Commit message | Author | Age | Files | Lines
...
* refpolicy-targeted: remove duplicate type rules | Wenzong Fan | 2016-08-08 | 3 | -0/+48
    Remove duplicate type rules from init_t to init_script_file_type, they have been included by systemd policies.
    This also fixes the errors while installing modules for refpolicy-targeted if systemd support is enabled:
    | Conflicting type rules
    | Binary policy creation failed at line 327 of \
      .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
      /var/lib/selinux/targeted/tmp/modules/100/init/cil
    | Failed to generate binary
    | semodule: Failed!
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: remove virtual prefix for runtime providers | Joe MacDonald | 2016-07-07 | 3 | -3/+3
    In keeping with the approach of only providing a single default policy at runtime, we were originally using a virtual/refpolicy dependency and filling it with one of our specific refpolicy implementations. This works well enough for some package systems, but fails for others (specifically deb, possibly more). Since the intent was to only have one present in the default image anyway, we'll just throw out the 'virtual/' part of the RPROVIDES and related dependencies across the board.
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* README: update with systemd & virtual/refpolicy details | Shrikant Bobade | 2016-07-04 | 1 | -2/+25
    add init manager user guidelines and examples for using refpolicy with particular version and type.
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* e2fsprogs: Update bbappend | Joe MacDonald | 2016-06-22 | 1 | -0/+0
    e2fsprogs has been updated with oe-core commit f221f331704c0bdfc7c1dd361e666ce2158fe282
    Update our bbappend accordingly.
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* iproute2: fix qa warning by using with-selinux | Shrikant Bobade | 2016-06-16 | 1 | -0/+1
    WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on libselinux, but it isn't a build dependency, missing libselinux in DEPENDS or PACKAGECONFIG? [build-deps]
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* packagegroup-selinux-policycoreutils: add policycoreutils-hll | Shrikant Bobade | 2016-06-16 | 1 | -0/+1
    we need policycoreutils-hll to insert custom policy module/package, without it semodule install fails with error:
    libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/
    pp : No such file or directory
    libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
    (No such file or directory).
    semodule: Failed!
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* sepolgen: inherit python-dir | Robert Yang | 2016-06-16 | 1 | -0/+2
    Fixed:
    sepolgen-1.2.3: sepolgen: Files/directories were installed but not shipped in any package:
      /usr
      /usr/lib
      /usr/lib/python
      /usr/lib/python/site-packages
      /usr/lib/python/site-packages/sepolgen
      /usr/lib/python/site-packages/sepolgen/lex.py
      /usr/lib/python/site-packages/sepolgen/matching.py
      /usr/lib/python/site-packages/sepolgen/sepolgeni18n.py
      /usr/lib/python/site-packages/sepolgen/__init__.py
      /usr/lib/python/site-packages/sepolgen/classperms.py
      /usr/lib/python/site-packages/sepolgen/refparser.py
      /usr/lib/python/site-packages/sepolgen/module.py
      /usr/lib/python/site-packages/sepolgen/objectmodel.py
      /usr/lib/python/site-packages/sepolgen/interfaces.py
      /usr/lib/python/site-packages/sepolgen/access.py
      /usr/lib/python/site-packages/sepolgen/output.py
      /usr/lib/python/site-packages/sepolgen/refpolicy.py
      /usr/lib/python/site-packages/sepolgen/defaults.py
      /usr/lib/python/site-packages/sepolgen/audit.py
      /usr/lib/python/site-packages/sepolgen/yacc.py
      /usr/lib/python/site-packages/sepolgen/util.py
      /usr/lib/python/site-packages/sepolgen/policygen.py
    Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
    sepolgen: 22 installed and not shipped files. [installed-vs-shipped]
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: inherit python-dir | Robert Yang | 2016-06-16 | 1 | -1/+1
    Fixed:
    semanageswig_wrap.c:147:21: fatal error: Python.h: No such file or directory
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* eudev: add wildcard version | Shrikant Bobade | 2016-06-16 | 1 | -0/+0
    eudev version at poky updated to v3.2 from v3.1.5, so moving it to use wildcard in order to fix the parsing error.
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy_common.inc: enable conditional systemd support | Shrikant Bobade | 2016-05-27 | 1 | -1/+1
    refpolicy now introduced systemd support using POLICY_SYSTEMD variable, with systemd enabled setup we need the refpolicy with systemd support, so enable systemd support based on DISTRO_FEATURES.
