[yocto] [oe] meta-selinux

Paul Eggleton paul.eggleton at linux.intel.com
Wed Feb 11 08:29:03 PST 2015


(Adding yocto at yoctoproject.org to CC since that is where meta-selinux patches 
tend to go at least)

On Wednesday 11 February 2015 10:53:03 dpquigl wrote:
> I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> by the yocto project. I'm trying to use it with a base openembedded core
> and it's not in sync with oe-core because it's based on poky.

To be clear, Poky and OE-Core are in lock-step. No patch to core recipes goes 
into Poky directly, they are applied to OE-Core and then they flow into Poky 
immediately thereafter (Richard, who does the merging of patches into OE-Core, 
does the sync to Poky immediately afterwards.)

What's more likely happening I suspect is that you are on a newer 
branch/revision of OE-Core/Poky than the meta-selinux maintainers have tested. 
I can't speak to the maintenance schedule for meta-selinux but maybe others 
with knowledge there can chime in.

> This made me think of two questions. 1) Why is this not in OE core since so
> many packages in core can potentially have SELinux support enabled and 2) if
> it's not supposed to be in core where should turning on SELinux support
> in a recipe go? For example coreutils can have SELinux support enabled.
> Currently this is in meta-selinux as a bbappend to the coreutils
> package. This works out because it's always going to be there. However
> there is also a bbappend for an LXC recipe. LXC isn't in core which
> means it has a dependency on a layer not in core.
> 
> Ideally I would put the recipes needed for SELinux support in core and
> have a distro feature which is checked in the recipes in core for
> whether or not to add --with-selinux to the build flags. Then LXC could
> check a core distro feature and enable SELinux if it wants to.

We have to draw the line somewhere for what to include in OE-Core, and at the 
moment I guess we have considered SELinux to be outside its scope. Obviously 
these things get re-evaluated from time to time, and SELinux is a little bit 
painful for this because of how many recipes it has to touch. Ultimately it 
depends on how many people in the embedded space want to enable and use 
SELinux.

Thoughts from others?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


