[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux
Huang, Jie (Jackie)
Jackie.Huang at windriver.com
Tue May 16 18:40:06 PDT 2017
> -----Original Message-----
> From: Joe MacDonald [mailto:Joe_MacDonald at mentor.com]
> Sent: Tuesday, May 16, 2017 19:55
> To: Huang, Jie (Jackie)
> Cc: yocto at yoctoproject.org
> Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> selinux
>
> [RE: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux]
> On 17.05.08 (Mon 01:40) Huang, Jie (Jackie) wrote:
>
> >
> >
> > > -----Original Message-----
> > > From: Joe MacDonald [mailto:Joe_MacDonald at mentor.com]
> > > Sent: Tuesday, May 02, 2017 21:14
> > > To: Huang, Jie (Jackie)
> > > Cc: yocto at yoctoproject.org
> > > Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit
> enable-
> > > selinux
> > >
> > > [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux]
> On
> > > 17.02.22 (Wed 14:44) jackie.huang at windriver.com wrote:
> > >
> > > > From: Jackie Huang <jackie.huang at windriver.com>
> > > >
> > > > The selinux PACKAGECONFIG is properly handled in
> > > > the recipe in oe-core, no need to inherit the
> > > > enable-selinux bbclass.
> > >
> > > That might be true, but other than belt-and-suspenders, what's the
> > > harm in this being in the recipe? I don't necessarily think it's an
> > > invalid change but my quick count shows ~44 instances of 'inherit
> > > enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> > > one significant?
> >
> > That's because I have a patch to change the PACKAGECONFIG for selinux
> > in oe-core to fix a dependency issue:
> >
> > -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
> > +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-
> selinux,libselinux,initscripts-sushell"
> >
> > But it would be overridden by the one in enable-selinux.bbclass:
> > $ grep PACKAGECONFIG enable-selinux.bbclass
> > PACKAGECONFIG_append = " ${@target_selinux(d)}"
> > PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
> >
> > So I need to remove the inherit here in meta-selinux.
>
> Sorry, this fell between the cracks.
>
> So, let me make sure I understand what you're saying. This oe-core
> commit:
>
> commit 1881c5e0c426a193630e5eed5b629b69ff3741d5
> Author: Kai Kang <kai.kang at windriver.com>
> Date: Wed Jul 8 14:26:01 2015 +0800
>
> systemd: add PACKAGECONFIG selinux
>
> Add PACKAGECONFIG 'selinux' for systemd. debug-shell.service starts
> different shell according whether selinux is enabled.
>
> (From OE-Core rev: 3d1aa27191fe4c21428eaf4ae036acb1496b7df7)
>
> Signed-off-by: Kai Kang <kai.kang at windriver.com>
> Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>
> conflicts with the --enable/--disable settings in meta-selinux and you
> want to remove the setting in meta-selinux? Again, I don't specifically
> object to this, but I'd like to understand the why of it. Is there a
> valid scenario to include meta-selinux in your project but have selinux
> disabled? If so, I would think the settings in meta-selinux should

The conflict is not the --enable/--disable settings, it's the dependency:

oe-core: PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"
meta-selinux: PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"

There is an extra runtime dependency on initscripts-sushell (which is required by debug-shell.service),
so if inheriting the enable-selinux in meta-selinux, the selinux will still be enabled, but the dependency
on initscripts-sushell will be lost.

> still take precedence. Otherwise, I'm confused why the other 40-ish

Others don't have the extra dependency, the settings in oe-core and
meta-selinux are the same (at least for now), so others aren't covered.

Thanks,
Jackie

> cases aren't also covered. I haven't investigated, but are all the
> others in non-oe-core layers, maybe?
>
> Thanks,
> -J.
>
> >
> > Thanks,
> > Jackie
> >
> > >
> > > -J.
> > >
> > > >
> > > > Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> > > > ---
> > > > recipes-core/systemd/systemd_%.bbappend | 1 -
> > > > 1 file changed, 1 deletion(-)
> > > >
> > > > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> > > core/systemd/systemd_%.bbappend
> > > > index 8d9029b..f1bdaf8 100644
> > > > --- a/recipes-core/systemd/systemd_%.bbappend
> > > > +++ b/recipes-core/systemd/systemd_%.bbappend
> > > > @@ -1,2 +1 @@
> > > > inherit enable-audit
> > > > -inherit enable-selinux
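Review bot: Removing `inherit enable-selinux` in this hunk drops everything the class sets, including its `PACKAGECONFIG_append = " ${@target_selinux(d)}"` line and not only its `PACKAGECONFIG[selinux]` definition, so the commit message should say what still adds selinux to systemd's PACKAGECONFIG once the class is gone. The message also states only that the inherit is unnecessary; the reason given later in the thread, that the class's `PACKAGECONFIG[selinux]` replaces the oe-core definition and loses the initscripts-sushell runtime dependency, should be recorded there as well.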
> > > > --
> > > > 2.8.3
> > > >
> > > --
> > > -Joe MacDonald.
> > > :wq
>
> --
> -Joe MacDonald.
> :wq
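
The override described in this reply, as an added example that is not part of the original thread or of either layer's code: a simplified Python model (not BitBake's parser) that applies `PACKAGECONFIG[flag]` assignments in parse order and reports build or runtime dependencies that a later assignment drops. The function names and source labels are hypothetical, and the two sample inputs are constructed from the PACKAGECONFIG lines quoted above.

```python
import re

# Order of the first four comma-separated fields in a PACKAGECONFIG[flag] value.
FIELDS = ("enable_arg", "disable_arg", "depends", "rdepends")
ASSIGN = re.compile(r'^PACKAGECONFIG\[(?P<flag>[^\]]+)\]\s*=\s*"(?P<value>[^"]*)"')

# Constructed sample inputs, taken from the lines quoted in the thread.
OE_CORE_RECIPE = (
    'PACKAGECONFIG[selinux] = '
    '"--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"\n'
)
ENABLE_SELINUX_BBCLASS = (
    'PACKAGECONFIG_append = " ${@target_selinux(d)}"\n'
    'PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"\n'
)

def parse_flags(text):
    """Return {flag: {field: value}} for every PACKAGECONFIG[flag] = "..." line."""
    flags = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if not m:
            continue  # e.g. PACKAGECONFIG_append, which is not a flag definition
        parts = [p.strip() for p in m.group("value").split(",")]
        parts += [""] * (len(FIELDS) - len(parts))  # pad missing trailing fields
        flags[m.group("flag")] = dict(zip(FIELDS, parts))
    return flags

def lost_dependencies(sources):
    """sources: [(name, text), ...] in parse order; a later assignment replaces
    the whole flag value. Returns [(flag, field, lost_items, overriding_source)]."""
    effective, findings = {}, []
    for name, text in sources:
        for flag, new in parse_flags(text).items():
            old = effective.get(flag)
            if old:
                for field in ("depends", "rdepends"):
                    lost = set(old[field].split()) - set(new[field].split())
                    if lost:
                        findings.append((flag, field, sorted(lost), name))
            effective[flag] = new
    return findings

if __name__ == "__main__":
    chain = [("systemd recipe (oe-core)", OE_CORE_RECIPE),
             ("enable-selinux.bbclass", ENABLE_SELINUX_BBCLASS)]
    for finding in lost_dependencies(chain):
        print(finding)
```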