[yocto] AppArmor

Anders Montonen Anders.Montonen at iki.fi
Wed Jun 21 19:01:09 PDT 2017

On 21 Jun 2017, at 23:46, Khem Raj <raj.khem at gmail.com> wrote:
> On Tue, Jun 20, 2017 at 9:56 AM Anders Montonen <Anders.Montonen at iki.fi> wrote:
>> Has anyone tried using AppArmor with Yocto? The recipe in the
>> meta-security layer is broken, and when fixed so it actually builds, it
>> turns out the installed init script relies on functions not found in
>> Yocto's version of LSB.
> That seems a bug to me, perhaps can be fixed in initscripts?

I ended up replacing the recipe with one combining the one from meta-security and from the OpenSwitch project[1]. This allowed me to get rid of the sysvinit and apache2 dependencies. I’ll have to look for Tom Rini’s tweaks and see if he fixed the Python issues more elegantly.

IIRC the issues I ran into with the meta-security recipe were:
- The tools under binutils require the static library
- The systemd service file isn’t installed
- The Python apparmor module is built against Python 2.7, while the scripts that use it are Python 3. Commit 89683b4fee4616a08d249bc7afd7be55f3fa71a3 is wrong, it papers over a QA warning without fixing the actual problem.
- The Python LibAppArmor module isn’t built at all.


[1] <http://git.openswitch.net/cgit/openswitch/ops-build/tree/yocto/openswitch/meta-foss-openswitch/recipes-security/apparmor/apparmor_2.10.95.bb?h=master>