[oe] meta-selinux

Joe MacDonald Joe_MacDonald at mentor.com
Wed Feb 11 21:22:23 UTC 2015


[Re: [oe] meta-selinux] On 15.02.11 (Wed 09:25) Christopher Larson wrote:

> On Wed, Feb 11, 2015 at 8:53 AM, dpquigl <dpquigl at tycho.nsa.gov> wrote:
> 
> > I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> > by the yocto project. I'm trying to use it with a base openembedded core
> > and it's not in sync with oe-core because it's based on poky. This made
> > me think of two questions. 1) Why is this not in OE core since so many
> > packages in core can potentially have SELinux support enabled and 2) if
> > it's not supposed to be in core where should turning on SELinux support
> > in a recipe go? For example coreutils can have SELinux support enabled.
> > Currently this is in meta-selinux as a bbappend to the coreutils
> > package. This works out because it's always going to be there. However
> > there is also a bbappend for an LXC recipe. LXC isn't in core which
> > means it has a dependency on a layer not in core.
> >
> 
> This is a bug in the layer. It's fairly trivial to construct a layer in
> such a way that you can have per-layer bbappends that are only applied when
> that layer exists. This is likely the approach meta-selinux should take to
> address this implicit dependency upon meta-virtualization.

I agree.  As Philip mentioned, there's been creep in meta-selinux
dependencies that I really would prefer to avoid but I haven't gotten
around to making the dependencies optional and proposing a patch set on
the list yet.  It's something I think we need, though, particularly for
meta-selinux, but I imagine it's not the only layer that could use such
a change.

> That said, I think most folks would be open to PACKAGECONFIGs for selinux
> capability going into the main recipes, as that's not an invasive change,
> nor a patch, but just a tweak in configuration.

I know that's been the case in several places already, and in a lot of
cases I think that's probably the better place to do such things, so
that at least in theory the layer maintainers themselves are aware of
selinux issues, but I try to be a practical sort and since I don't
expect up-stream developers to be maintaining their own policy modules,
I also don't expect layer maintainers to be testing with selinux all
that often.  :-)

FWIW, though, there're plenty of examples in oe-core of SELinux
PACKAGECONFIGs and that works out pretty well for everyone, I think.

-- 
-Joe MacDonald.
:wq
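The two approaches discussed in the thread, shown as an added illustration that is not part of the original message and not the meta-selinux project's own configuration: a layer.conf that only parses its LXC bbappend when meta-virtualization is present (using the BBFILES_DYNAMIC mechanism BitBake added for exactly this "conditional bbappend" problem), and the PACKAGECONFIG form that belongs in the oe-core recipe itself. The collection names ("selinux", "virtualization-layer"), the dynamic-layers paths and the configure switches are assumptions for the example; verify them against the real layers before copying. The `:append` override spelling is current BitBake syntax; BitBake of the 2015 era wrote it `_append`.

```bitbake
# --- meta-selinux/conf/layer.conf (illustrative excerpt, assumed names) ---
BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "selinux"
BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
BBFILE_PRIORITY_selinux = "5"

# Parse the bbappends under dynamic-layers/virtualization-layer/ only when a
# layer whose BBFILE_COLLECTIONS entry is "virtualization-layer" (assumed to be
# meta-virtualization) is in bblayers.conf. Without this guard a plain bbappend
# for LXC fails to parse on every build that does not include that layer, which
# is the implicit dependency the thread calls a bug in the layer.
BBFILES_DYNAMIC += " \
    virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes-*/*/*.bbappend \
"

# --- meta-selinux/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend ---
# (assumed path) Enable the SELinux build option in LXC only when the distro
# turns on the "selinux" DISTRO_FEATURE; otherwise the option is explicitly
# disabled so the build result does not depend on what happens to be in the sysroot.
PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"

# --- The alternative the thread prefers for recipes that live in oe-core ---
# (e.g. coreutils): carry the PACKAGECONFIG in the recipe itself, so no
# bbappend is needed and the recipe maintainer sees the SELinux knob.
# Configure switches below are assumed; check the package's ./configure --help.
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
```

With the layer.conf guard in place, a build that lists only oe-core and meta-selinux in bblayers.conf never sees the LXC bbappend, while a build that also lists meta-virtualization picks it up automatically; `bitbake-layers show-appends` is a quick way to confirm which bbappends were actually applied in each configuration.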