From: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>
To: Hiago De Franco <hfranco@baylibre.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
	 Yoann Congal <yoann.congal@smile.fr>,
	yocto-patches@lists.yoctoproject.org,
	 Yi Zhao <yi.zhao@windriver.com>
Subject: Re: [yocto-patches] [meta-selinux][PATCH] Enable SELinux support in native packages
Date: Fri, 27 Mar 2026 17:33:42 +0100
Message-ID: <acau25bGKj2NcLiw@monoceros>
In-Reply-To: <s3dvnilzp3mv6xstf7syd42ru3pgjaiebooacljibgf5zpe4ba@ezu4xnouvw26>


Hello Hiago,

On Wed, Mar 25, 2026 at 09:28:19AM -0300, Hiago De Franco wrote:
> I would like to add something to the discussion that I just found
> yesterday.
> 
> By enabling the native packages to have SELinux by default, GPG
> breaks if secureboot is also being used. See the error below:
> 
> ERROR: linux-yocto-6.6.129+git-r0 do_sign: Failed to import gpg key
> (user-keys/boot_keys/BOOT-GPG-PRIVKEY-BOOT-SecureCore): gpg: importing
> secret keys not allowed
> gpg: Total number processed: 1
> gpg:       secret keys read: 1
> 
> This happens because of [0]. I had to specifically disable SELinux for
> the GPG native package.

This is ridiculous. What about

diff --git a/g10/import.c b/g10/import.c
index ba62d2322c93..44b113d77222 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3235,21 +3235,21 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock,
      cipher algorithm (only checks the primary key, though).  */
   if (ski->algo > 110)
     {
       if (!for_migration)
         log_error (_("key %s: secret key with invalid cipher %d"
                      " - skipped\n"), keystr_from_pk (pk), ski->algo);
       release_kbnode (keyblock);
       return 0;
     }
 
-#ifdef ENABLE_SELINUX_HACKS
+#ifdef I_WANT_A_BROKEN_GNUPG
   if (1)
     {
       /* We don't allow importing secret keys because that may be used
          to put a secret key into the keyring and the user might later
          be tricked into signing stuff with that key.  */
       log_error (_("importing secret keys not allowed\n"));
       release_kbnode (keyblock);
       return 0;
     }
 #endif
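Review bot: renaming the guard to I_WANT_A_BROKEN_GNUPG leaves the whole `if (1) { ... }` block as dead code behind a macro that no build defines, so the effect is the same as deleting the check but with a misleading symbol left in the tree; if the point is to drop the restriction, delete the `#ifdef ... #endif` block outright instead. The comment inside the block does state a rationale (a planted secret key that the user is later tricked into signing with), so a patch that disables it should also say why that threat does not apply here, or else keep the check and stop the Yocto build from defining ENABLE_SELINUX_HACKS for gpg-native, which is what disabling SELinux for the GPG native package, as described earlier in the thread, already achieves.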

instead? Or does someone understand why it's considered easier to trick
the user into bad stuff with SELINUX enabled?

> So, in this case, if we would to like to proceed with this patch, v2
> would be a better option to prevent such errors.

Well, it only prevents the error if the Yocto build doesn't have

	DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"

in local.conf which is recommended in the docs with v2. So I (still)
don't consider v2 better.

Best regards
Uwe
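The following probe is an added example and not part of the mail, of meta-selinux or of GnuPG. It lets a build engineer tell a gpg built with the ENABLE_SELINUX_HACKS path quoted above apart from a normal one before do_sign fails: it generates a throwaway key in a scratch GNUPGHOME, exports it, and tries to import it into a second scratch GNUPGHOME, classifying gpg's diagnostics (the refusal text is the one from the error report quoted above; the "imported" sample is constructed). It assumes a gpg 2.1 or newer (for --quick-generate-key) named by $GPG or found as "gpg" on PATH, mktemp, and optionally gpgconf; the wording of the export-side refusal is an assumption mirroring the import message. The caller's ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example (not from the mail, meta-selinux or GnuPG): probe whether a gpg
# binary carries the secret-key import refusal that g10/import.c puts behind
# ENABLE_SELINUX_HACKS. Assumes gpg 2.1+ ($GPG or "gpg" on PATH), mktemp and,
# optionally, gpgconf. Only scratch homedirs are used.

# Diagnostics as quoted in the mail (constructed sample).
SAMPLE_REFUSED='gpg: importing secret keys not allowed
gpg: Total number processed: 1
gpg:       secret keys read: 1'

# What an unrestricted gpg prints for the same import (constructed sample,
# key id made up).
SAMPLE_IMPORTED='gpg: key 0123456789ABCDEF: secret key imported
gpg: Total number processed: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1'

# Classify gpg --import diagnostics. Prints one of: refused, imported, unknown.
classify_import_output() {
    case "$1" in
        *"importing secret keys not allowed"*) echo refused ;;
        *"secret keys imported:"*|*"secret key imported"*|*"secret keys unchanged:"*) echo imported ;;
        *) echo unknown ;;
    esac
}

# Live probe. Exit status:
#   0  a throwaway secret key imports fine (no ENABLE_SELINUX_HACKS)
#   1  import (or export) refused: gpg built with the SELinux hacks
#   2  probe could not run (no gpg, mktemp failed, key generation failed)
probe_gpg_secret_import() {
    gpg_bin="${GPG:-gpg}"
    command -v "$gpg_bin" >/dev/null 2>&1 || return 2
    src=$(mktemp -d) || return 2
    dst=$(mktemp -d) || { rm -rf "$src"; return 2; }
    rc=2

    # Generate a no-passphrase key in the scratch source keyring.
    if "$gpg_bin" --homedir "$src" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --quick-generate-key probe@example.invalid \
            default default never >/dev/null 2>&1; then
        # Armored key goes to a file, stderr is captured for classification.
        experr=$("$gpg_bin" --homedir "$src" --batch --pinentry-mode loopback \
            --passphrase '' --armor --export-secret-keys 2>&1 >"$src/probe.asc") || :
        case "$experr" in
            # A hacks-enabled build may already refuse on export (wording assumed
            # to mirror the import message quoted in the mail).
            *"secret keys not allowed"*) rc=1 ;;
            *)
                if [ -s "$src/probe.asc" ]; then
                    out=$("$gpg_bin" --homedir "$dst" --batch --import "$src/probe.asc" 2>&1) || :
                    case $(classify_import_output "$out") in
                        imported) rc=0 ;;
                        refused)  rc=1 ;;
                    esac
                fi ;;
        esac
    fi

    # gpg auto-starts one agent per homedir; stop them before removing the dirs.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --homedir "$src" --kill gpg-agent >/dev/null 2>&1 || :
        gpgconf --homedir "$dst" --kill gpg-agent >/dev/null 2>&1 || :
    fi
    rm -rf "$src" "$dst"
    return "$rc"
}

# Command-line use:  GPG=/path/to/gnupg-native/usr/bin/gpg sh probe.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe_gpg_secret_import; rc=$?
    case $rc in
        0) echo "secret-key import allowed (no SELinux hacks)" ;;
        1) echo "secret-key import refused (ENABLE_SELINUX_HACKS build)" ;;
        *) echo "probe could not run (no usable gpg)" ;;
    esac
    exit $rc
fi
```

Pointing $GPG at the gpg from the native sysroot of a Yocto build reproduces the failure mode from the error report above without waiting for a kernel do_sign task; exit status 1 is the signal that gpg-native was configured with the SELinux hacks.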


Thread overview:
2026-02-13 15:42 [meta-selinux][PATCH] Enable SELinux support in native packages Uwe Kleine-König
2026-03-09 12:23 ` [yocto-patches] " Yi Zhao
2026-03-09 14:21   ` Richard Purdie
2026-03-17 17:40     ` Hiago De Franco
2026-03-17 18:23       ` Yoann Congal
2026-03-17 20:19         ` Hiago De Franco
2026-03-18  7:50         ` Uwe Kleine-König
2026-03-18  9:12           ` Richard Purdie
2026-03-18 11:13             ` Uwe Kleine-König
2026-03-18 12:37               ` Richard Purdie
2026-03-18 14:22                 ` Uwe Kleine-König
2026-03-25 12:28                   ` Hiago De Franco
2026-03-27 16:33                     ` Uwe Kleine-König [this message]
