[yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core

Joe MacDonald Joe_MacDonald at mentor.com
Mon May 14 09:09:56 PDT 2018


[Re: [yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core] On 18.05.14 (Mon 10:05) Mark Hatle wrote:

> On 5/11/18 1:19 PM, Rudolf J Streif wrote:
> > Thank you, Mark. Much appreciated and understood.
> > 
> > Would you be open to tagging the layer for rocko to the right commit and
> > applying the patches sent to the mailing list by Armin and Kai to master
> > so that we have known points to move forward?
> 
> I'm going to try to sync with Joe later today.  I'll make sure that we
> branch rocko..  If Joe can't get to the sumo work this week, I'll do
> my best to get it done.

Yeah, just keep everyone in the loop on this, Mark and I will
coordinate, I anticipate having the current meta-selinux queue cleaned
up this week.  I followed up last week to Armin indicating that I was
working on this, but as I'm sure anyone building meta-selinux right now
already knows, things are not happy there and corrective measures are
kind of involved.

As for longer-term maintenance, meta-selinux and SELinux in general is
of particular interest to me personally, but much like Mark, I haven't
had as much time for the layer as it deserves lately, so if anyone wants
to volunteer to help out with it, by all means, let us know.


Thanks,
-J.

> 
> --Mark
> 
> > Thank you,
> > Rudi
> > 
> > 
> > On 05/11/2018 10:45 AM, Mark Hatle wrote:
> >> On 5/11/18 12:28 PM, Rudolf J Streif wrote:
> >>> Echoing this: may I ask what the current maintenance status of
> >>> meta-selinux is. It appears that no updates have been made for more than
> >>> 9 months. This is of course not to blame anybody but out of concern that
> >>> the layer is falling behind even more and to find a solution.
> >> The answer is the current set of people are horribly overworked and busy, so
> >> day-to-day updates have been 'sparse'.
> >>
> >> Usually we update meta-selinux about the time of a release, and thus are due.
> >>
> >> The last update of meta-selinux was about the time of the Rocko release, so what
> >> is in master is definitely current as of Rocko.  (I did the last set of updates
> >> -- so I know it did work as of Rocko release.)  The master needs to be branched
> >> as Rocko... master needs to be updated to be Sumo compatible.
> >>
> >> My assumption is that once Sumo is formally released (any minute now), we'll
> >> collect all of the patches and get them into place and spend some time
> >> cleaning them up...
> >>
> >> It looks like Joe is already working through this effort.
> >>
> >> (Only speaking for myself,) I don't have time to do day-to-day maintenance of
> >> meta-selinux any longer -- nor do I have the in-depth knowledge to understand
> >> when not to do something.  I filled this role purely out of necessity since
> >> nobody else was doing it.
> >>
> >> So with that said, if anyone wants to help, we're all open for help here...  I
> >> doubt there would be any objection to adding or replacing existing maintainers
> >> and/or giving more people push access.
> >>
> >>> In addition to Armin's patches there are two patches submitted by Kai
> >>> Kang at Windriver:
> >>>
> >>> * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039917.html
> >>> * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039918.html
> >>>
> >>> Curiously enough, the second patch has been applied to master but not
> >>> the first one.
> >>>
> >>>
> >>> There is also an issue with building SELinux with systemd. The layer
> >>> enables auditing:
> >>>
> >>> meta-selinux/classes/enable-audit.bbclass:PACKAGECONFIG[audit] =
> >>> "--enable-audit,--disable-audit,audit,"
> >>> meta-selinux/recipes-core/systemd/systemd_%.bbappend:inherit
> >>> ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}
> >>>
> >>> Apparently the --enable-audit switch is passed to meson when running the
> >>> configure task, which meson does not appreciate. I am not that familiar
> >>> with the audit feature nor with meson, so I currently have no idea on
> >>> how to fix this the right way.
> >> audit feature is useful outside of selinux, so my understanding was that audit
> >> itself was moving into core during the sumo time frame (if it hadn't already
> >> been moved.)
> >>
> >> I don't know anything about meson, so I can't speak to that...
> >>
> >>> Further, refpolicy_git does not build anymore as the YP specific patches
> >>> do not apply anymore since upstream changed.
> >> The refpolicy is and has always been crap.  I've been talking to a few people on
> >> IRC about working to replace the refpolicy with a policy that can be generated
> >> dynamically based on the contents of the recipes.  I don't know if that is
> >> really going to happen, but I hate the way it's currently implemented.
> >>
> >> One of the key issues about the refpolicy is that you need to be an expert at
> >> this (which I never claimed to be) in order to make any reasonable decision --
> >> add to that any specific policy needs to understand overall system design, and I
> >> wouldn't trust any of the refpolicy items as they stand in meta-selinux.
> >>
> >> --Mark
> >>
> >>> Thanks,
> >>> Rudi
> >>>
> >>>
> >>>
> >>> On 05/07/2018 10:20 AM, akuster808 wrote:
> >>>> On 04/14/2018 07:08 PM, Armin Kuster wrote:
> >>>>> Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'restorecond', 'libselinux', 'python-importlib']
> >>>>>
> >>>>> Signed-off-by: Armin Kuster <akuster at mvista.com>
> >>>> ping
> >>>>> ---
> >>>>>  recipes-security/selinux/libselinux.inc | 2 +-
> >>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>>
> >>>>> diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
> >>>>> index bd5ce8d..51d0875 100644
> >>>>> --- a/recipes-security/selinux/libselinux.inc
> >>>>> +++ b/recipes-security/selinux/libselinux.inc
> >>>>> @@ -8,7 +8,7 @@ LICENSE = "PD"
> >>>>>  inherit lib_package pythonnative
> >>>>>  
> >>>>>  DEPENDS += "libsepol python libpcre swig-native"
> >>>>> -RDEPENDS_${PN}-python += "python-importlib"
> >>>>> +RDEPENDS_${PN}-python += "python-core"
> >>>>>  
> >>>>>  PACKAGES += "${PN}-python"
> >>>>>  FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
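
Review bot: The commit message behind the RDEPENDS_${PN}-python change carries only the failing dependency chain and does not say which release folded python-importlib into python-core, so it is unclear from the patch alone which branches it is safe to apply to; given that the thread discusses branching rocko from master, a line naming the first release where python-importlib no longer exists as a separate package would settle that. The subject also says "python*-core" while the + line names only "python-core", so it is worth stating in the message that only the Python 2 runtime dependency is touched here.
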
> >>>
> >>>
> > 
> 
> 




-- 
-Joe MacDonald.
:wq