diff mbox series

[meta-selinux] Enable SELinux support in native packages

Message ID 20260213154238.4093604-2-u.kleine-koenig@baylibre.com
State New
Headers show
Series [meta-selinux] Enable SELinux support in native packages | expand

Commit Message

Uwe Kleine-König Feb. 13, 2026, 3:42 p.m. UTC 
With SELinux enabled for the target it makes sense to have SELinux
support enabled for the native tools, too.

Note that for native packages DISTRO_FEATURES is filtered, thus up to now
it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
make "selinux" propagate also to DISTRO_FEATURES for native packages.
---
Hello,

I use this on scarthgap, but the patch applies fine to master, too.

During a debug session it took me quite a while to find out why

	ls -lZ "${IMAGE_ROOTFS}

at the end of selinux_set_labels() didn't show the labels added by
setfiles.

Best regards
Uwe

 classes/enable-selinux.bbclass | 2 +-
 conf/layer.conf                | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)


base-commit: 536df5a4fbce3c9fd63f51580f43d248a0d1b0ef

Comments

Yi Zhao March 9, 2026, 12:23 p.m. UTC | #1 
On 2/13/26 23:42, "Uwe Kleine-König wrote:
> With SELinux enabled for the target it makes sense to have SELinux
> support enabled for the native tools, too.
>
> Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> make "selinux" propagate also to DISTRO_FEATURES for native packages.
> ---
> Hello,
>
> I use this on scarthgap, but the patch applies fine to master, too.
>
> During a debug session it took me quite a while to find out why
>
> 	ls -lZ "${IMAGE_ROOTFS}
>
> at the end of selinux_set_labels() didn't show the labels added by
> setfiles.
>
> Best regards
> Uwe
>
>   classes/enable-selinux.bbclass | 2 +-
>   conf/layer.conf                | 4 ++++
>   2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> index 3dc61d6931ff..0c9f52e74cec 100644
> --- a/classes/enable-selinux.bbclass
> +++ b/classes/enable-selinux.bbclass
> @@ -1,3 +1,3 @@
>   inherit selinux
>   
> -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> diff --git a/conf/layer.conf b/conf/layer.conf
> index 4e04e5cc7e6a..ca981db57019 100644
> --- a/conf/layer.conf
> +++ b/conf/layer.conf
> @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
>   "
>   
>   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> +
> +# With target support for SELinux it is very helpful during debug when the
> +# native tools support SELinux, too.
> +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"

Can we add this to the doc (e.g. README) instead of enabling it directly 
in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
"selinux" in layer.conf either.


Thanks,

Yi


>
> base-commit: 536df5a4fbce3c9fd63f51580f43d248a0d1b0ef
Richard Purdie March 9, 2026, 2:21 p.m. UTC | #2 
On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> 
> On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > With SELinux enabled for the target it makes sense to have SELinux
> > support enabled for the native tools, too.
> > 
> > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > ---
> > Hello,
> > 
> > I use this on scarthgap, but the patch applies fine to master, too.
> > 
> > During a debug session it took me quite a while to find out why
> > 
> > 	ls -lZ "${IMAGE_ROOTFS}
> > 
> > at the end of selinux_set_labels() didn't show the labels added by
> > setfiles.
> > 
> > Best regards
> > Uwe
> > 
> >   classes/enable-selinux.bbclass | 2 +-
> >   conf/layer.conf                | 4 ++++
> >   2 files changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > index 3dc61d6931ff..0c9f52e74cec 100644
> > --- a/classes/enable-selinux.bbclass
> > +++ b/classes/enable-selinux.bbclass
> > @@ -1,3 +1,3 @@
> >   inherit selinux
> >   
> > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > diff --git a/conf/layer.conf b/conf/layer.conf
> > index 4e04e5cc7e6a..ca981db57019 100644
> > --- a/conf/layer.conf
> > +++ b/conf/layer.conf
> > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> >   "
> >   
> >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > +
> > +# With target support for SELinux it is very helpful during debug when the
> > +# native tools support SELinux, too.
> > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> 
> Can we add this to the doc (e.g. README) instead of enabling it directly 
> in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> "selinux" in layer.conf either.

I just wanted to add that putting that directly in layer.conf will mean
the layer isn't Yocto Project Compatible too.

Cheers,

Richard
Hiago De Franco March 17, 2026, 5:40 p.m. UTC | #3 
Hi Richard,

On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > 
> > On 2/13/26 23:42, "Uwe Kleine-K�nig wrote:
> > > With SELinux enabled for the target it makes sense to have SELinux
> > > support enabled for the native tools, too.
> > > 
> > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > ---
> > > Hello,
> > > 
> > > I use this on scarthgap, but the patch applies fine to master, too.
> > > 
> > > During a debug session it took me quite a while to find out why
> > > 
> > > 	ls -lZ "${IMAGE_ROOTFS}
> > > 
> > > at the end of selinux_set_labels() didn't show the labels added by
> > > setfiles.
> > > 
> > > Best regards
> > > Uwe
> > > 
> > > � classes/enable-selinux.bbclass | 2 +-
> > > � conf/layer.conf��������������� | 4 ++++
> > > � 2 files changed, 5 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > --- a/classes/enable-selinux.bbclass
> > > +++ b/classes/enable-selinux.bbclass
> > > @@ -1,3 +1,3 @@
> > > � inherit selinux
> > > � 
> > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > index 4e04e5cc7e6a..ca981db57019 100644
> > > --- a/conf/layer.conf
> > > +++ b/conf/layer.conf
> > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > � "
> > > � 
> > > � PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > +
> > > +# With target support for SELinux it is very helpful during debug when the
> > > +# native tools support SELinux, too.
> > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > 
> > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > "selinux" in layer.conf either.
> 
> I just wanted to add that putting that directly in layer.conf will mean
> the layer isn't Yocto Project Compatible too.