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum_2.20151208: add systemd dependent policy modules | Shrikant Bobade | 2016-05-27 | 1 | -0/+2
    with systemd enabled refpolicy-minimum build breaks due to missing dependent policy modules, so add the dependent modules: clock, systemd, udev conditionally based on DISTRO_FEATURES.
    dependent systemd policy modules needed to fix these errors:
    * Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of .. modules/100/init/cil
    * Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at line 141 of.. moules/100/init/cil
    * Failed to resolve 'udev_t' in typeattributeset statement at line 143 of modules/100/init/cil
    semodule: Failed!
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum_git: add systemd dependent policy modules | Shrikant Bobade | 2016-05-27 | 1 | -0/+2
    with systemd enabled refpolicy-minimum build breaks due to missing dependent policy modules, so add the dependent modules: clock, systemd, udev conditionally based on DISTRO_FEATURES.
    dependent systemd policy modules needed to fix these errors:
    * Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of .. modules/100/init/cil
    * Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at line 141 of.. moules/100/init/cil
    * Failed to resolve 'udev_t' in typeattributeset statement at line 143 of modules/100/init/cil
    semodule: Failed!
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux_git: fix warnings of unavailable patches | Shrikant Bobade | 2016-05-27 | 1 | -2/+0
    Drop unavailable patches entry to fix the warning, even we are using libselinux v2.5 these warnings pop-up during recipes parsing.
    WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI entry libselinux-get-pywrap-depends-on-selinux.py.patch: file could not be found
    WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI entry libselinux-mount-procfs-before-check.patch: file could not be found
    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy_common: Use POLICY_NAME instead of POLICY_TYPE for SELINUXTYPE in config. | Wenzong Fan | 2016-04-20 | 1 | -1/+1
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy-minimum: port changes for prepare_policy_store | Wenzong Fan | 2016-04-17 | 1 | -11/+30
    Apply the changes to refpolicy-minimum_2.20151208.bb:
      commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
      Author: Wenzong Fan <wenzong.fan@windriver.com>
      Date: Tue Oct 27 06:25:04 2015 -0400
      refpolicy-minimum: update prepare_policy_store
      * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the logic is from refpolicy_common.inc but with minimum set of policy modules;
      * add extra policy modules that required by sysnetwork, without those modules the install process will fail with error:
        | Failed to resolve roletype statement at 62 of \
          .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
        | Failed to resolve ast
        | semodule: Failed!
      Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
      Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default. | Philip Tricca | 2016-04-04 | 1 | -0/+10
    Use the anonymous python function to be sure the value set for 'SELINUX' in the config file is something useful. In the event that DEFAULT_ENFORCING isn't set to one of the 3 permissible values we set it to 'permissive'.
    Signed-off-by: Philip Tricca <flihp@twobit.us>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* Integrate selinux-config into refpolicy_common. | Philip Tricca | 2016-04-04 | 4 | -44/+28
    With the virtual package there's no need for a separate recipe to build the config. This can be generated and included as part of the policy package.
    Signed-off-by: Philip Tricca <flihp@twobit.us>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Setup virtual/refpolicy provider. | Philip Tricca | 2016-04-04 | 5 | -5/+7
    This allows us to provide a default policy through the PREFERRED_PROVIDER mechanism for each of the example distro configs. Consumers of meta-selinux will be able to override this at the config level instead of having to depend on a specific policy package. We do lose the ability to install more than one policy package but this falls in line with the embedded nature of the project.
    Signed-off-by: Philip Tricca <flihp@twobit.us>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Remove 2.20140311 release. | Philip Tricca | 2016-03-21 | 49 | -2071/+0
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy: Replace 2.2014120 with release 2.20151208. | Philip Tricca | 2016-03-21 | 49 | -75/+31
    This was mostly straight forward. Had to refresh a single patch: poky-policy-fix-new-SELINUXMNT-in-sys.patch
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: procattr fixes | Stephen Smalley | 2016-03-17 | 3 | -0/+89
    selinux upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c and f77021d720f12767576c25d751c75cacd7478614
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: Only mount /proc if necessary | Stephen Smalley | 2016-03-17 | 2 | -0/+55
    selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy: Add support for the SYSTEMD build.conf option. | Stephen Smalley | 2016-03-17 | 1 | -0/+2
    refpolicy has introduced a new build.conf option, SYSTEMD=y, to enable rules specific to using systemd as the init system. In particular, without setting this option, rules for direct domain transitions from init_t to daemon domains are not included in the policy. Define a POLICY_SYSTEMD variable in the refpolicy common include file that can be set elsewhere to enable this support.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy: update for change in libsemanage 2.5 | Stephen Smalley | 2016-03-17 | 1 | -2/+2
