Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages

["Uwe Kleine-König" <u.kleine-koenig@baylibre.com>]

[-- Attachment #1: Type: text/plain, Size: 12657 bytes --]

Hey Richard,

On Wed, Mar 18, 2026 at 12:37:42PM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> > On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > > > 
> > > > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > > support enabled for the native tools, too.
> > > > > > > > > 
> > > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > > ---
> > > > > > > > > Hello,
> > > > > > > > > 
> > > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > > > 
> > > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > > > 
> > > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > > > 
> > > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > > setfiles.
> > > > > > > > > 
> > > > > > > > > Best regards
> > > > > > > > > Uwe
> > > > > > > > > 
> > > > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > > > 
> > > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > > >   inherit selinux
> > > > > > > > >   
> > > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > > --- a/conf/layer.conf
> > > > > > > > > +++ b/conf/layer.conf
> > > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > > >   "
> > > > > > > > >   
> > > > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > > +
> > > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > > +# native tools support SELinux, too.
> > > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > > > 
> > > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > > > "selinux" in layer.conf either.
> > > > > > > 
> > > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > > the layer isn't Yocto Project Compatible too.
> > > > > > 
> > > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > > that.
> > > > > > 
> > > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > > us the reason?
> > > > > 
> > > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > > Inclusion of any layer in the submission does not change the
> > > > > > behavior/configuration of the overall system without the user
> > > > > > explicitly opting into those changes
> > > > > 
> > > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > > configuration changes globally without explicit opt-in of the user.
> > > > 
> > > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > > contain "selinux", this is a noop. So I don't see how this violates the
> > > > quoted critera.
> > > > 
> > > > What am I missing?
> > > 
> > > I guess it would depend whether any of the functions/variables in core
> > > have hard dependencies on that variable. I was assuming that they do
> > > but that might not be the case, I'm not sure without checking and you
> > > may be right.
> > 
> > Wouldn't that be a bug if a function changes behaviour depending on
> > DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> > having "selinux" for native packages iff the global DISTRO_FEATURES has
> > "selinux".)
> 
> It depends on how that variable is being used. Some usages would be an
> issue, some would not. I have not checked how it is being used and what
> the implications of that are.
> 
> > I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> > meta-openembedded, there are only matches in the first and these are
> > about default settings, appending DISTRO_FEATURES_OVERRIDES and
> > providing a filtered version of the global DISTRO_FEATURES for native
> > packages.
> > 
> > So unless I missed something, I'd claim setting
> > DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> > relevant change without an explicit opt-in (by adding "selinux" to
> > DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> > Hiago sent.
> 
> I'm starting to wish I'd just never said anything :/.

:-\

> It would be nice if meta-selinux passes yocto-check-layer but that
> isn't my call, I don't know if it does currently pass or not. I wanted
> to caution that changing DISTRO_FEATURES or things related to
> DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
> you might get away with it, I don't know. Has anyone tested it?

I tried that:

	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux
	INFO: Detected layers:
	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
	ERROR: Layer meta-selinux depends on meta-python and isn't found.
	INFO:
	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
	ERROR: Layer meta-selinux depends on meta-python and isn't found.
	INFO: Skipping meta-selinux due to missing dependencies.
	INFO:
	INFO: Summary of results:
	INFO:
	INFO: meta-selinux ... SKIPPED (Missing dependencies)

hmm, so maybe I need to add this using --dependency:

	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux --dependency ../meta-openembedded/meta-python --dependency ../meta-openembedded
	INFO: Detected layers:
	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
	INFO: Adding meta-python to the list of layers to test, as a dependency
	INFO: Adding meta-oe to the list of layers to test, as a dependency
	INFO: 
	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
	INFO: Adding layer meta-python
	INFO: meta-python is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
	INFO: Adding layer meta-oe
	INFO: meta-oe is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
	INFO: Getting initial bitbake variables ...
	INFO: Getting initial signatures ...
	INFO: Generating signatures failed. This might be due to some parse error and/or general layer incompatibilities.
	Command: BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS BB_SIGNATURE_HANDLER" BB_SIGNATURE_HANDLER="OEBasicHash" bitbake -S lockedsigs world
	Output:
	WARNING: Host distribution "debian-13" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
	Loading cache...done.
	Loaded 0 entries from dependency cache.
	Parsing recipes...done.
	Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4316 targets, 86 skipped, 0 masked, 0 errors.
	Removing 14 recipes from the core2-64 sysroot...done.
	Removing 19 recipes from the qemux86_64 sysroot...done.
	Removing 6 recipes from the x86_64 sysroot...done.
	NOTE: Resolving any missing task queue dependencies
	ERROR: Nothing PROVIDES 'libselinux' (but /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/squashfs-tools-ng/squashfs-tools-ng_1.2.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/augeas/augeas_1.12.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.22.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/at/at_3.2.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2024.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/smartmontools/smartmontools_7.4.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/udev/eudev_3.2.14.bb, /home/uwe/work/ashjk/poky/meta/recipes-support/vim/vim_9.1.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/ltrace/ltrace_git.bb DEPENDS on or otherwise requires it)
	ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
	Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'hwloc', 'libselinux']

	Summary: There was 1 WARNING message.
	Summary: There were 2 ERROR messages, returning a non-zero exit code.

	INFO: meta-python already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-python from BBLAYERS.
	INFO: meta-oe already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-oe from BBLAYERS.
	INFO: 
	INFO: Summary of results:
	INFO: 
	INFO: meta-selinux ... FAIL (Generating world signatures)
	INFO: meta-python ... SKIPPED (Layer under test should not present in BBLAYERS)
	INFO: meta-oe ... SKIPPED (Layer under test should not present in BBLAYERS)

Maybe I'm holding it wrong, maybe meta-selinux just doesn't pass?!

Ah, when removing "selinux" from DISTRO_FEATURES it works better. Then
it says things like:

	...
	INFO: Traceback (most recent call last):
	  File "/home/uwe/work/ashjk/poky/scripts/lib/checklayer/cases/common.py", line 99, in test_signatures
	    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
	    ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	AssertionError: Adding layer meta-selinux changed signatures.
	1789 signatures changed, initial differences (first hash before, second after):
	   android-tools-conf:do_recipe_qa: 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 -> d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
	      bitbake-diffsigs --task android-tools-conf do_recipe_qa --signature 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
	...

(That's without my change BTW.)

> I am generally worried about the amount of things people "load" up
> layer.conf with as whilst it seems easy, the scope of it can be
> problematic as it affects other layers, and in general you don't want
> to be doing that unless it is configurable.

I understand your motivation, adding things there (even if they are ok)
add to the things you stumble over.

There is nothing I can say to rebut that objection. Still I think the
addition we're discussing about is technically fine and reduces the
surprises when working with meta-selinux. So in my subjective opinion
it's a net win to add it.

Best regards
Uwe

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]