SUMMARY = "SELinux packages"
DESCRIPTION = "SELinux packages required for AGL"
LICENSE = "MIT"

inherit packagegroup features_check

REQUIRED_DISTRO_FEATURES = "selinux"

PACKAGES = " \
    packagegroup-agl-core-selinux \
    packagegroup-agl-core-selinux-devel \
"

#
# meta-selinux's packagegroup-core-selinux includes a lot of
# policy development tools with its inclusion of the layer's
# packagegroup-selinux-policycoreutils, which is not really
# desirable for a production image.  Create our own base
# packagegroup and an accompanying devel packagegroup that
# agl-devel can trigger pulling in.
#
# NOTES:
# - It seems likely we will always want auditd, so include
#   it in the base packagegroup.
# - selinux-autorelabel seems required to handle both the
#   edge case of builds done on non-xattr capable filesystems,
#   and to allow driving relabeling after potential package
#   installation during runtime.
# - packagegroup-selinux-policycoreutils includes a lot of
#   things that seem not useful in a lot of systems (e.g.
#   the gtk dependent selinux-gui), so for now the devel
#   packagegroup aims to include a more minimal set of tools
#   aimed at enabling checkpolicy and audit2allow use.
# - Some thought needs to go into whether the relabeling
#   fixup packages should be handled separately, as they
#   ideally should not go into images using read-only or
#   stateless rootfs, but those are image features so we
#   cannot check for them here.
#

RDEPENDS:${PN} = " \
    packagegroup-selinux-minimal \
    auditd \
    selinux-autorelabel \
    systemd-selinux-relabel \
"

RDEPENDS:${PN}-devel = " \
    ${BPN} \
    libsepol-bin \
    checkpolicy \
    policycoreutils-loadpolicy \
    policycoreutils-setsebool \
    policycoreutils-hll \
    semodule-utils-semodule-package \
    selinux-python-audit2allow \
"