[Re: [oe] meta-selinux]

On 15.02.11 (Wed 16:29) Paul Eggleton wrote:
> (Adding yocto@yoctoproject.org to CC since that is where meta-selinux patches
> tend to go at least)
>
> On Wednesday 11 February 2015 10:53:03 dpquigl wrote:
> > I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> > by the yocto project. I'm trying to use it with a base openembedded core
> > and it's not in sync with oe-core because it's based on poky.
>
> To be clear, poky and OE-Core are in lock-step. No patch to core recipes goes
> into Poky directly, they are applied to OE-Core and then they flow into Poky
> immediately thereafter (Richard, who does the merging of patches into OE-Core,
> does the sync to Poky immediately afterwards.)
>
> What's more likely happening I suspect is that you are on a newer
> branch/revision of OE-Core/Poky than the meta-selinux maintainers have tested.
> I can't speak to the maintenance schedule for meta-selinux but maybe others
> with knowledge there can chime in.

Our master tends to lag behind oe-core's master for a few reasons, but none of
them are really insurmountable. Certainly the intent is that
meta-selinux/master will build successfully with oe-core/master at any given
time.

> > This made me think of two questions. 1) Why is this not in OE core since so
> > many packages in core can potentially have SELinux support enabled and 2) if
> > it's not supposed to be in core where should turning on SELinux support
> > in a recipe go? For example coreutils can have SELinux support enabled.
> > Currently this is in meta-selinux as a bbappend to the coreutils
> > package. This works out because it's always going to be there. However
> > there is also a bbappend for an LXC recipe. LXC isn't in core which
> > means it has a dependency on a layer not in core.
> >
> > Ideally I would put the recipes needed for SELinux support in core and
> > have a distro feature which is checked in the recipes in core for
> > whether or not to add --with-selinux to the build flags. Then LXC could
> > check a core distro feature and enable SELinux if it wants to.
>
> We have to draw the line somewhere for what to include in OE-Core, and at the
> moment I guess we have considered SELinux to be outside its scope. Obviously
> these things get re-evaluated from time to time, and SELinux is a little bit
> painful for this because of how many recipes it has to touch. Ultimately it
> depends on how many people in the embedded space want to enable and use
> SELinux.
>
> Thoughts from others?

I've been doing SELinux stuff for rather a long time and it's generally been
my experience that there's a set of developers / vendors that *really* want it
and know what they're doing, there's another set that *really* want nothing to
do with it and a group that say they want SELinux support but then immediately
start needing to turn stuff off because it causes their system to behave too
differently.

Taken as a simple maintenance thing, I think it's easier to have SELinux be
part of OE-Core. Given, though, it's really not possible to divorce much of
SELinux functionality from python on the target, so then I don't know if it
really makes sense for something like that to be part of oe-core, proper. I
would think no.

> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre

--
-Joe MacDonald.
:wq