEATURES_OVERRIDES and
providing a filtered version of the global DISTRO_FEATURES for native
packages.

So unless I missed something, I'd claim setting
DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
relevant change without an explicit opt-in (by adding "selinux" to
DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
Hiago sent.

Best regards
Uwe

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]