[meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[jackie.huang]

From: Jackie Huang <jackie.huang@windriver.com>

The selinux PACKAGECONFIG is properly handled in
the recipe in oe-core, no need to inherit the
enable-selinux bbclass.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 recipes-core/systemd/systemd_%.bbappend | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend
index 8d9029b..f1bdaf8 100644
--- a/recipes-core/systemd/systemd_%.bbappend
+++ b/recipes-core/systemd/systemd_%.bbappend
@@ -1,2 +1 @@
 inherit enable-audit
-inherit enable-selinux
-- 
2.8.3

Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Huang, Jie (Jackie)]

Ping.

> -----Original Message-----
> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> bounces@yoctoproject.org] On Behalf Of jackie.huang@windriver.com
> Sent: Wednesday, February 22, 2017 14:45
> To: yocto@yoctoproject.org
> Subject: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> selinux
> 
> From: Jackie Huang <jackie.huang@windriver.com>
> 
> The selinux PACKAGECONFIG is properly handled in
> the recipe in oe-core, no need to inherit the
> enable-selinux bbclass.
> 
> Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ---
>  recipes-core/systemd/systemd_%.bbappend | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> core/systemd/systemd_%.bbappend
> index 8d9029b..f1bdaf8 100644
> --- a/recipes-core/systemd/systemd_%.bbappend
> +++ b/recipes-core/systemd/systemd_%.bbappend
> @@ -1,2 +1 @@
>  inherit enable-audit
> -inherit enable-selinux
> --
> 2.8.3
> 
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Joe MacDonald]

[-- Attachment #1: Type: text/plain, Size: 1129 bytes --]

[[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On 17.02.22 (Wed 14:44) jackie.huang@windriver.com wrote:

> From: Jackie Huang <jackie.huang@windriver.com>
> 
> The selinux PACKAGECONFIG is properly handled in
> the recipe in oe-core, no need to inherit the
> enable-selinux bbclass.

That might be true, but other than belt-and-suspenders, what's the
harm in this being in the recipe?  I don't necessarily think it's an
invalid change but my quick count shows ~44 instances of 'inherit
enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
one significant?

-J.

> 
> Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ---
>  recipes-core/systemd/systemd_%.bbappend | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend
> index 8d9029b..f1bdaf8 100644
> --- a/recipes-core/systemd/systemd_%.bbappend
> +++ b/recipes-core/systemd/systemd_%.bbappend
> @@ -1,2 +1 @@
>  inherit enable-audit
> -inherit enable-selinux
> -- 
> 2.8.3
> 
-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]

Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Huang, Jie (Jackie)]

> -----Original Message-----
> From: Joe MacDonald [mailto:Joe_MacDonald@mentor.com]
> Sent: Tuesday, May 02, 2017 21:14
> To: Huang, Jie (Jackie)
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> selinux
> 
> [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On
> 17.02.22 (Wed 14:44) jackie.huang@windriver.com wrote:
> 
> > From: Jackie Huang <jackie.huang@windriver.com>
> >
> > The selinux PACKAGECONFIG is properly handled in
> > the recipe in oe-core, no need to inherit the
> > enable-selinux bbclass.
> 
> That might be true, but other than belt-and-suspenders, what's the
> harm in this being in the recipe?  I don't necessarily think it's an
> invalid change but my quick count shows ~44 instances of 'inherit
> enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> one significant?

That's because I have a patch to change the PACKAGECONFIG for selinux
in oe-core to fix a dependency issue:

-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"

But it would be overrode by the one in enable-selinux.bbclass:
$ grep PACKAGECONFIG enable-selinux.bbclass
PACKAGECONFIG_append = " ${@target_selinux(d)}"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"

So I need to remove the inherit here in meta-selinux.