I am going to send a v2 and take over this work, already asked Uwe about
that.

But before doing it, I was wondering why changing layer.conf will make
the layer not compatible with Yocto Project anymore. Can you explain to
us the reason?

> 
> Cheers,
> 
> Richard
> 

Thanks!

Hiago.
Yoann Congal March 17, 2026, 6:23 p.m. UTC | #4 
On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> Hi Richard,
>
> On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
>> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
>> > 
>> > On 2/13/26 23:42, "Uwe Kleine-König wrote:
>> > > With SELinux enabled for the target it makes sense to have SELinux
>> > > support enabled for the native tools, too.
>> > > 
>> > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
>> > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
>> > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
>> > > ---
>> > > Hello,
>> > > 
>> > > I use this on scarthgap, but the patch applies fine to master, too.
>> > > 
>> > > During a debug session it took me quite a while to find out why
>> > > 
>> > > 	ls -lZ "${IMAGE_ROOTFS}
>> > > 
>> > > at the end of selinux_set_labels() didn't show the labels added by
>> > > setfiles.
>> > > 
>> > > Best regards
>> > > Uwe
>> > > 
>> > >   classes/enable-selinux.bbclass | 2 +-
>> > >   conf/layer.conf                | 4 ++++
>> > >   2 files changed, 5 insertions(+), 1 deletion(-)
>> > > 
>> > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
>> > > index 3dc61d6931ff..0c9f52e74cec 100644
>> > > --- a/classes/enable-selinux.bbclass
>> > > +++ b/classes/enable-selinux.bbclass
>> > > @@ -1,3 +1,3 @@
>> > >   inherit selinux
>> > >   
>> > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
>> > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
>> > > diff --git a/conf/layer.conf b/conf/layer.conf
>> > > index 4e04e5cc7e6a..ca981db57019 100644
>> > > --- a/conf/layer.conf
>> > > +++ b/conf/layer.conf
>> > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
>> > >   "
>> > >   
>> > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
>> > > +
>> > > +# With target support for SELinux it is very helpful during debug when the
>> > > +# native tools support SELinux, too.
>> > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
>> > 
>> > Can we add this to the doc (e.g. README) instead of enabling it directly 
>> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
>> > "selinux" in layer.conf either.
>> 
>> I just wanted to add that putting that directly in layer.conf will mean
>> the layer isn't Yocto Project Compatible too.
>
> I am going to send a v2 and take over this work, already asked Uwe about
> that.
>
> But before doing it, I was wondering why changing layer.conf will make
> the layer not compatible with Yocto Project anymore. Can you explain to
> us the reason?

I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> Inclusion of any layer in the submission does not change the
> behavior/configuration of the overall system without the user
> explicitly opting into those changes

By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
configuration changes globally without explicit opt-in of the user.

[0]: https://www.yoctoproject.org/compatible-registration/

>> Cheers,
>> 
>> Richard
>> 
>
> Thanks!
>
> Hiago.
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#3491): https://lists.yoctoproject.org/g/yocto-patches/message/3491
> Mute This Topic: https://lists.yoctoproject.org/mt/117794339/4316185
> Group Owner: yocto-patches+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto-patches/leave/13179410/4316185/929767106/xyzzy [yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
Hiago De Franco March 17, 2026, 8:19 p.m. UTC | #5 
On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > Hi Richard,
> >
> > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> >> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> >> > 
> >> > On 2/13/26 23:42, "Uwe Kleine-K�nig wrote:
> >> > > With SELinux enabled for the target it makes sense to have SELinux
> >> > > support enabled for the native tools, too.
> >> > > 
> >> > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> >> > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> >> > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> >> > > ---
> >> > > Hello,
> >> > > 
> >> > > I use this on scarthgap, but the patch applies fine to master, too.
> >> > > 
> >> > > During a debug session it took me quite a while to find out why
> >> > > 
> >> > > 	ls -lZ "${IMAGE_ROOTFS}
> >> > > 
> >> > > at the end of selinux_set_labels() didn't show the labels added by
> >> > > setfiles.
> >> > > 
> >> > > Best regards
> >> > > Uwe
> >> > > 
> >> > > � classes/enable-selinux.bbclass | 2 +-
> >> > > � conf/layer.conf��������������� | 4 ++++
> >> > > � 2 files changed, 5 insertions(+), 1 deletion(-)
> >> > > 
> >> > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> >> > > index 3dc61d6931ff..0c9f52e74cec 100644
> >> > > --- a/classes/enable-selinux.bbclass
> >> > > +++ b/classes/enable-selinux.bbclass
> >> > > @@ -1,3 +1,3 @@
> >> > > � inherit selinux
> >> > > � 
> >> > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> >> > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> >> > > diff --git a/conf/layer.conf b/conf/layer.conf
> >> > > index 4e04e5cc7e6a..ca981db57019 100644
> >> > > --- a/conf/layer.conf
> >> > > +++ b/conf/layer.conf
> >> > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> >> > > � "
> >> > > � 
> >> > > � PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> >> > > +
> >> > > +# With target support for SELinux it is very helpful during debug when the
> >> > > +# native tools support SELinux, too.
> >> > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> >> > 
> >> > Can we add this to the doc (e.g. README) instead of enabling it directly 
> >> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> >> > "selinux" in layer.conf either.
> >> 
> >> I just wanted to add that putting that directly in layer.conf will mean
> >> the layer isn't Yocto Project Compatible too.
> >
> > I am going to send a v2 and take over this work, already asked Uwe about
> > that.
> >
> > But before doing it, I was wondering why changing layer.conf will make
> > the layer not compatible with Yocto Project anymore. Can you explain to
> > us the reason?
> 
> I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > Inclusion of any layer in the submission does not change the
> > behavior/configuration of the overall system without the user
> > explicitly opting into those changes
> 
> By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> configuration changes globally without explicit opt-in of the user.
> 
> [0]: https://www.yoctoproject.org/compatible-registration/

Got it, thanks for the explanation! I will send the v2 patch soon.

