[Re: [oe] meta-selinux]

On 15.02.11 (Wed 09:25) Christopher Larson wrote:
> On Wed, Feb 11, 2015 at 8:53 AM, dpquigl <[email protected]> wrote:
>
> > I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> > by the yocto project. I'm trying to use it with a base openembedded core
> > and it's not in sync with oe-core because it's based on poky. This made
> > me think of two questions. 1) Why is this not in OE core since so many
> > packages in core can potentially have SELinux support enabled and 2) if
> > it's not supposed to be in core where should turning on SELinux support
> > in a recipe go? For example coreutils can have SELinux support enabled.
> > Currently this is in meta-selinux as a bbappend to the coreutils
> > package. This works out because it's always going to be there. However
> > there is also a bbappend for an LXC recipe. LXC isn't in core which
> > means it has a dependency on a layer not in core.
> >
>
> This is a bug in the layer. It's fairly trivial to construct a layer in
> such a way that you can have per-layer bbappends that are only applied when
> that layer exists. This is likely the approach meta-selinux should take to
> address this implicit dependency upon meta-virtualization.

I agree. As Philip mentioned, there's been creep in meta-selinux
dependencies that I really would prefer to avoid but I haven't gotten
around to making the dependencies optional and proposing a patch set on
the list yet. It's something I think we need, though, particularly for
meta-selinux, but I imagine it's not the only layer that could use such
a change.

> That said, I think most folks would be open to PACKAGECONFIGs for selinux
> capability going into the main recipes, as that's not an invasive change,
> nor a patch, but just a tweak in configuration.

I know that's been the case in several places already, and in a lot of
cases I think that's probably the better place to do such things, so
that at least in theory the layer maintainers themselves are aware of
selinux issues, but I try to be a practical sort and since I don't
expect up-stream developers to be maintaining their own policy modules,
I also don't expect layer maintainers to be testing with selinux all
that often. :-)

FWIW, though, there're plenty of examples in oe-core of SELinux
PACKAGECONFIGs and that works out pretty well for everyone, I think.

-- 
-Joe MacDonald.
:wq
--
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
