[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

Joe MacDonald Joe_MacDonald at mentor.com
Tue May 16 04:54:41 PDT 2017


[RE: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On 17.05.08 (Mon 01:40) Huang, Jie (Jackie) wrote:

> 
> 
> > -----Original Message-----
> > From: Joe MacDonald [mailto:Joe_MacDonald at mentor.com]
> > Sent: Tuesday, May 02, 2017 21:14
> > To: Huang, Jie (Jackie)
> > Cc: yocto at yoctoproject.org
> > Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> > selinux
> > 
> > [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On
> > 17.02.22 (Wed 14:44) jackie.huang at windriver.com wrote:
> > 
> > > From: Jackie Huang <jackie.huang at windriver.com>
> > >
> > > The selinux PACKAGECONFIG is properly handled in
> > > the recipe in oe-core, no need to inherit the
> > > enable-selinux bbclass.
> > 
> > That might be true, but other than belt-and-suspenders, what's the
> > harm in this being in the recipe?  I don't necessarily think it's an
> > invalid change but my quick count shows ~44 instances of 'inherit
> > enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> > one significant?
> 
> That's because I have a patch to change the PACKAGECONFIG for selinux
> in oe-core to fix a dependency issue:
> 
> -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
> +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"
> 
> But it would be overridden by the one in enable-selinux.bbclass:
> $ grep PACKAGECONFIG enable-selinux.bbclass
> PACKAGECONFIG_append = " ${@target_selinux(d)}"
> PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
> 
> So I need to remove the inherit here in meta-selinux.

Sorry, this fell between the cracks.

So, let me make sure I understand what you're saying.  This oe-core
commit:

commit 1881c5e0c426a193630e5eed5b629b69ff3741d5
Author: Kai Kang <kai.kang at windriver.com>
Date:   Wed Jul 8 14:26:01 2015 +0800

    systemd: add PACKAGECONFIG selinux
    
    Add PACKAGECONFIG 'selinux' for systemd. debug-shell.service starts
    different shell according whether selinux is enabled.
    
    (From OE-Core rev: 3d1aa27191fe4c21428eaf4ae036acb1496b7df7)
    
    Signed-off-by: Kai Kang <kai.kang at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

conflicts with the --enable/--disable settings in meta-selinux and you
want to remove the setting in meta-selinux?  Again, I don't specifically
object to this, but I'd like to understand the why of it.  Is there a
valid scenario to include meta-selinux in your project but have selinux
disabled?  If so, I would think the settings in meta-selinux should
still take precedence.  Otherwise, I'm confused why the other 40-ish
cases aren't also covered.  I haven't investigated, but are all the
others in non-oe-core layers, maybe?

Thanks,
-J.

> 
> Thanks,
> Jackie
> 
> > 
> > -J.
> > 
> > >
> > > Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> > > ---
> > >  recipes-core/systemd/systemd_%.bbappend | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> > core/systemd/systemd_%.bbappend
> > > index 8d9029b..f1bdaf8 100644
> > > --- a/recipes-core/systemd/systemd_%.bbappend
> > > +++ b/recipes-core/systemd/systemd_%.bbappend
> > > @@ -1,2 +1 @@
> > >  inherit enable-audit
> > > -inherit enable-selinux
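
Review bot: Removing `inherit enable-selinux` from systemd_%.bbappend drops not only the class's `PACKAGECONFIG[selinux]` definition but also its `PACKAGECONFIG_append = " ${@target_selinux(d)}"`, and the commit message does not say where selinux is still added to systemd's PACKAGECONFIG after this change. Please confirm that it is still enabled when the selinux feature is on, or keep that append explicitly in the bbappend. The message should also state the actual motivation given in the thread: the class's `PACKAGECONFIG[selinux]` assignment overrides the oe-core value, so the planned `initscripts-sushell` addition in oe-core would be lost. "Properly handled in oe-core" does not explain why this one recipe is treated differently from the other inherits in the layer.
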
> > > --
> > > 2.8.3
> > >
> > --
> > -Joe MacDonald.
> > :wq

-- 
-Joe MacDonald.
:wq