| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches to make systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We don't need to set security context for /dev/log after syslogd daemon
startup because it is already set by udev. We just need to set the
correct security context for symbolic link /var/log before syslogd
startup.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 7d3b1347ae949c7208482694fd773e4bc3f321b4)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default /var/log is a symbolic link of /var/volatile/log. But
restorecon does not follow symbolic links then we will encounter the
following error when set /var/log/audit directory:
$ /sbin/restorecon -F /var/log/audit
/sbin/restorecon: SELinux: Could not get canonical path for /var/log/audit restorecon: Permission denied.
Use readlink to find the real path before set security context.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 8b79480663bc9de2343e0146ed8d3d0e59ab48be)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
There is no need to maintain two versions of repolicy. Drop this version
and only keep the git version.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 9e986d7d794f044464e1af914ddbcd57d8f1c2e9)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
audit repository clone failing with git protocol as
github.com requires the https protocol to be used
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current implementation was overwriting the sshd_config and sshd
assuming PAM is needed by default
openssh should use the default sshd_config packaged with the component
if no distro specific needs are present and not overwrite the full
sshd_config file
1. If PAM is enabled as a distro then enable the UsePAM option in sshd_config
2. Moved the file sshd to pam directory so that when pam is enabled,
then replace the default from poky by installing the same
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch added
in commit d6ff5a0e67af "libselinux: Backport NULL pointer fix from 3.1"
fails to apply because there is a extra level in the patch context.
The patch cannot apply and do_patch fails. Fix the context so it builds
again.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
commit b2b3ea27e3e3 "e2fsprogs: Superseded by upstream." removed
lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch from SRC_URI. It was
no longer applied, but the file was not deleted. Do that now.
e2fsprogs_%.bbappend/e2fsprogs_selinux.inc now do nothing, so remove
them as well.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
An equivalent patch was merged into 1.45.7: commit 7616fd6a599e
"create_inode: set xattrs to the root directory as well". The existing
one still applies and actualy breaks building because of duplicate
lables. Remove it.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
Include example send-email
(cherry picked from commit 48038b45dc114592991c069eb66d174820c0701d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using function restorecon_init inside selinux_restorecon.c can
result in a NULL pointer. This happens because function
selinux_restorecon_set_sehandle can return a NULL pointer. But
it is not checked and directly given to the next function.
This problem is already fixed in libselinux 3.1 and above.
Therefore backport this fix.
Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/08f5e30177218fae7ce9f5c8d6856690126b2b30]
Issue: MGURSU-7259
Change-Id: Ice5c7c94987441ba53431aeffc200c0b9c5697a4
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/SELinuxProject/selinux
MR: 111869
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac
ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6
Description:
Affects: secilc <= 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/SELinuxProject/selinux/
MR: 111857
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4
Description:
Affects: libsepol <= 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://github.com/SELinuxProject/selinux
MR: 111851
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18
Description:
Affects: libsepol < 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes the error below:
gcc: error: unrecognized command line option
‘-fmacro-prefix-map=/path/to/build/libselinux-python/3.0-r0=/usr/src/debug/libselinux-python/3.0-r0’
Without inheriting the config, supposedly a wrong compiler is used.
Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Backport a patch to remove unused te_assertions to fix the
build failure on fedora 32.
Fixes:
| /build/tmp-glibc/hosttools/ld: policy_define.o:(.bss+0x28): multiple definition of `te_assertions'/build/tmp-glibc/hosttools/ld: policy_define.o:(.bss+0x28): multiple definition of `te_assertions'; y.tab.o:(.bss+0x18): first defined here
| collect2: error: ld returned 1 exit status
| make: *** [Makefile:33: checkpolicy] Error 1
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport 2 patches to fix the build errors on Fedora 32.
Fixes:
[snip]
../cil/src/cil_verify.lo:(.bss+0x4f0): multiple definition of `CIL_KEY_CONS_T3';
../cil/src/cil_verify.lo:(.bss+0x4f8): multiple definition of `CIL_KEY_CONS_T2';
../cil/src/cil_verify.lo:(.bss+0x500): multiple definition of `CIL_KEY_CONS_T1';
../cil/src/cil_verify.lo:(.bss+0x508): multiple definition of `cil_mem_error_handler';
[snip]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
when host arch and target arch are different, the extension
suffix of host is different with target one, so there will
be a invalid link. Fix by update the way to create the link.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Refresh fix-sepolicy-install-path.patch.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Fix typo in patch.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
License-Update: fix misspellings
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Refresh libsemanage-allow-to-disable-audit-support.patch
* Fix typos in patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
* Inherit python3native as the libselinux uses python distutils to install
selinux python bindings now.
* Add a patch to fix python modules install path for multilib.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Backport a patch to fix build failure with musl.
* Fix typos in patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Remove __pycache__ directories when do_install.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Install volatiles file as 04_bind rather than volatiles.04_bind.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
| |
The udev-cache has been remove in oe-core commit
048f4149b8438c521e8b65a3c96d850a9b4a3e5b. So we can also remove it.
Also sync the initscript to latest oe-core version.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
The sysklogd has been updated to 2.1.1 in oe-core and the klogd was
removed from this version since syslogd performs logging of kernel
messages. So we update the initscript to adapt it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
83eac4de updated the usage of getVar() in classes/selinux.bbclass to
leave out the default expand parameter. This is consistent with the
usage in the core layers.
Bring all other calls to getVar() in the layer into alignment with this
approach.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
The getVar() defaults to expanding by default, thus remove the True
option from all getVar() calls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
The linux-yocto 4.x recipes have been dropped in oe-core. We can remove
the bbappend.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On 32bit system,
After upgrade glibc to 2.31
# strace -o /tmp/test.log date -s 09:16:45
# tail -f /tmp/test.log
close(3) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
It means the clock_settime64 syscall is used, so
add the syscall.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The audit build uses swig to generate a python wrapper. But there is a
hardcoded include directory in auditswig.i, which causes header files on
the host to be used when building. This will cause build error on some
old systems. e.g. on CentOS7 with buildtools:
audit_wrap.c: In function '_wrap_audit_rule_flags_set':
audit_wrap.c:5018:19: error: dereferencing pointer to incomplete type 'struct audit_rule'
5018 if (arg1) (arg1)->flags = arg2;
^~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
using systemd
The commit 5fd3c5b71edb99659aeb5cb5903088d84517382e introduced an issue
that selinux-init.sh and selinux-labeldev.sh are not installed when
using systemd which will cause the selinux-ini.service and
selinux-labeldev.service fail to startup. Move the do_install codes from
selinux-autorelabel to selinux-initsh.inc to make sure install these
scripts when using systemd.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Add Yi Zhao as the maintainer.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Switch to python3
* Update policy-version to 31 to match selinux 2.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Add UPSTREAM_CHECK_GITTAGREGEX to make devtool check-upgrade-status
works.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The install-pywarp target doesn't depend on swigify target because the
semanage.py is not generated by swigify target but pywrap target.
Here is the dependency chain:
install-pywrap -> pywrap -> $(SWIGSO) -> $(SWIGLOBJ) -> $(SWIGCOUT)
-> semanage.py
But in the recipe, the swigify target is added explicitly in do_install:
do_install_append() {
oe_runmake install-pywrap swigify \
[snip]
}
This target will regenerate the semanage.py when do_install. So there
will be a potential race issue in parallel build. The install-pywrap
target is trying to install semanage.py when swigify target is
generating the file. Then an empty semanage.py will be installed. Remove
the target swigify to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