Thanks,
Jackie

> 
> -J.
> 
> >
> > Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ---
> >  recipes-core/systemd/systemd_%.bbappend | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> core/systemd/systemd_%.bbappend
> > index 8d9029b..f1bdaf8 100644
> > --- a/recipes-core/systemd/systemd_%.bbappend
> > +++ b/recipes-core/systemd/systemd_%.bbappend
> > @@ -1,2 +1 @@
> >  inherit enable-audit
> > -inherit enable-selinux
> > --
> > 2.8.3
> >
> --
> -Joe MacDonald.
> :wq

Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Joe MacDonald]

[-- Attachment #1: Type: text/plain, Size: 3563 bytes --]

[RE: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On 17.05.08 (Mon 01:40) Huang, Jie (Jackie) wrote:

> 
> 
> > -----Original Message-----
> > From: Joe MacDonald [mailto:Joe_MacDonald@mentor.com]
> > Sent: Tuesday, May 02, 2017 21:14
> > To: Huang, Jie (Jackie)
> > Cc: yocto@yoctoproject.org
> > Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> > selinux
> > 
> > [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On
> > 17.02.22 (Wed 14:44) jackie.huang@windriver.com wrote:
> > 
> > > From: Jackie Huang <jackie.huang@windriver.com>
> > >
> > > The selinux PACKAGECONFIG is properly handled in
> > > the recipe in oe-core, no need to inherit the
> > > enable-selinux bbclass.
> > 
> > That might be true, but other than belt-and-suspenders, what's the
> > harm in this being in the recipe?  I don't necessarily think it's an
> > invalid change but my quick count shows ~44 instances of 'inherit
> > enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> > one significant?
> 
> That's because I have a patch to change the PACKAGECONFIG for selinux
> in oe-core to fix a dependency issue:
> 
> -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
> +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"
> 
> But it would be overrode by the one in enable-selinux.bbclass:
> $ grep PACKAGECONFIG enable-selinux.bbclass
> PACKAGECONFIG_append = " ${@target_selinux(d)}"
> PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
> 
> So I need to remove the inherit here in meta-selinux.

Sorry, this fell between the cracks.

So, let me make sure I understand what you're saying.  This oe-core
commit:

commit 1881c5e0c426a193630e5eed5b629b69ff3741d5
Author: Kai Kang <kai.kang@windriver.com>
Date:   Wed Jul 8 14:26:01 2015 +0800

    systemd: add PACKAGECONFIG selinux
    
    Add PACKAGECONFIG 'selinux' for systemd. debug-shell.service starts
    different shell according whether selinux is enabled.
    
    (From OE-Core rev: 3d1aa27191fe4c21428eaf4ae036acb1496b7df7)
    
    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

conflicts with the --enable/--disable settings in meta-selinux and  you
want to remove the setting in meta-selinux?  Again, I don't specifically
object to this, but I'd like to understand the why of it.  Is there a
valid scenario to include meta-selinux in your project but have selinux
disabled?  If so, I would think the settings in meta-selinux should
still take precedence.  Otherwise, I'm confused why the other 40-ish
cases aren't also covered.  I haven't investigated, but are all the
others in non-oe-core layers, maybe?

Thanks,
-J.

> 
> Thanks,
> Jackie
> 
> > 
> > -J.
> > 
> > >
> > > Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ---
> > >  recipes-core/systemd/systemd_%.bbappend | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> > core/systemd/systemd_%.bbappend
> > > index 8d9029b..f1bdaf8 100644
> > > --- a/recipes-core/systemd/systemd_%.bbappend
> > > +++ b/recipes-core/systemd/systemd_%.bbappend
> > > @@ -1,2 +1 @@
> > >  inherit enable-audit
> > > -inherit enable-selinux
> > > --
> > > 2.8.3
> > >
> > --
> > -Joe MacDonald.
> > :wq

-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]

Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Huang, Jie (Jackie)]