> 
> >> Cheers,
> >> 
> >> Richard
> >> 
> >
> > Thanks!
> >
> > Hiago.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#3491): https://lists.yoctoproject.org/g/yocto-patches/message/3491
> > Mute This Topic: https://lists.yoctoproject.org/mt/117794339/4316185
> > Group Owner: yocto-patches+owner@lists.yoctoproject.org
> > Unsubscribe: https://lists.yoctoproject.org/g/yocto-patches/leave/13179410/4316185/929767106/xyzzy [yoann.congal@smile.fr]
> > -=-=-=-=-=-=-=-=-=-=-=-
> 
> 
> -- 
> Yoann Congal
> Smile ECS
> 
> 

Regards,

Hiago.
Uwe Kleine-König March 18, 2026, 7:50 a.m. UTC | #6 
On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > Hi Richard,
> >
> > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> >> On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> >> > 
> >> > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> >> > > With SELinux enabled for the target it makes sense to have SELinux
> >> > > support enabled for the native tools, too.
> >> > > 
> >> > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> >> > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> >> > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> >> > > ---
> >> > > Hello,
> >> > > 
> >> > > I use this on scarthgap, but the patch applies fine to master, too.
> >> > > 
> >> > > During a debug session it took me quite a while to find out why
> >> > > 
> >> > > 	ls -lZ "${IMAGE_ROOTFS}
> >> > > 
> >> > > at the end of selinux_set_labels() didn't show the labels added by
> >> > > setfiles.
> >> > > 
> >> > > Best regards
> >> > > Uwe
> >> > > 
> >> > >   classes/enable-selinux.bbclass | 2 +-
> >> > >   conf/layer.conf                | 4 ++++
> >> > >   2 files changed, 5 insertions(+), 1 deletion(-)
> >> > > 
> >> > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> >> > > index 3dc61d6931ff..0c9f52e74cec 100644
> >> > > --- a/classes/enable-selinux.bbclass
> >> > > +++ b/classes/enable-selinux.bbclass
> >> > > @@ -1,3 +1,3 @@
> >> > >   inherit selinux
> >> > >   
> >> > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> >> > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> >> > > diff --git a/conf/layer.conf b/conf/layer.conf
> >> > > index 4e04e5cc7e6a..ca981db57019 100644
> >> > > --- a/conf/layer.conf
> >> > > +++ b/conf/layer.conf
> >> > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> >> > >   "
> >> > >   
> >> > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> >> > > +
> >> > > +# With target support for SELinux it is very helpful during debug when the
> >> > > +# native tools support SELinux, too.
> >> > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> >> > 
> >> > Can we add this to the doc (e.g. README) instead of enabling it directly 
> >> > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> >> > "selinux" in layer.conf either.
> >> 
> >> I just wanted to add that putting that directly in layer.conf will mean
> >> the layer isn't Yocto Project Compatible too.
> >
> > I am going to send a v2 and take over this work, already asked Uwe about
> > that.
> >
> > But before doing it, I was wondering why changing layer.conf will make
> > the layer not compatible with Yocto Project anymore. Can you explain to
> > us the reason?
> 
> I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > Inclusion of any layer in the submission does not change the
> > behavior/configuration of the overall system without the user
> > explicitly opting into those changes
> 
> By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> configuration changes globally without explicit opt-in of the user.

Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
contain "selinux", this is a noop. So I don't see how this violates the
quoted critera.

What am I missing?

Best regards
Uwe
Richard Purdie March 18, 2026, 9:12 a.m. UTC | #7 
On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > Hi Richard,
> > > 
> > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > 
> > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > support enabled for the native tools, too.
> > > > > > 
> > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > ---
> > > > > > Hello,
> > > > > > 
> > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > 
> > > > > > During a debug session it took me quite a while to find out why
> > > > > > 
> > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > 
> > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > setfiles.
> > > > > > 
> > > > > > Best regards
> > > > > > Uwe
> > > > > > 
> > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > >   conf/layer.conf                | 4 ++++
> > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > 
> > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > @@ -1,3 +1,3 @@
> > > > > >   inherit selinux
> > > > > >   
> > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > --- a/conf/layer.conf
> > > > > > +++ b/conf/layer.conf
> > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > >   "
> > > > > >   
> > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > +
> > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > +# native tools support SELinux, too.
> > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > 
> > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > "selinux" in layer.conf either.
> > > > 
> > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > the layer isn't Yocto Project Compatible too.
> > > 
> > > I am going to send a v2 and take over this work, already asked Uwe about
> > > that.
> > > 
> > > But before doing it, I was wondering why changing layer.conf will make
> > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > us the reason?
> > 
> > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > Inclusion of any layer in the submission does not change the
> > > behavior/configuration of the overall system without the user
> > > explicitly opting into those changes
> > 
> > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > configuration changes globally without explicit opt-in of the user.
> 
> Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> contain "selinux", this is a noop. So I don't see how this violates the
> quoted critera.
> 
> What am I missing?

