diff options
| author | Wenzong Fan <wenzong.fan@windriver.com> | 2017-09-04 22:59:48 -0700 |
|---|---|---|
| committer | Mark Hatle <mark.hatle@windriver.com> | 2017-09-13 19:48:51 -0500 |
| commit | a5b5f5b328fa7f059fbfe8480bd107379bfe8d21 (patch) | |
| tree | 8d841decf254e399fcd55a6156bc41e85b09d0eb | |
| parent | 9a07ac84248c97ea7adebebbf11d28bf9872b77f (diff) | |
| download | meta-selinux-a5b5f5b328fa7f059fbfe8480bd107379bfe8d21.tar.gz | |
selinux-sandbox: add package 2.7 (20170804)
Move policycoreutils/sandbox to sandbox:
* Move and rebase patch:
- policycoreutils-sandbox-de-bashify.patch
* Cleanup policycoreutils.inc
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
| -rw-r--r-- | recipes-security/selinux/policycoreutils.inc | 17 | ||||
| -rw-r--r-- | recipes-security/selinux/selinux-sandbox.inc | 28 | ||||
| -rw-r--r-- | recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch (renamed from recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch) | 13 | ||||
| -rw-r--r-- | recipes-security/selinux/selinux-sandbox_2.7.bb | 7 |
4 files changed, 42 insertions, 23 deletions
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index e8f6e5f..9e45e0c 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc | |||
| @@ -9,7 +9,6 @@ LICENSE = "GPLv2+" | |||
| 9 | 9 | ||
| 10 | SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 10 | SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
| 11 | file://policycoreutils-fixfiles-de-bashify.patch \ | 11 | file://policycoreutils-fixfiles-de-bashify.patch \ |
| 12 | file://policycoreutils-sandbox-de-bashify.patch \ | ||
| 13 | " | 12 | " |
| 14 | 13 | ||
| 15 | PAM_SRC_URI = "file://pam.d/newrole \ | 14 | PAM_SRC_URI = "file://pam.d/newrole \ |
| @@ -64,15 +63,6 @@ RDEPENDS_${BPN}-python += "\ | |||
| 64 | libsemanage-python \ | 63 | libsemanage-python \ |
| 65 | " | 64 | " |
| 66 | RDEPENDS_${BPN}-runinit += "libselinux" | 65 | RDEPENDS_${BPN}-runinit += "libselinux" |
| 67 | RDEPENDS_${BPN}-sandbox += "\ | ||
| 68 | python-math \ | ||
| 69 | python-shell \ | ||
| 70 | python-subprocess \ | ||
| 71 | python-textutils \ | ||
| 72 | python-unixadmin \ | ||
| 73 | libselinux-python \ | ||
| 74 | ${BPN}-python \ | ||
| 75 | " | ||
| 76 | RDEPENDS_${BPN}-secon += "libselinux" | 66 | RDEPENDS_${BPN}-secon += "libselinux" |
| 77 | RDEPENDS_${BPN}-semanage = "\ | 67 | RDEPENDS_${BPN}-semanage = "\ |
| 78 | python-core \ | 68 | python-core \ |
| @@ -128,7 +118,6 @@ PACKAGES =+ "\ | |||
| 128 | ${PN}-newrole \ | 118 | ${PN}-newrole \ |
| 129 | ${PN}-python \ | 119 | ${PN}-python \ |
| 130 | ${PN}-runinit \ | 120 | ${PN}-runinit \ |
| 131 | ${PN}-sandbox \ | ||
| 132 | ${PN}-secon \ | 121 | ${PN}-secon \ |
| 133 | ${PN}-semanage \ | 122 | ${PN}-semanage \ |
| 134 | ${PN}-semodule \ | 123 | ${PN}-semodule \ |
| @@ -171,12 +160,6 @@ FILES_${PN}-runinit += "\ | |||
| 171 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ | 160 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ |
| 172 | " | 161 | " |
| 173 | FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug" | 162 | FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug" |
| 174 | FILES_${PN}-sandbox += "\ | ||
| 175 | ${datadir}/sandbox/* \ | ||
| 176 | ${bindir}/sandbox \ | ||
| 177 | ${sbindir}/seunshare \ | ||
| 178 | ${sysconfdir}/sysconfig/sandbox \ | ||
| 179 | " | ||
| 180 | FILES_${PN}-secon += "${bindir}/secon" | 163 | FILES_${PN}-secon += "${bindir}/secon" |
| 181 | FILES_${PN}-semanage = "\ | 164 | FILES_${PN}-semanage = "\ |
| 182 | ${sbindir}/semanage \ | 165 | ${sbindir}/semanage \ |
diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc new file mode 100644 index 0000000..8616dd7 --- /dev/null +++ b/recipes-security/selinux/selinux-sandbox.inc | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | SUMMARY = "Run cmd under an SELinux sandbox" | ||
| 2 | DESCRIPTION = "\ | ||
| 3 | Run application within a tightly confined SELinux domain. The default \ | ||
| 4 | sandbox domain only allows applications the ability to read and write \ | ||
| 5 | stdin, stdout and any other file descriptors handed to it." | ||
| 6 | |||
| 7 | SECTION = "base" | ||
| 8 | LICENSE = "GPLv2+" | ||
| 9 | |||
| 10 | SRC_URI += "file://sandbox-de-bashify.patch \ | ||
| 11 | " | ||
| 12 | |||
| 13 | DEPENDS += "libcap-ng libselinux" | ||
| 14 | |||
| 15 | RDEPENDS_${PN} += "\ | ||
| 16 | python-math \ | ||
| 17 | python-shell \ | ||
| 18 | python-subprocess \ | ||
| 19 | python-textutils \ | ||
| 20 | python-unixadmin \ | ||
| 21 | libselinux-python \ | ||
| 22 | selinux-python \ | ||
| 23 | " | ||
| 24 | |||
| 25 | FILES_${PN} += "\ | ||
| 26 | ${datadir}/sandbox/sandboxX.sh \ | ||
| 27 | ${datadir}/sandbox/start \ | ||
| 28 | " | ||
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch index c078ef6..18cef4b 100644 --- a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch +++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch | |||
| @@ -9,25 +9,26 @@ sandboxX script, so point them at /bin/sh instead. | |||
| 9 | Upstream-Status: Pending | 9 | Upstream-Status: Pending |
| 10 | 10 | ||
| 11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
| 12 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
| 12 | --- | 13 | --- |
| 13 | sandbox/sandbox.init | 2 +- | 14 | sandbox/sandbox.init | 2 +- |
| 14 | sandbox/sandboxX.sh | 2 +- | 15 | sandbox/sandboxX.sh | 2 +- |
| 15 | 2 files changed, 2 insertions(+), 2 deletions(-) | 16 | 2 files changed, 2 insertions(+), 2 deletions(-) |
| 16 | 17 | ||
| 17 | diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init | 18 | diff --git a/sandbox.init b/sandbox.init |
| 18 | index b3979bf..1893dc8 100644 | 19 | index b3979bf..1893dc8 100644 |
| 19 | --- a/sandbox/sandbox.init | 20 | --- a/sandbox.init |
| 20 | +++ b/sandbox/sandbox.init | 21 | +++ b/sandbox.init |
| 21 | @@ -1,4 +1,4 @@ | 22 | @@ -1,4 +1,4 @@ |
| 22 | -#!/bin/bash | 23 | -#!/bin/bash |
| 23 | +#!/bin/sh | 24 | +#!/bin/sh |
| 24 | ## BEGIN INIT INFO | 25 | ## BEGIN INIT INFO |
| 25 | # Provides: sandbox | 26 | # Provides: sandbox |
| 26 | # Default-Start: 3 4 5 | 27 | # Default-Start: 3 4 5 |
| 27 | diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh | 28 | diff --git a/sandboxX.sh b/sandboxX.sh |
| 28 | index eaa500d..8755d75 100644 | 29 | index eaa500d..8755d75 100644 |
| 29 | --- a/sandbox/sandboxX.sh | 30 | --- a/sandboxX.sh |
| 30 | +++ b/sandbox/sandboxX.sh | 31 | +++ b/sandboxX.sh |
| 31 | @@ -1,4 +1,4 @@ | 32 | @@ -1,4 +1,4 @@ |
| 32 | -#!/bin/bash | 33 | -#!/bin/bash |
| 33 | +#!/bin/sh | 34 | +#!/bin/sh |
diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb b/recipes-security/selinux/selinux-sandbox_2.7.bb new file mode 100644 index 0000000..1307ce7 --- /dev/null +++ b/recipes-security/selinux/selinux-sandbox_2.7.bb | |||
| @@ -0,0 +1,7 @@ | |||
| 1 | include selinux_20170804.inc | ||
| 2 | include ${BPN}.inc | ||
| 3 | |||
| 4 | LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" | ||
| 5 | |||
| 6 | SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa" | ||
| 7 | SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541" | ||