blob: 493a46f2520f9dad75ffbb68e22a1dbe81c824a8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
SUMMARY = "SELinux packages"
DESCRIPTION = "SELinux packages required for AGL"
LICENSE = "MIT"
inherit packagegroup features_check
REQUIRED_DISTRO_FEATURES = "selinux"
PACKAGES = " \
packagegroup-agl-core-selinux \
packagegroup-agl-core-selinux-devel \
"
#
# meta-selinux's packagegroup-core-selinux includes a lot of
# policy development tools with its inclusion of the layer's
# packagegroup-selinux-policycoreutils, which is not really
# desirable for a production image. Create our own base
# packagegroup and an accompanying devel packagegroup that
# agl-devel can trigger pulling in.
#
# NOTES:
# - It seems likely we will always want auditd, so include
# it in the base packagegroup.
# - selinux-autorelabel seems required to handle both the
# edge case of builds done on non-xattr capable filesystems,
# and to allow driving relabeling after potential package
# installation during runtime.
# - packagegroup-selinux-policycoreutils includes a lot of
# things that seem not useful in a lot of systems (e.g.
# the gtk dependent selinux-gui), so for now the devel
# packagegroup aims to include a more minimal set of tools
# aimed at enabling checkpolicy and audit2allow use.
# - Some thought needs to go into whether the relabeling
# fixup packages should be handled separately, as they
# ideally should not go into images using read-only or
# stateless rootfs, but those are image features so we
# cannot check for them here.
#
RDEPENDS:${PN} = " \
packagegroup-selinux-minimal \
auditd \
selinux-autorelabel \
systemd-selinux-relabel \
"
RDEPENDS:${PN}-devel = " \
${BPN} \
libsepol-bin \
checkpolicy \
policycoreutils-loadpolicy \
policycoreutils-setsebool \
policycoreutils-hll \
semodule-utils-semodule-package \
selinux-python-audit2allow \
"
|