I guess it would depend whether any of the functions/variables in core
have hard dependencies on that variable. I was assuming that they do
but that might not be the case, I'm not sure without checking and you
may be right.

Cheers,

Richard
Uwe Kleine-König March 18, 2026, 11:13 a.m. UTC | #8 
On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > Hi Richard,
> > > > 
> > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > 
> > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > support enabled for the native tools, too.
> > > > > > > 
> > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > ---
> > > > > > > Hello,
> > > > > > > 
> > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > 
> > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > 
> > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > 
> > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > setfiles.
> > > > > > > 
> > > > > > > Best regards
> > > > > > > Uwe
> > > > > > > 
> > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > 
> > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > @@ -1,3 +1,3 @@
> > > > > > >   inherit selinux
> > > > > > >   
> > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > --- a/conf/layer.conf
> > > > > > > +++ b/conf/layer.conf
> > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > >   "
> > > > > > >   
> > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > +
> > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > +# native tools support SELinux, too.
> > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > 
> > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > "selinux" in layer.conf either.
> > > > > 
> > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > the layer isn't Yocto Project Compatible too.
> > > > 
> > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > that.
> > > > 
> > > > But before doing it, I was wondering why changing layer.conf will make
> > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > us the reason?
> > > 
> > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > Inclusion of any layer in the submission does not change the
> > > > behavior/configuration of the overall system without the user
> > > > explicitly opting into those changes
> > > 
> > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > configuration changes globally without explicit opt-in of the user.
> > 
> > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > contain "selinux", this is a noop. So I don't see how this violates the
> > quoted critera.
> > 
> > What am I missing?
> 
> I guess it would depend whether any of the functions/variables in core
> have hard dependencies on that variable. I was assuming that they do
> but that might not be the case, I'm not sure without checking and you
> may be right.

Wouldn't that be a bug if a function changes behaviour depending on
DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
having "selinux" for native packages iff the global DISTRO_FEATURES has
"selinux".)

I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
meta-openembedded, there are only matches in the first and these are
about default settings, appending DISTRO_FEATURES_OVERRIDES and
providing a filtered version of the global DISTRO_FEATURES for native
packages.

So unless I missed something, I'd claim setting
DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
relevant change without an explicit opt-in (by adding "selinux" to
DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
Hiago sent.

Best regards
Uwe
Richard Purdie March 18, 2026, 12:37 p.m. UTC | #9 
On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > Hi Richard,
> > > > > 
> > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > > 
> > > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > support enabled for the native tools, too.
> > > > > > > > 
> > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > ---
> > > > > > > > Hello,
> > > > > > > > 
> > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > > 
> > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > > 
> > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > > 
> > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > setfiles.
> > > > > > > > 
> > > > > > > > Best regards
> > > > > > > > Uwe
> > > > > > > > 
> > > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > > 
> > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > >   inherit selinux
> > > > > > > >   
> > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > --- a/conf/layer.conf
> > > > > > > > +++ b/conf/layer.conf
> > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > >   "
> > > > > > > >   
> > > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > +
> > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > +# native tools support SELinux, too.
> > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > > 
> > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > > "selinux" in layer.conf either.
> > > > > > 
> > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > the layer isn't Yocto Project Compatible too.
> > > > > 
> > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > that.
> > > > > 
> > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > us the reason?
> > > > 
> > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > Inclusion of any layer in the submission does not change the
> > > > > behavior/configuration of the overall system without the user
> > > > > explicitly opting into those changes
> > > > 
> > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > configuration changes globally without explicit opt-in of the user.
> > > 
> > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > contain "selinux", this is a noop. So I don't see how this violates the
> > > quoted critera.
> > > 
> > > What am I missing?
> > 
> > I guess it would depend whether any of the functions/variables in core
> > have hard dependencies on that variable. I was assuming that they do
> > but that might not be the case, I'm not sure without checking and you
> > may be right.
> 
> Wouldn't that be a bug if a function changes behaviour depending on
> DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> having "selinux" for native packages iff the global DISTRO_FEATURES has
> "selinux".)

It depends on how that variable is being used. Some usages would be an
issue, some would not. I have not checked how it is being used and what
the implications of that are.

> I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> meta-openembedded, there are only matches in the first and these are
> about default settings, appending DISTRO_FEATURES_OVERRIDES and
> providing a filtered version of the global DISTRO_FEATURES for native
> packages.
> 
> So unless I missed something, I'd claim setting
> DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> relevant change without an explicit opt-in (by adding "selinux" to
> DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> Hiago sent.

I'm starting to wish I'd just never said anything :/.

It would be nice if meta-selinux passes yocto-check-layer but that
isn't my call, I don't know if it does currently pass or not. I wanted
to caution that changing DISTRO_FEATURES or things related to
DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
you might get away with it, I don't know. Has anyone tested it?

I am generally worried about the amount of things people "load" up
layer.conf with as whilst it seems easy, the scope of it can be
problematic as it affects other layers, and in general you don't want
to be doing that unless it is configurable.

