[oe] meta-selinux

Philip Tricca flihp at twobit.us
Wed Feb 11 20:56:48 UTC 2015


On 02/11/2015 12:00 PM, dpquigl wrote:
> On Wed, 2015-02-11 at 09:25 -0700, Christopher Larson wrote:
>> On Wed, Feb 11, 2015 at 8:53 AM, dpquigl <dpquigl at tycho.nsa.gov> wrote:
>>
>>> I'm working on OpenXT and it makes use of the meta-selinux repo hosted
>>> by the yocto project. I'm trying to use it with a base openembedded core
>>> and it's not in sync with oe-core because it's based on poky. This made
>>> me think of two questions. 1) Why is this not in OE core since so many
>>> packages in core can potentially have SELinux support enabled and 2) if
>>> it's not supposed to be in core where should turning on SELinux support
>>> in a recipe go? For example coreutils can have SELinux support enabled.
>>> Currently this is in meta-selinux as a bbappend to the coreutils
>>> package. This works out because it's always going to be there. However
>>> there is also a bbappend for an LXC recipe. LXC isn't in core which
>>> means it has a dependency on a layer not in core.
>>>
>>
>> This is a bug in the layer. It's fairly trivial to construct a layer in
>> such a way that you can have per-layer bbappends that are only applied when
>> that layer exists. This is likely the approach meta-selinux should take to
>> address this implicit dependency upon meta-virtualization.
> 
> Thanks for the suggestion. I figured there was a way to do this but I'm
> new enough to OE and bitbake that it wasn't immediately obvious to me
> how to accomplish this. I'll look into giving it a try.

I didn't know this was possible either. Will be useful to have in
meta-selinux independent of this conversation. Looks like a good example
of this method used in meta-mentor can be found here:

https://lists.yoctoproject.org/pipermail/meta-mentor/2013-May/000052.html

>> That said, I think most folks would be open to PACKAGECONFIGs for selinux
>> capability going into the main recipes, as that's not an invasive change,
>> nor a patch, but just a tweak in configuration.
> 
> That is good to hear. I'm going through the repo now to figure out what
> is really needed to get SELinux working and what is extra. We've been
> having a discussion here about the need to support certain policy
> configurations on embedded SELinux systems. I'm still new enough to all
> of this that I imagine it will take me a while to figure out how and
> what to add PACKAGECONFIG-wise to fit meta-selinux into oe-core.

I'm happy to take a crack at using the per-layer bbappend method
described above in meta-selinux. When meta-selinux picked up a
dependency on 3 new layers caused by bbappends I had to update a bunch
of my build stuff even though I'm not using said layers.

Philip


