[yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core

Mark Hatle mark.hatle at windriver.com
Mon May 14 08:05:41 PDT 2018


On 5/11/18 1:19 PM, Rudolf J Streif wrote:
> Thank you, Mark. Much appreciated and understood.
> 
> Would you be open to tagging the layer for rocko to the right commit and
> applying the patches sent to the mailing list by Armin and Kai to master
> so that we have known points to move forward?

I'm going to try to sync with Joe later today.  I'll make sure that we branch
rocko.  If Joe can't get to the sumo work this week, I'll do my best to get it
done.

--Mark

> Thank you,
> Rudi
> 
> 
> On 05/11/2018 10:45 AM, Mark Hatle wrote:
>> On 5/11/18 12:28 PM, Rudolf J Streif wrote:
>>> Echoing this: may I ask what the current maintenance status of
>>> meta-selinux is. It appears that no updates have been made for more than
>>> 9 months. This is of course not to blame anybody but out of concern that
>>> the layer is falling behind even more and to find a solution.
>> The answer is the current set of people are horribly overworked and busy, so
>> day-to-day updates have been 'sparse'.
>>
>> Usually we update meta-selinux about the time of a release, and thus are due.
>>
>> The last update of meta-selinux was about the time of the Rocko release, so what
>> is in master is definitely current as of Rocko.  (I did the last set of updates
>> -- so I know it did work as of Rocko release.)  The master needs to be branched
>> as Rocko... master needs to be updated to be Sumo compatible.
>>
>> My assumption is that once Sumo is formally released (any minute now), we'll
>> collect all of the patches and get them into place and spend some time
>> cleaning them up...
>>
>> It looks like Joe is already working through this effort.
>>
>> (Only speaking for myself,) I don't have time to do day-to-day maintenance of
>> meta-selinux any longer -- nor do I have the in-depth knowledge to understand
>> when not to do something.  I filled this role purely out of necessity since
>> nobody else was doing it.
>>
>> So with that said, if anyone wants to help, we're all open for help here...  I
>> doubt there would be any objection to adding or replacing existing maintainers
>> and/or giving more people push access.
>>
>>> In addition to Armin's patches there are two patches submitted by Kai
>>> Kang at Windriver:
>>>
>>> * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039917.html
>>> * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039918.html
>>>
>>> Curiously enough, the second patch has been applied to master but not
>>> the first one.
>>>
>>>
>>> There is also an issue with building SELinux with systemd. The layer
>>> enables auditing:
>>>
>>> meta-selinux/classes/enable-audit.bbclass:PACKAGECONFIG[audit] =
>>> "--enable-audit,--disable-audit,audit,"
>>> meta-selinux/recipes-core/systemd/systemd_%.bbappend:inherit
>>> ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}
>>>
>>> Apparently the --enable-audit switch is passed to meson when running the
>>> configure task, which meson does not appreciate. I am not that familiar
>>> with the audit feature nor with meson, so I currently have no idea on
>>> how to fix this the right way.
>> audit feature is useful outside of selinux, so my understanding was that audit
>> itself was moving into core during the sumo time frame (if it hadn't already
>> been moved.)
>>
>> I don't know anything about meson, so I can't speak to that...
>>
>>> Further, refpolicy_git does not build anymore as the YP specific patches
>>> do not apply anymore since upstream changed.
>> The refpolicy is and has always been crap.  I've been talking to a few people on
>> IRC about working to replace the refpolicy with a policy that can be generated
>> dynamically based on the contents of the recipes.  I don't know if that is
>> really going to happen, but I hate the way it's currently implemented.
>>
>> One of the key issues about the refpolicy is that you need to be an expert at
>> this (which I never claimed to be) in order to make any reasonable decision --
>> add to that any specific policy needs to understand overall system design, and I
>> wouldn't trust any of the refpolicy items as they stand in meta-selinux.
>>
>> --Mark
>>
>>> Thanks,
>>> Rudi
>>>
>>>
>>>
>>> On 05/07/2018 10:20 AM, akuster808 wrote:
>>>> On 04/14/2018 07:08 PM, Armin Kuster wrote:
>>>>> Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'restorecond', 'libselinux', 'python-importlib']
>>>>>
>>>>> Signed-off-by: Armin Kuster <akuster at mvista.com>
>>>> ping
>>>>> ---
>>>>>  recipes-security/selinux/libselinux.inc | 2 +-
>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
>>>>> index bd5ce8d..51d0875 100644
>>>>> --- a/recipes-security/selinux/libselinux.inc
>>>>> +++ b/recipes-security/selinux/libselinux.inc
>>>>> @@ -8,7 +8,7 @@ LICENSE = "PD"
>>>>>  inherit lib_package pythonnative
>>>>>  
>>>>>  DEPENDS += "libsepol python libpcre swig-native"
>>>>> -RDEPENDS_${PN}-python += "python-importlib"
>>>>> +RDEPENDS_${PN}-python += "python-core"
>>>>>  
>>>>>  PACKAGES += "${PN}-python"
>>>>>  FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
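
Review bot: The commit message consists only of the bitbake dependency-chain error and does not say which release or branch the `RDEPENDS_${PN}-python` change targets. The replacement with "python-core" is unconditional, so the message should state from which oe-core release python-importlib stopped being a separate package, so the change is not carried onto a branch where that package still exists. The subject also says python*-core while the hunk only touches the `${PN}-python` runtime dependency; confirm that no other python package in this .inc still lists an importlib dependency.
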
>>>
>>>
> 