Cheers,

Richard
Uwe Kleine-König March 18, 2026, 2:22 p.m. UTC | #10 
Hey Richard,

On Wed, Mar 18, 2026 at 12:37:42PM +0000, Richard Purdie wrote:
> On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> > On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > > > 
> > > > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > > support enabled for the native tools, too.
> > > > > > > > > 
> > > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > > ---
> > > > > > > > > Hello,
> > > > > > > > > 
> > > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > > > 
> > > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > > > 
> > > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > > > 
> > > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > > setfiles.
> > > > > > > > > 
> > > > > > > > > Best regards
> > > > > > > > > Uwe
> > > > > > > > > 
> > > > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > > > 
> > > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > > >   inherit selinux
> > > > > > > > >   
> > > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > > --- a/conf/layer.conf
> > > > > > > > > +++ b/conf/layer.conf
> > > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > > >   "
> > > > > > > > >   
> > > > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > > +
> > > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > > +# native tools support SELinux, too.
> > > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > > > 
> > > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > > > "selinux" in layer.conf either.
> > > > > > > 
> > > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > > the layer isn't Yocto Project Compatible too.
> > > > > > 
> > > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > > that.
> > > > > > 
> > > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > > us the reason?
> > > > > 
> > > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > > Inclusion of any layer in the submission does not change the
> > > > > > behavior/configuration of the overall system without the user
> > > > > > explicitly opting into those changes
> > > > > 
> > > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > > configuration changes globally without explicit opt-in of the user.
> > > > 
> > > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > > contain "selinux", this is a noop. So I don't see how this violates the
> > > > quoted critera.
> > > > 
> > > > What am I missing?
> > > 
> > > I guess it would depend whether any of the functions/variables in core
> > > have hard dependencies on that variable. I was assuming that they do
> > > but that might not be the case, I'm not sure without checking and you
> > > may be right.
> > 
> > Wouldn't that be a bug if a function changes behaviour depending on
> > DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> > having "selinux" for native packages iff the global DISTRO_FEATURES has
> > "selinux".)
> 
> It depends on how that variable is being used. Some usages would be an
> issue, some would not. I have not checked how it is being used and what
> the implications of that are.
> 
> > I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> > meta-openembedded, there are only matches in the first and these are
> > about default settings, appending DISTRO_FEATURES_OVERRIDES and
> > providing a filtered version of the global DISTRO_FEATURES for native
> > packages.
> > 
> > So unless I missed something, I'd claim setting
> > DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> > relevant change without an explicit opt-in (by adding "selinux" to
> > DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> > Hiago sent.
> 
> I'm starting to wish I'd just never said anything :/.

:-\

> It would be nice if meta-selinux passes yocto-check-layer but that
> isn't my call, I don't know if it does currently pass or not. I wanted
> to caution that changing DISTRO_FEATURES or things related to
> DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
> you might get away with it, I don't know. Has anyone tested it?

I tried that:

	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux
	INFO: Detected layers:
	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
	ERROR: Layer meta-selinux depends on meta-python and isn't found.
	INFO:
	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
	ERROR: Layer meta-selinux depends on meta-python and isn't found.
	INFO: Skipping meta-selinux due to missing dependencies.
	INFO:
	INFO: Summary of results:
	INFO:
	INFO: meta-selinux ... SKIPPED (Missing dependencies)

hmm, so maybe I need to add this using --dependency:

	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux --dependency ../meta-openembedded/meta-python --dependency ../meta-openembedded
	INFO: Detected layers:
	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
	INFO: Adding meta-python to the list of layers to test, as a dependency
	INFO: Adding meta-oe to the list of layers to test, as a dependency
	INFO: 
	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
	INFO: Adding layer meta-python
	INFO: meta-python is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
	INFO: Adding layer meta-oe
	INFO: meta-oe is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
	INFO: Getting initial bitbake variables ...
	INFO: Getting initial signatures ...
	INFO: Generating signatures failed. This might be due to some parse error and/or general layer incompatibilities.
	Command: BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS BB_SIGNATURE_HANDLER" BB_SIGNATURE_HANDLER="OEBasicHash" bitbake -S lockedsigs world
	Output:
	WARNING: Host distribution "debian-13" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
	Loading cache...done.
	Loaded 0 entries from dependency cache.
	Parsing recipes...done.
	Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4316 targets, 86 skipped, 0 masked, 0 errors.
	Removing 14 recipes from the core2-64 sysroot...done.
	Removing 19 recipes from the qemux86_64 sysroot...done.
	Removing 6 recipes from the x86_64 sysroot...done.
	NOTE: Resolving any missing task queue dependencies
	ERROR: Nothing PROVIDES 'libselinux' (but /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/squashfs-tools-ng/squashfs-tools-ng_1.2.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/augeas/augeas_1.12.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.22.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/at/at_3.2.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2024.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/smartmontools/smartmontools_7.4.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/udev/eudev_3.2.14.bb, /home/uwe/work/ashjk/poky/meta/recipes-support/vim/vim_9.1.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/ltrace/ltrace_git.bb DEPENDS on or otherwise requires it)
	ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
	Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'hwloc', 'libselinux']

	Summary: There was 1 WARNING message.
	Summary: There were 2 ERROR messages, returning a non-zero exit code.

	INFO: meta-python already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-python from BBLAYERS.
	INFO: meta-oe already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-oe from BBLAYERS.
	INFO: 
	INFO: Summary of results:
	INFO: 
	INFO: meta-selinux ... FAIL (Generating world signatures)
	INFO: meta-python ... SKIPPED (Layer under test should not present in BBLAYERS)
	INFO: meta-oe ... SKIPPED (Layer under test should not present in BBLAYERS)

Maybe I'm holding it wrong, maybe meta-selinux just doesn't pass?!

Ah, when removing "selinux" from DISTRO_FEATURES it works better. Then
it says things like:

	...
	INFO: Traceback (most recent call last):
	  File "/home/uwe/work/ashjk/poky/scripts/lib/checklayer/cases/common.py", line 99, in test_signatures
	    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
	    ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	AssertionError: Adding layer meta-selinux changed signatures.
	1789 signatures changed, initial differences (first hash before, second after):
	   android-tools-conf:do_recipe_qa: 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 -> d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
	      bitbake-diffsigs --task android-tools-conf do_recipe_qa --signature 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
	...

