* [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.
@ 2013-10-17 19:06 Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 1/5] Break policycoreutils out into separate packages for the various utilities Philip Tricca
                   ` (5 more replies)
  0 siblings, 6 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

This is a resend of an earlier patch set that never made it to the list
AFAIK.

The reference policy package currently pulls in a lot of python stuff
that isn't strictly necessary to boot an SELinux system and load a
policy. AFAIK this is caused by the mix of python and C utilities in
policycoreutils.

This patch set breaks the policycoreutils recipe up into multiple
packages, one for each utility. In this way we can have the refpol etc
pull in only the utilities necessary for normal operation. This happens
to be only the utilities written in C and thus we can remove python
completely in a minimal image.

I've attempted to localize these changes as much as possible so this
patch set should have minimal impact on recipes outside of the
policycoreutils. An example image recipe is added to demonstrate a
minimal image with only the utilities required to load a policy and
manipulate the policy store (add / remove policy modules) at runtime.

Regards,
- Philip

Philip Tricca (5):
 Break policycoreutils out into separate
 Remove unnecessary RDEPENDS_${BPN}.
 Remove runtime dependency on
 Add packagegroup and image recipe for
 Add packagegroup for policycoreutils

 .../images/core-image-selinux-minimal.bb           |   15 ++
 .../packagegroups/packagegroup-core-selinux.bb     |    4 +-
 .../packagegroups/packagegroup-selinux-minimal.bb  |   26 +++
 .../packagegroup-selinux-policycoreutils.bb        |   36 ++++
 recipes-security/refpolicy/refpolicy_common.inc    |    2 +-
 recipes-security/selinux/policycoreutils.inc       |  179 +++++++++++++++++--
 6 files changed, 245 insertions(+), 17 deletions(-)




* [meta-selinux][PATCH 1/5] Break policycoreutils out into separate packages for the various utilities.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
@ 2013-10-17 19:06 ` Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 2/5] Remove unnecessary RDEPENDS_${BPN} Philip Tricca
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

The driver behind this is to allow images to be built with the minimal
tools necessary to load a policy.  Breaking all of the stuff that's
dependent on python out from the core utils allows us to make much
smaller images.
---
 recipes-security/selinux/policycoreutils.inc |  181 +++++++++++++++++++++++++-
 1 file changed, 175 insertions(+), 6 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index dfd65e3..e6ff4ed 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -38,6 +38,92 @@ RDEPENDS_${BPN} += "\
 	python-ipy \
 	"
 
+RDEPENDS_${BPN}-audit2allow = " \
+	python-textutils \
+	libselinux-python \
+	sepolgen \
+	"
+RDEPENDS_${BPN}-chcat = " \
+	python-codecs \
+	python-shell \
+	python-stringold \
+	python-unixadmin \
+	${BPN}-python \
+	libselinux-python \
+	"
+RDEPENDS_${BPN}-fixfiles += "\
+	${BPN}-setfiles \
+	"
+RDEPENDS_${BPN}-genhomedircon += "\
+	${BPN}-genhomedircon \
+	${BPN}-semodule \
+	"
+RDEPENDS_${BPN}-loadpolicy += "\
+	libselinux \
+	libsepol \
+	"
+RDEPENDS_${BPN}-newrole += "\
+	libcap-ng \
+	libselinux \
+	"
+RDEPENDS_${BPN}-python += "\
+	python-codecs \
+	python-io \
+	python-ipy \
+	python-re \
+	python-stringold \
+	python-syslog \
+	python-unixadmin \
+	libselinux-python \
+	libsemanage-python \
+	"
+RDEPENDS_${BPN}-runinit += "libselinux"
+RDEPENDS_${BPN}-sandbox += "\
+	python-math \
+	python-shell \
+	python-subprocess \
+	python-textutils \
+	python-unixadmin \
+	libselinux-python \
+	${BPN}-python \
+	"
+RDEPENDS_${BPN}-secon += "libselinux"
+RDEPENDS_${BPN}-semanage = " \
+	python-core \
+	python-ipy \
+	${BPN}-python \
+	libselinux-python \
+	"
+RDEPENDS_${BPN}-semodule += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+	"
+# static link to libsepol
+DEPENDS_${BPN}-semodule-deps += "libsepol"
+RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
+RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
+RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
+RDEPENDS_${BPN}-sepolicy += "\
+	python-argparse \
+	python-codecs \
+	python-core \
+	python-syslog \
+	${BPN}-python \
+	"
+# static link to libsepol
+DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"
+RDEPENDS_${BPN}-sepolgen-ifgen += "libselinux-python"
+RDEPENDS_${BPN}-sestatus += "libselinux"
+RDEPENDS_${BPN}-setfiles += "\
+	libselinux \
+	libsepol \
+	"
+RDEPENDS_${BPN}-setsebool += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+	"
 RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
 
 WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
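
Review bot: RDEPENDS_${BPN}-genhomedircon lists ${BPN}-genhomedircon, so
the package depends on itself; drop that entry and keep only the
packages the script really calls (${BPN}-semodule is already there).
Separately, DEPENDS is a recipe-wide build-time variable, so the
package-suffixed DEPENDS_${BPN}-semodule-deps and
DEPENDS_${BPN}-sepolgen-ifgen assignments look like they have no
effect; if the static link to libsepol needs a build dependency it
belongs in the recipe's plain DEPENDS. The mix of "=" and "+=" across
these brand-new RDEPENDS variables would also read better as one
consistent operator.
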
@@ -45,14 +131,97 @@ ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}
 
 inherit pythonnative
 
-PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+PACKAGES =+ "\
+	${PN}-audit2allow \
+	${PN}-chcat \
+	${PN}-fixfiles \
+	${PN}-genhomedircon \
+	${PN}-loadpolicy \
+	${PN}-newrole \
+	${PN}-python \
+	${PN}-runinit \
+	${PN}-sandbox \
+	${PN}-secon \
+	${PN}-semanage \
+	${PN}-semodule \
+	${PN}-semodule-deps \
+	${PN}-semodule-expand \
+	${PN}-semodule-link \
+	${PN}-semodule-package \
+	${PN}-sepolgen-ifgen \
+	${PN}-sepolicy \
+	${PN}-sestatus \
+	${PN}-setfiles \
+	${PN}-setsebool \
+	system-config-selinux \
+	"
+FILES_${PN}-audit2allow = " \
+	${bindir}/audit2allow \
+	${bindir}/audit2why \
+	"
+FILES_${PN}-chcat = " \
+	${bindir}/chcat \
+	"
+FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
+FILES_${PN}-genhomedircon += "${sbindir}/genhomedircon"
+FILES_${PN}-loadpolicy += "\
+	${base_sbindir}/load_policy \
+	${sbindir}/load_policy \
+	"
+FILES_${PN}-newrole += "\
+	${bindir}/newrole \
+	${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+	"
+FILES_${PN}-python = " \
+	${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
 	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
-	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/*"
+	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
+        "
+FILES_${PN}-runinit += "\
+	${sbindir}/run_init \
+	${sbindir}/open_init_pty \
+	${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+	"
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
-FILES_${PN}-sandbox = "${datadir}/sandbox/*"
-FILES_${PN}-sandbox += "${bindir}/sandbox"
-FILES_${PN}-sandbox += "${sbindir}/seunshare"
+FILES_${PN}-sandbox += "\
+	${datadir}/sandbox/* \
+	${bindir}/sandbox \
+	${sbindir}/seunshare \
+	${sysconfdir}/sysconfig/sandbox \
+	"
+FILES_${PN}-secon += "${bindir}/secon"
+FILES_${PN}-semanage = " \
+	${sbindir}/semanage \
+	${sysconfdir}/bash_completion.d/semanage-bash-completion.sh \
+	"
+FILES_${PN}-semodule += "${sbindir}/semodule"
+FILES_${PN}-semodule-deps += "${bindir}/semodule_deps"
+FILES_${PN}-semodule-expand += "${bindir}/semodule_expand"
+FILES_${PN}-semodule-link += "${bindir}/semodule_link"
+FILES_${PN}-semodule-package += "\
+	${bindir}/semodule_package \
+	${bindir}/semodule_unpackage \
+	"
+FILES_${PN}-sepolicy += "\
+	${bindir}/sepolicy \
+	${sysconfdir}/bash_completion.d/sepolicy-bash-completion.sh \
+	"
+FILES_${PN}-sepolgen-ifgen += "\
+	${bindir}/sepolgen-ifgen \
+	${bindir}/sepolgen-ifgen-attr-helper \
+	"
+FILES_${PN}-sestatus += "\
+	${sbindir}/sestatus \
+	${sysconfdir}/sestatus.conf \
+	"
+FILES_${PN}-setfiles += " \
+	${base_sbindir}/restorecon \
+	${base_sbindir}/setfiles \
+	"
+FILES_${PN}-setsebool += " \
+	${sbindir}/setsebool \
+	${sysconfdir}/bash_completion.d/setsebool-bash-completion.sh \
+	"
 FILES_system-config-selinux = " \
     ${bindir}/sepolgen \
     ${datadir}/system-config-selinux/* \
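
Review bot: the new FILES_ assignments mix "=" (audit2allow, chcat,
python, semanage) with "+=" (everything else, including
FILES_${PN}-sandbox, which was "=" before); since these packages are
created by this patch, a plain "=" throughout states the full file list
and avoids inheriting anything by accident. The closing quote of
FILES_${PN}-python is also indented with eight spaces where the rest of
the hunk uses a tab. It is worth noting in the commit message that
PACKAGES and FILES are keyed on ${PN} while the RDEPENDS in the
previous hunk are keyed on ${BPN}, so the two only line up when
PN == BPN.
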
-- 
1.7.10.4




* [meta-selinux][PATCH 2/5] Remove unnecessary RDEPENDS_${BPN}.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 1/5] Break policycoreutils out into separate packages for the various utilities Philip Tricca
@ 2013-10-17 19:06 ` Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 3/5] Remove runtime dependency on policycoreutils from the reference policy Philip Tricca
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

Now that the policycoreutils package is empty no need for RDEPENDS.
Doing this in the commit that broke up the policycoreutils package
made the diff hard to read. Figured it best to break it out for
readability.
---
 recipes-security/selinux/policycoreutils.inc |   16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index e6ff4ed..05de7ac 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -22,22 +22,6 @@ DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 inherit selinux
 DEPENDS += "${@target_selinux(d, 'libpam audit')}"
 
-RDEPENDS_${BPN} += "\
-	libselinux-python \
-	libsemanage-python \
-	sepolgen \
-	"
-RDEPENDS_${BPN} += "\
-	python \
-	python-unixadmin \
-	python-shell \
-	python-crypt \
-	python-subprocess \
-	python-syslog \
-	python-textutils \
-	python-ipy \
-	"
-
 RDEPENDS_${BPN}-audit2allow = " \
 	python-textutils \
 	libselinux-python \
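
Review bot: python-crypt is removed here but does not appear in any of
the per-utility RDEPENDS lists added in 1/5, so please confirm that
none of the split-out Python tools import crypt, or add it to the
package that does. Also, the commit message calls the base package
empty, yet the context in 1/5 still shows
RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python", so installing
policycoreutils continues to pull in Python; if that line is meant to
stay, say so in the message.
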
-- 
1.7.10.4




* [meta-selinux][PATCH 3/5] Remove runtime dependency on policycoreutils from the reference policy.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 1/5] Break policycoreutils out into separate packages for the various utilities Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 2/5] Remove unnecessary RDEPENDS_${BPN} Philip Tricca
@ 2013-10-17 19:06 ` Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 4/5] Add packagegroup and image recipe for minimal SELinux image Philip Tricca
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

The only thing refpol needs to depend on at runtime are the things
necessary to load the policy.  If sysvinit is patched to load the
policy (which it is) then we only need the config.
---
 recipes-security/refpolicy/refpolicy_common.inc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 3eaf16d..873d887 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -16,7 +16,7 @@ FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
 FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
 
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
-RDEPENDS_${PN} += "policycoreutils selinux-config"
+RDEPENDS_${PN} += "selinux-config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
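
Review bot: dropping policycoreutils from RDEPENDS_${PN} makes policy
loading depend on the sysvinit patch the commit message mentions, but
nothing in the recipe records that assumption. An image that uses a
different init, or a sysvinit without that patch, would install the
policy with no load_policy on the target. Consider an RRECOMMENDS on
policycoreutils-loadpolicy, or at least a comment next to this line
naming the sysvinit dependency.
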
-- 
1.7.10.4




* [meta-selinux][PATCH 4/5] Add packagegroup and image recipe for minimal SELinux image.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
                   ` (2 preceding siblings ...)
  2013-10-17 19:06 ` [meta-selinux][PATCH 3/5] Remove runtime dependency on policycoreutils from the reference policy Philip Tricca
@ 2013-10-17 19:06 ` Philip Tricca
  2013-10-17 19:06 ` [meta-selinux][PATCH 5/5] Add packagegroup for policycoreutils packages Philip Tricca
  2013-10-21 14:57 ` [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Joe MacDonald
  5 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

This is intended to demonstrate the minimal set of packages necessary
to boot and load a system with SELinux enabled. Specifically we
don't need any of the packages that depend on python.
---
 .../images/core-image-selinux-minimal.bb           |   15 +++++++++++
 .../packagegroups/packagegroup-selinux-minimal.bb  |   26 ++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 recipes-security/images/core-image-selinux-minimal.bb
 create mode 100644 recipes-security/packagegroups/packagegroup-selinux-minimal.bb

diff --git a/recipes-security/images/core-image-selinux-minimal.bb b/recipes-security/images/core-image-selinux-minimal.bb
new file mode 100644
index 0000000..45cd847
--- /dev/null
+++ b/recipes-security/images/core-image-selinux-minimal.bb
@@ -0,0 +1,15 @@
+DESCRIPTION = "Minimal image with SELinux support (no python)"
+
+IMAGE_FEATURES += "splash ssh-server-openssh"
+
+LICENSE = "MIT"
+
+IMAGE_INSTALL = "\
+	${CORE_IMAGE_BASE_INSTALL} \
+	bash \
+	util-linux-agetty \
+	packagegroup-core-boot \
+	packagegroup-selinux-minimal \
+"
+
+inherit core-image
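
Review bot: IMAGE_FEATURES adds "splash ssh-server-openssh" to an image
whose DESCRIPTION says minimal; neither is needed to boot and load a
policy, and the SSH server adds a network-facing service to what is
meant to be a reference for the smallest SELinux footprint. Either drop
both features or note in the recipe why they are kept. bash and
util-linux-agetty deserve the same one-line justification.
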
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
new file mode 100644
index 0000000..16f6bae
--- /dev/null
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -0,0 +1,26 @@
+DESCRIPTION = "SELinux packagegroup with only packages required for basic operations"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=3f40d7994397109285ec7b81fdeb3b58 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PR = "r0"
+
+PACKAGES = "\
+	${PN} \
+	"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+	coreutils \
+	libsepol \
+	libselinux \
+	libselinux-bin \
+	libsemanage \
+	policycoreutils-fixfiles \
+	policycoreutils-secon \
+	policycoreutils-semodule \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	selinux-config \
+	refpolicy-mls \
+	"
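
Review bot: RDEPENDS_${PN} hard-codes refpolicy-mls, so every user of
packagegroup-selinux-minimal gets the MLS policy whether or not that is
the policy their distro selects. Pulling the policy package name from a
variable with refpolicy-mls as the default would keep the group
reusable. The list also omits policycoreutils-loadpolicy; if that is
deliberate because sysvinit loads the policy (per 3/5), a comment here
would save the next reader the search.
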
-- 
1.7.10.4




* [meta-selinux][PATCH 5/5] Add packagegroup for policycoreutils packages.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
                   ` (3 preceding siblings ...)
  2013-10-17 19:06 ` [meta-selinux][PATCH 4/5] Add packagegroup and image recipe for minimal SELinux image Philip Tricca
@ 2013-10-17 19:06 ` Philip Tricca
  2013-10-21 14:57 ` [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Joe MacDonald
  5 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-17 19:06 UTC (permalink / raw)
  To: yocto

The policycoreutils package previously included most everything in
the base package. This packagegroup is intended to fill the role
of the old policycoreutils package and pull in all packages from the
policycoreutils recipe.
---
 .../packagegroups/packagegroup-core-selinux.bb     |    4 +--
 .../packagegroup-selinux-policycoreutils.bb        |   36 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 7cd7409..76863b0 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -19,9 +19,7 @@ RDEPENDS_${PN} = " \
 	libsemanage \
 	checkpolicy \
 	sepolgen \
-	policycoreutils \
-	policycoreutils-sandbox \
-	policycoreutils-python \
+	packagegroup-selinux-policycoreutils \
 	setools \
 	setools-console \
 	selinux-config \
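
Review bot: swapping policycoreutils for
packagegroup-selinux-policycoreutils fixes this packagegroup only. Per
the 2/5 commit message the bare policycoreutils package is now empty,
so any image or recipe outside this file that still names
policycoreutils will build cleanly and silently lose the tools. Please
either have the base package RDEPEND on the split packages for
compatibility or call out the required migration in the commit
message.
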
diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
new file mode 100644
index 0000000..296a7e3
--- /dev/null
+++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -0,0 +1,36 @@
+DESCRIPTION = "SELinux policycoreutils packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=3f40d7994397109285ec7b81fdeb3b58 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PR = "r0"
+
+PACKAGES = "\
+    ${PN} \
+    "
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+	policycoreutils-audit2allow \
+	policycoreutils-chcat \
+	policycoreutils-fixfiles \
+	policycoreutils-genhomedircon \
+	policycoreutils-loadpolicy \
+	policycoreutils-newrole \
+	policycoreutils-python \
+	policycoreutils-runinit \
+	policycoreutils-sandbox \
+	policycoreutils-secon \
+	policycoreutils-semanage \
+	policycoreutils-semodule \
+	policycoreutils-semodule-deps \
+	policycoreutils-semodule-expand \
+	policycoreutils-semodule-link \
+	policycoreutils-semodule-package \
+	policycoreutils-sepolgen-ifgen \
+	policycoreutils-sepolicy \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	policycoreutils-setsebool \
+	system-config-selinux \
+	"
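
Review bot: this RDEPENDS_${PN} list is a hand-made copy of the
PACKAGES list added to policycoreutils.inc in 1/5, so the two will
drift as soon as a utility is added or renamed there; a comment in both
places pointing at the other would help. Minor: the PACKAGES
continuation lines are indented with four spaces while RDEPENDS uses
tabs.
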
-- 
1.7.10.4




* Re: [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.
  2013-10-17 19:06 [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Philip Tricca
                   ` (4 preceding siblings ...)
  2013-10-17 19:06 ` [meta-selinux][PATCH 5/5] Add packagegroup for policycoreutils packages Philip Tricca
@ 2013-10-21 14:57 ` Joe MacDonald
  2013-10-21 20:01   ` Joe MacDonald
  5 siblings, 1 reply; 10+ messages in thread
From: Joe MacDonald @ 2013-10-21 14:57 UTC (permalink / raw)
  To: yocto


Thought I'd best (finally) follow up to the list on this.  I've been
talking to Philip offline.  These are in the queue for integration but
some surprising things have cropped up along the way and the integration
is being delayed a bit.

I'll be grabbing the other meta-selinux update at the same time.

-J.

[[yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.17 (Thu 19:06) Philip Tricca wrote:

> This is a resend of an earlier patch set that never made it to the list
> AFAIK.
> 
> The reference policy package currently pulls in a lot of python stuff
> that isn't strictly necessary to boot an SELinux system and load a
> policy. AFAIK this is caused by the mix of python and C utilities in
> policycoreutils.
> 
> This patch set breaks the policycoreutils recipe up into multiple
> packages, one for each utility. In this way we can have the refpol etc
> pull in only the utilities necessary for normal operation. This happens
> to be only the utilities written in C and thus we can remove python
> completely in a minimal image.
> 
> I've attempted to localize these changes as much as possible so this
> patch set should have minimal impact on recipes outside of the
> policycoreutils. An example image recipe is added to demonstrate a
> minimal image with only the utilities required to load a policy and
> manipulate the policy store (add / remove policy modules) at runtime.
> 
> Regards,
> - Philip
> 
> Philip Tricca (5):
>  Break policycoreutils out into separate
>  Remove unnecessary RDEPENDS_${BPN}.
>  Remove runtime dependency on
>  Add packagegroup and image recipe for
>  Add packagegroup for policycoreutils
> 
>  .../images/core-image-selinux-minimal.bb           |   15 ++
>  .../packagegroups/packagegroup-core-selinux.bb     |    4 +-
>  .../packagegroups/packagegroup-selinux-minimal.bb  |   26 +++
>  .../packagegroup-selinux-policycoreutils.bb        |   36 ++++
>  recipes-security/refpolicy/refpolicy_common.inc    |    2 +-
>  recipes-security/selinux/policycoreutils.inc       |  179 +++++++++++++++++--
>  6 files changed, 245 insertions(+), 17 deletions(-)
> 
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.
  2013-10-21 14:57 ` [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol Joe MacDonald
@ 2013-10-21 20:01   ` Joe MacDonald
  2013-10-22 15:37     ` Joe MacDonald
  0 siblings, 1 reply; 10+ messages in thread
From: Joe MacDonald @ 2013-10-21 20:01 UTC (permalink / raw)
  To: yocto, Philip Tricca


[Re: [yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.21 (Mon 10:57) Joe MacDonald wrote:

> Thought I'd best (finally) follow up to the list on this.  I've been
> talking to Philip offline.  These are in the queue for integration but
> some surprising things have cropped up along the way and the integration
> is being delayed a bit.
> 
> I'll be grabbing the other meta-selinux update at the same time.

Further to this, I've finished the merge of this batch and the two other
submissions I've seen for meta-selinux today.  I haven't yet pushed them
to meta-selinux on git.yoctoproject.org.  I'm going to let it cool off
until at least tomorrow since this one proved to be much more
problematic than I think it should have been.  In the meantime, I've
pushed the pending changes to my github project:

   https://github.com/joeythesaint/meta-selinux.git

on the contrib/joeythesaint branch.

-J.

> 
> -J.
> 
> [[yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.17 (Thu 19:06) Philip Tricca wrote:
> 
> > This is a resend of an earlier patch set that never made it to the list
> > AFAIK.
> > 
> > The reference policy package currently pulls in a lot of python stuff
> > that isn't strictly necessary to boot an SELinux system and load a
> > policy. AFAIK this is caused by the mix of python and C utilities in
> > policycoreutils.
> > 
> > This patch set breaks the policycoreutils recipe up into multiple
> > packages, one for each utility. In this way we can have the refpol etc
> > pull in only the utilities necessary for normal operation. This happens
> > to be only the utilities written in C and thus we can remove python
> > completely in a minimal image.
> > 
> > I've attempted to localize these changes as much as possible so this
> > patch set should have minimal impact on recipes outside of the
> > policycoreutils. An example image recipe is added to demonstrate a
> > minimal image with only the utilities required to load a policy and
> > manipulate the policy store (add / remove policy modules) at runtime.
> > 
> > Regards,
> > - Philip
> > 
> > Philip Tricca (5):
> >  Break policycoreutils out into separate
> >  Remove unnecessary RDEPENDS_${BPN}.
> >  Remove runtime dependency on
> >  Add packagegroup and image recipe for
> >  Add packagegroup for policycoreutils
> > 
> >  .../images/core-image-selinux-minimal.bb           |   15 ++
> >  .../packagegroups/packagegroup-core-selinux.bb     |    4 +-
> >  .../packagegroups/packagegroup-selinux-minimal.bb  |   26 +++
> >  .../packagegroup-selinux-policycoreutils.bb        |   36 ++++
> >  recipes-security/refpolicy/refpolicy_common.inc    |    2 +-
> >  recipes-security/selinux/policycoreutils.inc       |  179 +++++++++++++++++--
> >  6 files changed, 245 insertions(+), 17 deletions(-)
> > 
> 
-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.
  2013-10-21 20:01   ` Joe MacDonald
@ 2013-10-22 15:37     ` Joe MacDonald
  2013-10-22 16:50       ` Philip Tricca
  0 siblings, 1 reply; 10+ messages in thread
From: Joe MacDonald @ 2013-10-22 15:37 UTC (permalink / raw)
  To: yocto, Philip Tricca


[Re: [yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.21 (Mon 16:01) Joe MacDonald wrote:

> [Re: [yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.21 (Mon 10:57) Joe MacDonald wrote:
> 
> > Thought I'd best (finally) follow up to the list on this.  I've been
> > talking to Philip offline.  These are in the queue for integration but
> > some surprising things have cropped up along the way and the integration
> > is being delayed a bit.
> > 
> > I'll be grabbing the other meta-selinux update at the same time.
> 
> Further to this, I've finished the merge of this batch and the two other
> submissions I've seen for meta-selinux today.  I haven't yet pushed them
> to meta-selinux on git.yoctoproject.org.  I'm going to let it cool off
> until at least tomorrow since this one proved to be much more
> problematic than I think it should have been.  In the meantime, I've
> pushed the pending changes to my github project:
> 
>    https://github.com/joeythesaint/meta-selinux.git
> 
> on the contrib/joeythesaint branch.

Six of the seven commits that were on that branch are now in the
official meta-selinux master branch.  The last is the bzip-compressed
policy update.

Thanks Philip.

-J.

> 
> -J.
> 
> > 
> > -J.
> > 
> > [[yocto] [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.] On 13.10.17 (Thu 19:06) Philip Tricca wrote:
> > 
> > > This is a resend of an earlier patch set that never made it to the list
> > > AFAIK.
> > > 
> > > The reference policy package currently pulls in a lot of python stuff
> > > that isn't strictly necessary to boot an SELinux system and load a
> > > policy. AFAIK this is caused by the mix of python and C utilities in
> > > policycoreutils.
> > > 
> > > This patch set breaks the policycoreutils recipe up into multiple
> > > packages, one for each utility. In this way we can have the refpol etc
> > > pull in only the utilities necessary for normal operation. This happens
> > > to be only the utilities written in C and thus we can remove python
> > > completely in a minimal image.
> > > 
> > > I've attempted to localize these changes as much as possible so this
> > > patch set should have minimal impact on recipes outside of the
> > > policycoreutils. An example image recipe is added to demonstrate a
> > > minimal image with only the utilities required to load a policy and
> > > manipulate the policy store (add / remove policy modules) at runtime.
> > > 
> > > Regards,
> > > - Philip
> > > 
> > > Philip Tricca (5):
> > >  Break policycoreutils out into separate
> > >  Remove unnecessary RDEPENDS_${BPN}.
> > >  Remove runtime dependency on
> > >  Add packagegroup and image recipe for
> > >  Add packagegroup for policycoreutils
> > > 
> > >  .../images/core-image-selinux-minimal.bb           |   15 ++
> > >  .../packagegroups/packagegroup-core-selinux.bb     |    4 +-
> > >  .../packagegroups/packagegroup-selinux-minimal.bb  |   26 +++
> > >  .../packagegroup-selinux-policycoreutils.bb        |   36 ++++
> > >  recipes-security/refpolicy/refpolicy_common.inc    |    2 +-
> > >  recipes-security/selinux/policycoreutils.inc       |  179 +++++++++++++++++--
> > >  6 files changed, 245 insertions(+), 17 deletions(-)
> > > 
> > 
-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 0/5] Resend: Remove python dependency from refpol.
  2013-10-22 15:37     ` Joe MacDonald
@ 2013-10-22 16:50       ` Philip Tricca
  0 siblings, 0 replies; 10+ messages in thread
From: Philip Tricca @ 2013-10-22 16:50 UTC (permalink / raw)
  To: Joe MacDonald; +Cc: yocto


On 10/22/2013 11:37 AM, Joe MacDonald wrote:
> [Re: [yocto] [meta-selinux][PATCH 0/5] Resend: Remove python 
> dependency from refpol.] On 13.10.21 (Mon 16:01) Joe MacDonald 
> wrote:
> 
>> [Re: [yocto] [meta-selinux][PATCH 0/5] Resend: Remove python 
>> dependency from refpol.] On 13.10.21 (Mon 10:57) Joe MacDonald 
>> wrote:
>> 
>>> Thought I'd best (finally) follow up to the list on this.
>>> I've been talking to Philip offline.  These are in the queue
>>> for integration but some surprising things have cropped up
>>> along the way and the integration is being delayed a bit.
>>> 
>>> I'll be grabbing the other meta-selinux update at the same 
>>> time.
>> 
>> Further to this, I've finished the merge of this batch and the 
>> two other submissions I've seen for meta-selinux today.  I 
>> haven't yet pushed them to meta-selinux on git.yoctoproject.org. 
>> I'm going to let it cool off until at least tomorrow since this 
>> one proved to be much more problematic than I think it should 
>> have been.  In the meantime, I've pushed the pending changes to 
>> my github project:
>> 
>> https://github.com/joeythesaint/meta-selinux.git
>> 
>> on the contrib/joeythesaint branch.
> 
> Six of the seven commits that were on that branch are now in the 
> official meta-selinux master branch.  The last is the 
> bzip-compressed policy update.
> 
> Thanks Philip.

Sure thing Joe. Thanks for spending the time to get these integrated.

- - Philip

> 
> -J.
> 
>> 
>> -J.
>> 
>>> 
>>> -J.
>>> 
>>> [[yocto] [meta-selinux][PATCH 0/5] Resend: Remove python 
>>> dependency from refpol.] On 13.10.17 (Thu 19:06) Philip Tricca 
>>> wrote:
>>> 
>>>> This is a resend of an earlier patch set that never made it 
>>>> to the list AFAIK.
>>>> 
>>>> The reference policy package currently pulls in a lot of 
>>>> python stuff that isn't strictly necessary to boot an
>>>> SELinux system and load a policy. AFAIK this is caused by the
>>>> mix of python and C utilities in policycoreutils.
>>>> 
>>>> This patch set breaks the policycoreutils recipe up into 
>>>> multiple packages, one for each utility. In this way we can 
>>>> have the refpol etc pull in only the utilities necessary for 
>>>> normal operation. This happens to be only the utilities 
>>>> written in C and thus we can remove python completely in a 
>>>> minimal image.
>>>> 
>>>> I've attempted to localize these changes as much as possible 
>>>> so this patch set should have minimal impact on recipes 
>>>> outside of the policycoreutils. An example image recipe is 
>>>> added to demonstrate a minimal image with only the utilities 
>>>> required to load a policy and manipulate the policy store 
>>>> (add / remove policy modules) at runtime.
>>>> 
>>>> Regards, - Philip
>>>> 
>>>> Philip Tricca (5): Break policycoreutils out into separate 
>>>> Remove unnecessary RDEPENDS_${BPN}. Remove runtime
>>>> dependency on Add packagegroup and image recipe for Add
>>>> packagegroup for policycoreutils
>>>> 
>>>> .../images/core-image-selinux-minimal.bb           |   15 ++
>>>>  .../packagegroups/packagegroup-core-selinux.bb     |    4 +-
>>>>  .../packagegroups/packagegroup-selinux-minimal.bb  |   26 
>>>> +++ .../packagegroup-selinux-policycoreutils.bb        |
>>>> 36 ++++ recipes-security/refpolicy/refpolicy_common.inc    | 
>>>> 2 +- recipes-security/selinux/policycoreutils.inc       | 179
>>>> +++++++++++++++++-- 6 files changed, 245 insertions(+), 17
>>>> deletions(-)
>>>> 
>>> 