> -----Original Message-----
> From: Joe MacDonald [mailto:Joe_MacDonald@mentor.com]
> Sent: Tuesday, May 16, 2017 19:55
> To: Huang, Jie (Jackie)
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> selinux
> 
> [RE: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux]
> On 17.05.08 (Mon 01:40) Huang, Jie (Jackie) wrote:
> 
> >
> >
> > > -----Original Message-----
> > > From: Joe MacDonald [mailto:Joe_MacDonald@mentor.com]
> > > Sent: Tuesday, May 02, 2017 21:14
> > > To: Huang, Jie (Jackie)
> > > Cc: yocto@yoctoproject.org
> > > Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit
> enable-
> > > selinux
> > >
> > > [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux]
> On
> > > 17.02.22 (Wed 14:44) jackie.huang@windriver.com wrote:
> > >
> > > > From: Jackie Huang <jackie.huang@windriver.com>
> > > >
> > > > The selinux PACKAGECONFIG is properly handled in
> > > > the recipe in oe-core, no need to inherit the
> > > > enable-selinux bbclass.
> > >
> > > That might be true, but other than belt-and-suspenders, what's the
> > > harm in this being in the recipe?  I don't necessarily think it's an
> > > invalid change but my quick count shows ~44 instances of 'inherit
> > > enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> > > one significant?
> >
> > That's because I have a patch to change the PACKAGECONFIG for selinux
> > in oe-core to fix a dependency issue:
> >
> > -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
> > +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-
> selinux,libselinux,initscripts-sushell"
> >
> > But it would be overrode by the one in enable-selinux.bbclass:
> > $ grep PACKAGECONFIG enable-selinux.bbclass
> > PACKAGECONFIG_append = " ${@target_selinux(d)}"
> > PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
> >
> > So I need to remove the inherit here in meta-selinux.
> 
> Sorry, this fell between the cracks.
> 
> So, let me make sure I understand what you're saying.  This oe-core
> commit:
> 
> commit 1881c5e0c426a193630e5eed5b629b69ff3741d5
> Author: Kai Kang <kai.kang@windriver.com>
> Date:   Wed Jul 8 14:26:01 2015 +0800
> 
>     systemd: add PACKAGECONFIG selinux
> 
>     Add PACKAGECONFIG 'selinux' for systemd. debug-shell.service starts
>     different shell according whether selinux is enabled.
> 
>     (From OE-Core rev: 3d1aa27191fe4c21428eaf4ae036acb1496b7df7)
> 
>     Signed-off-by: Kai Kang <kai.kang@windriver.com>
>     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> 
> conflicts with the --enable/--disable settings in meta-selinux and  you
> want to remove the setting in meta-selinux?  Again, I don't specifically
> object to this, but I'd like to understand the why of it.  Is there a
> valid scenario to include meta-selinux in your project but have selinux
> disabled?  If so, I would think the settings in meta-selinux should

The conflicts is not the --enable/--disable settings, it's the dependency:

oe-core: PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"
meta-selinux: PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"

There is an extra runtime dependency on initscripts-sushell (which is reauired by debug-shell.service),
so if inheriting the enable-selinux in meta-selinux, the selinux will still be enabled, but the dependency
on initscripts-sushell will be lost.

> still take precedence.  Otherwise, I'm confused why the other 40-ish

Others don't have the extra dependency, the setting in oe-core and
meta-selinux are the same(at least for now), so others aren't covered.

Thanks,
Jackie

> cases aren't also covered.  I haven't investigated, but are all the
> others in non-oe-core layers, maybe?
> 
> Thanks,
> -J.
> 
> >
> > Thanks,
> > Jackie
> >
> > >
> > > -J.
> > >
> > > >
> > > > Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > > ---
> > > >  recipes-core/systemd/systemd_%.bbappend | 1 -
> > > >  1 file changed, 1 deletion(-)
> > > >
> > > > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> > > core/systemd/systemd_%.bbappend
> > > > index 8d9029b..f1bdaf8 100644
> > > > --- a/recipes-core/systemd/systemd_%.bbappend
> > > > +++ b/recipes-core/systemd/systemd_%.bbappend
> > > > @@ -1,2 +1 @@
> > > >  inherit enable-audit
> > > > -inherit enable-selinux
> > > > --
> > > > 2.8.3
> > > >
> > > --
> > > -Joe MacDonald.
> > > :wq
> 
> --
> -Joe MacDonald.
> :wq