(That's without my change BTW.)

> I am generally worried about the amount of things people "load" up
> layer.conf with as whilst it seems easy, the scope of it can be
> problematic as it affects other layers, and in general you don't want
> to be doing that unless it is configurable.

I understand your motivation, adding things there (even if they are ok)
add to the things you stumble over.

There is nothing I can say to rebut that objection. Still I think the
addition we're discussing about is technically fine and reduces the
surprises when working with meta-selinux. So in my subjective opinion
it's a net win to add it.

Best regards
Uwe
Hiago De Franco March 25, 2026, 12:28 p.m. UTC | #11 
Hello,

On Wed, Mar 18, 2026 at 03:22:44PM +0100, Uwe Kleine-König wrote:
> Hey Richard,
> 
> On Wed, Mar 18, 2026 at 12:37:42PM +0000, Richard Purdie wrote:
> > On Wed, 2026-03-18 at 12:13 +0100, Uwe Kleine-König wrote:
> > > On Wed, Mar 18, 2026 at 09:12:52AM +0000, Richard Purdie wrote:
> > > > On Wed, 2026-03-18 at 08:50 +0100, Uwe Kleine-König wrote:
> > > > > On Tue, Mar 17, 2026 at 07:23:35PM +0100, Yoann Congal wrote:
> > > > > > On Tue Mar 17, 2026 at 6:40 PM CET, Hiago De Franco via lists.yoctoproject.org wrote:
> > > > > > > On Mon, Mar 09, 2026 at 02:21:51PM +0000, Richard Purdie wrote:
> > > > > > > > On Mon, 2026-03-09 at 20:23 +0800, Yi Zhao via lists.yoctoproject.org wrote:
> > > > > > > > > 
> > > > > > > > > On 2/13/26 23:42, "Uwe Kleine-König wrote:
> > > > > > > > > > With SELinux enabled for the target it makes sense to have SELinux
> > > > > > > > > > support enabled for the native tools, too.
> > > > > > > > > > 
> > > > > > > > > > Note that for native packages DISTRO_FEATURES is filtered, thus up to now
> > > > > > > > > > it never contained "selinux". Append to DISTRO_FEATURES_FILTER_NATIVE to
> > > > > > > > > > make "selinux" propagate also to DISTRO_FEATURES for native packages.
> > > > > > > > > > ---
> > > > > > > > > > Hello,
> > > > > > > > > > 
> > > > > > > > > > I use this on scarthgap, but the patch applies fine to master, too.
> > > > > > > > > > 
> > > > > > > > > > During a debug session it took me quite a while to find out why
> > > > > > > > > > 
> > > > > > > > > > 	ls -lZ "${IMAGE_ROOTFS}
> > > > > > > > > > 
> > > > > > > > > > at the end of selinux_set_labels() didn't show the labels added by
> > > > > > > > > > setfiles.
> > > > > > > > > > 
> > > > > > > > > > Best regards
> > > > > > > > > > Uwe
> > > > > > > > > > 
> > > > > > > > > >   classes/enable-selinux.bbclass | 2 +-
> > > > > > > > > >   conf/layer.conf                | 4 ++++
> > > > > > > > > >   2 files changed, 5 insertions(+), 1 deletion(-)
> > > > > > > > > > 
> > > > > > > > > > diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
> > > > > > > > > > index 3dc61d6931ff..0c9f52e74cec 100644
> > > > > > > > > > --- a/classes/enable-selinux.bbclass
> > > > > > > > > > +++ b/classes/enable-selinux.bbclass
> > > > > > > > > > @@ -1,3 +1,3 @@
> > > > > > > > > >   inherit selinux
> > > > > > > > > >   
> > > > > > > > > > -PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
> > > > > > > > > > +PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
> > > > > > > > > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > > > > > > > > index 4e04e5cc7e6a..ca981db57019 100644
> > > > > > > > > > --- a/conf/layer.conf
> > > > > > > > > > +++ b/conf/layer.conf
> > > > > > > > > > @@ -25,3 +25,7 @@ LAYERDEPENDS_selinux = " \
> > > > > > > > > >   "
> > > > > > > > > >   
> > > > > > > > > >   PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
> > > > > > > > > > +
> > > > > > > > > > +# With target support for SELinux it is very helpful during debug when the
> > > > > > > > > > +# native tools support SELinux, too.
> > > > > > > > > > +DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"
> > > > > > > > > 
> > > > > > > > > Can we add this to the doc (e.g. README) instead of enabling it directly 
> > > > > > > > > in layer.conf? Since we haven't directly enabled DISTRO_FEATURES = 
> > > > > > > > > "selinux" in layer.conf either.
> > > > > > > > 
> > > > > > > > I just wanted to add that putting that directly in layer.conf will mean
> > > > > > > > the layer isn't Yocto Project Compatible too.
> > > > > > > 
> > > > > > > I am going to send a v2 and take over this work, already asked Uwe about
> > > > > > > that.
> > > > > > > 
> > > > > > > But before doing it, I was wondering why changing layer.conf will make
> > > > > > > the layer not compatible with Yocto Project anymore. Can you explain to
> > > > > > > us the reason?
> > > > > > 
> > > > > > I'd guess it is from this criteria of the Yocto Compatible layer[0]:
> > > > > > > Inclusion of any layer in the submission does not change the
> > > > > > > behavior/configuration of the overall system without the user
> > > > > > > explicitly opting into those changes
> > > > > > 
> > > > > > By putting a 'DISTRO_FEATURES += "selinux"' in layer.conf, the
> > > > > > configuration changes globally without explicit opt-in of the user.
> > > > > 
> > > > > Note that the patch didn't change DISTRO_FEATURES, it appended "selinux"
> > > > > to DISTRO_FEATURES_FILTER_NATIVE. If DISTRO_FEATURES doesn't already
> > > > > contain "selinux", this is a noop. So I don't see how this violates the
> > > > > quoted critera.
> > > > > 
> > > > > What am I missing?
> > > > 
> > > > I guess it would depend whether any of the functions/variables in core
> > > > have hard dependencies on that variable. I was assuming that they do
> > > > but that might not be the case, I'm not sure without checking and you
> > > > may be right.
> > > 
> > > Wouldn't that be a bug if a function changes behaviour depending on
> > > DISTRO_FEATURES_FILTER_NATIVE containing "selinux" or not? (Apart from
> > > having "selinux" for native packages iff the global DISTRO_FEATURES has
> > > "selinux".)
> > 
> > It depends on how that variable is being used. Some usages would be an
> > issue, some would not. I have not checked how it is being used and what
> > the implications of that are.
> > 
> > > I grepped for DISTRO_FEATURES_FILTER_NATIVE in oe-core, bitbake and
> > > meta-openembedded, there are only matches in the first and these are
> > > about default settings, appending DISTRO_FEATURES_OVERRIDES and
> > > providing a filtered version of the global DISTRO_FEATURES for native
> > > packages.
> > > 
> > > So unless I missed something, I'd claim setting
> > > DISTRO_FEATURES_FILTER_NATIVE:append in a layer doesn't result in a
> > > relevant change without an explicit opt-in (by adding "selinux" to
> > > DISTRO_FEATURES) and then this (implicit) v1 is better than the v2 that
> > > Hiago sent.
> > 
> > I'm starting to wish I'd just never said anything :/.
> 
> :-\
> 
> > It would be nice if meta-selinux passes yocto-check-layer but that
> > isn't my call, I don't know if it does currently pass or not. I wanted
> > to caution that changing DISTRO_FEATURES or things related to
> > DISTRO_FEATURES from layer.conf is generally a bad idea. In this case
> > you might get away with it, I don't know. Has anyone tested it?
> 
> I tried that:
> 
> 	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux
> 	INFO: Detected layers:
> 	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
> 	ERROR: Layer meta-selinux depends on meta-python and isn't found.
> 	INFO:
> 	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
> 	ERROR: Layer meta-selinux depends on meta-python and isn't found.
> 	INFO: Skipping meta-selinux due to missing dependencies.
> 	INFO:
> 	INFO: Summary of results:
> 	INFO:
> 	INFO: meta-selinux ... SKIPPED (Missing dependencies)
> 
> hmm, so maybe I need to add this using --dependency:
> 
> 	uwe@monoceros:~/work/ashjk/poky/build$ yocto-check-layer ../meta-selinux --dependency ../meta-openembedded/meta-python --dependency ../meta-openembedded
> 	INFO: Detected layers:
> 	INFO: meta-selinux: LayerType.SOFTWARE, /home/uwe/work/ashjk/poky/meta-selinux
> 	INFO: Adding meta-python to the list of layers to test, as a dependency
> 	INFO: Adding meta-oe to the list of layers to test, as a dependency
> 	INFO: 
> 	INFO: Setting up for meta-selinux(LayerType.SOFTWARE), /home/uwe/work/ashjk/poky/meta-selinux
> 	INFO: Adding layer meta-python
> 	INFO: meta-python is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
> 	INFO: Adding layer meta-oe
> 	INFO: meta-oe is already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf
> 	INFO: Getting initial bitbake variables ...
> 	INFO: Getting initial signatures ...
> 	INFO: Generating signatures failed. This might be due to some parse error and/or general layer incompatibilities.
> 	Command: BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS BB_SIGNATURE_HANDLER" BB_SIGNATURE_HANDLER="OEBasicHash" bitbake -S lockedsigs world
> 	Output:
> 	WARNING: Host distribution "debian-13" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
> 	Loading cache...done.
> 	Loaded 0 entries from dependency cache.
> 	Parsing recipes...done.
> 	Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4316 targets, 86 skipped, 0 masked, 0 errors.
> 	Removing 14 recipes from the core2-64 sysroot...done.
> 	Removing 19 recipes from the qemux86_64 sysroot...done.
> 	Removing 6 recipes from the x86_64 sysroot...done.
> 	NOTE: Resolving any missing task queue dependencies
> 	ERROR: Nothing PROVIDES 'libselinux' (but /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/hwloc/hwloc_2.9.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/squashfs-tools-ng/squashfs-tools-ng_1.2.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/augeas/augeas_1.12.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.22.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/at/at_3.2.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2024.5.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-extended/smartmontools/smartmontools_7.4.bb, /home/uwe/work/ashjk/poky/meta/recipes-extended/logrotate/logrotate_3.21.0.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/udev/eudev_3.2.14.bb, /home/uwe/work/ashjk/poky/meta/recipes-support/vim/vim_9.1.bb, /home/uwe/work/ashjk/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb, /home/uwe/work/ashjk/poky/meta-openembedded/meta-oe/recipes-devtools/ltrace/ltrace_git.bb DEPENDS on or otherwise requires it)
> 	ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
> 	Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'hwloc', 'libselinux']
> 
> 	Summary: There was 1 WARNING message.
> 	Summary: There were 2 ERROR messages, returning a non-zero exit code.
> 
> 	INFO: meta-python already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-python from BBLAYERS.
> 	INFO: meta-oe already in /home/uwe/work/ashjk/poky/build/conf/bblayers.conf. To capture initial signatures, layer under test should not present in BBLAYERS. Please remove meta-oe from BBLAYERS.
> 	INFO: 
> 	INFO: Summary of results:
> 	INFO: 
> 	INFO: meta-selinux ... FAIL (Generating world signatures)
> 	INFO: meta-python ... SKIPPED (Layer under test should not present in BBLAYERS)
> 	INFO: meta-oe ... SKIPPED (Layer under test should not present in BBLAYERS)
> 
> Maybe I'm holding it wrong, maybe meta-selinux just doesn't pass?!
> 
> Ah, when removing "selinux" from DISTRO_FEATURES it works better. Then
> it says things like:
> 
> 	...
> 	INFO: Traceback (most recent call last):
> 	  File "/home/uwe/work/ashjk/poky/scripts/lib/checklayer/cases/common.py", line 99, in test_signatures
> 	    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
> 	    ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 	AssertionError: Adding layer meta-selinux changed signatures.
> 	1789 signatures changed, initial differences (first hash before, second after):
> 	   android-tools-conf:do_recipe_qa: 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 -> d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
> 	      bitbake-diffsigs --task android-tools-conf do_recipe_qa --signature 0b9fecbec98924f57499d5d53c4b08bebe50deac72f025ed0f4b5b2274c57463 d7473d9aba93fba170cd904225f22485c12a8cbfbb90984d90014bc29ce47856
> 	...
> 
> (That's without my change BTW.)
> 
> > I am generally worried about the amount of things people "load" up
> > layer.conf with as whilst it seems easy, the scope of it can be
> > problematic as it affects other layers, and in general you don't want
> > to be doing that unless it is configurable.
> 
> I understand your motivation, adding things there (even if they are ok)
> add to the things you stumble over.
> 
> There is nothing I can say to rebut that objection. Still I think the
> addition we're discussing about is technically fine and reduces the
> surprises when working with meta-selinux. So in my subjective opinion
> it's a net win to add it.
> 
> Best regards
> Uwe

I would like to add something to the discussion that I just found
yesterday.

By enabling the native patckages to have SELinux by default, GPG 
breaks if secureboot is also being used. See the error below:

ERROR: linux-yocto-6.6.129+git-r0 do_sign: Failed to import gpg key
(user-keys/boot_keys/BOOT-GPG-PRIVKEY-BOOT-SecureCore): gpg: importing
secret keys not allowed
gpg: Total number processed: 1
gpg:       secret keys read: 1

This happens becaus of [0]. I had to specifically disable SELinux for
the GPG native package.

So, in this case, if we would to like to proceed with this patch, v2
would be a better option to prevent such errors.

[0] https://github.com/gpg/gnupg/blob/master/g10/import.c#L3319

Regards,
Hiago.
Uwe Kleine-König March 27, 2026, 4:33 p.m. UTC | #12 
Hello Hiago,

On Wed, Mar 25, 2026 at 09:28:19AM -0300, Hiago De Franco wrote:
> I would like to add something to the discussion that I just found
> yesterday.
> 
> By enabling the native patckages to have SELinux by default, GPG 
> breaks if secureboot is also being used. See the error below:
> 
> ERROR: linux-yocto-6.6.129+git-r0 do_sign: Failed to import gpg key
> (user-keys/boot_keys/BOOT-GPG-PRIVKEY-BOOT-SecureCore): gpg: importing
> secret keys not allowed
> gpg: Total number processed: 1
> gpg:       secret keys read: 1
> 
> This happens becaus of [0]. I had to specifically disable SELinux for
> the GPG native package.

This is ridiculous. What about

diff --git a/g10/import.c b/g10/import.c
index ba62d2322c93..44b113d77222 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3235,21 +3235,21 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock,
      cipher algorithm (only checks the primary key, though).  */
   if (ski->algo > 110)
     {
       if (!for_migration)
         log_error (_("key %s: secret key with invalid cipher %d"
                      " - skipped\n"), keystr_from_pk (pk), ski->algo);
       release_kbnode (keyblock);
       return 0;
     }
 
-#ifdef ENABLE_SELINUX_HACKS
+#ifdef I_WANT_A_BROKEN_GNUPG
   if (1)
     {
       /* We don't allow importing secret keys because that may be used
          to put a secret key into the keyring and the user might later
          be tricked into signing stuff with that key.  */
       log_error (_("importing secret keys not allowed\n"));
       release_kbnode (keyblock);
       return 0;
     }
 #endif

instead? Or does someone understand why it's considered easier to trick
the user into bad stuff with SELINUX enabled?

> So, in this case, if we would to like to proceed with this patch, v2
> would be a better option to prevent such errors.

Well, it only prevents the error if the yocto build doesn't have

	DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"

in local.conf which is recommended in the docs with v2. So I (still)
don't consider v2 better.

Best regards
Uwe
diff mbox series

Patch

diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
index 3dc61d6931ff..0c9f52e74cec 100644
--- a/classes/enable-selinux.bbclass
+++ b/classes/enable-selinux.bbclass
@@ -1,3 +1,3 @@ 
 inherit selinux
 
-PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
+PACKAGECONFIG:append = " ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
diff --git a/conf/layer.conf b/conf/layer.conf
index 4e04e5cc7e6a..ca981db57019 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -25,3 +25,7 @@  LAYERDEPENDS_selinux = " \
 "
 
 PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
+
+# With target support for SELinux it is very helpful during debug when the
+# native tools support SELinux, too.
+DISTRO_FEATURES_FILTER_NATIVE:append = " selinux"