    libsemanage 2.5 renamed /var/lib/selinux/tmp to /var/lib/selinux/final; update the refpolicy recipe accordingly.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* Delete include files for 20140506 and 20150202 releases. | Stephen Smalley | 2016-03-17 | 2 | -10/+0
    These include files are no longer used by any .bb files.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* secilc: Add recipe | Stephen Smalley | 2016-03-17 | 2 | -0/+18
    SELinux Common Intermediate Language (CIL) policy compiler
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* sepolgen: uprev to 1.2.3 (20160223) | Stephen Smalley | 2016-03-17 | 2 | -7/+7
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* policycoreutils: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 5 | -123/+26
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* checkpolicy: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 3 | -8/+8
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsemanage: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 3 | -29/+29
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 4 | -145/+35
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsepol: uprev to 2.5 (release 20160223) | Stephen Smalley | 2016-03-17 | 2 | -9/+9
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* Add include file for the 20160223 SELinux userspace release. | Stephen Smalley | 2016-03-17 | 1 | -0/+5
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* net-tools: Rebase netstat-selinux-support.patch | Adrian Dudau | 2016-03-16 | 1 | -27/+28
    Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* rpm: Upgrade to version 5.4.16, rebase SELinux build patch. | Philip Tricca | 2016-03-16 | 2 | -12/+8
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* audit: upgrade 2.4.4 -> 2.5 | T.O. Radzy Radzykewycz | 2016-03-06 | 3 | -78/+10
    * rebase patch audit-python-configure.patch
    * remove audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch as it had already been applied upstream
    * 2.5 includes miscellaneous enhancements and fixes:
    2.5
    - Make augenrules the default method to load audit rules
    - Put rules in its own directory and break out rules into groups
    - Have auditd do a fsync before closing log
    - Make default flush setting larger
    - In auparse. terminate the generated strings (Burn Alting)
    - In auditd, add incremental_async flushing mode
    - Clean up dangling fields in DAEMON events
    - Add audit by process name support to auditctl (Richard Briggs)
    - Relax permissions on systemd files
    - Fix auparse to handle interlaced events (Burn Alting)
    - Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)
    2.4.5
    - Fix auditd disk flushing for data and sync modes
    - Fix auditctl to not show options not supported on older OS
    - Add audit.m4 file to aid adding support to other projects
    - Fix C99 inline function build issue
    - Add account lock and unlock event types
    - Change logging loophole check to geteuid()
    - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
    - Fix ausearch to parse FEATURE_CHANGE events
    ( From http://people.redhat.com/sgrubb/audit/ChangeLog )
    Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* udev: Rename udev bbappend to eudev. | Philip Tricca | 2016-03-06 | 3 | -4/+2
    Required by switch to eudev in oe-core. Dropping PR since this is effectively a new recipe.
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* at: drop obsolete SELinux patch | Stephen Smalley | 2016-03-03 | 2 | -190/+0
    SELinux support was merged upstream in at-3.1.18, so this patch no longer applies and is not needed.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* libselinux: backport procfs mount fix | Ioan-Adrian Ratiu | 2016-02-28 | 3 | -0/+76
    libselinux 20160107 ships this change (git commit id 9df49888)
    Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* findutils: Up-rev findutils 4.5.% to 4.6.% | Philip Tricca | 2016-02-27 | 1 | -0/+0
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* e2fsprogs: Copy xattr for filesystem root directory. | Philip Tricca | 2016-02-27 | 2 | -0/+39
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* linux-yocto: Use wildcard in 4.x bbappend. | Philip Tricca | 2016-02-27 | 1 | -0/+0
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsemanage: fix libsepol.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+30
    ERROR: libsemanage-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: fix libselinux.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+30
    ERROR: libselinux-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsepol: fix libsepol.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+32
    ERROR: libsepol-2.4-r0 do_populate_sysroot: QA Issue: libsepol.pc failed sanity test (tmpdir) in path /path/to//sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* e2fsprogs: Superseded by upstream. | Philip Tricca | 2016-02-27 | 6 | -930/+0
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* linux-yocto: Remove recipe for 3.14 and 3.19 kernel. | Thomas Perrot | 2016-02-27 | 2 | -16/+0
    Signed-off-by: Thomas Perrot <thomas.perrot@tupi.fr>
    Signed-off-by: Philip Tricca <flihp@twobit.us>
* MAINTAINERS: Update maintainers file [jethro] | Joe MacDonald | 2016-02-22 | 1 | -1/+1
    Adding Philip Tricca as a common layer maintainer and marking Pascal as away.
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: upgrade 2.4.3 -> 2.4.4 | Wenzong Fan | 2015-11-27 | 2 | -5/+6
    * rebase patch audit-python-configure.patch
    * 2.4.4 includes CVE-2015-5186 and bug fixes, details refer to: http://people.redhat.com/sgrubb/audit/ChangeLog
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-image: Fix RE error getting POL_TYPE | George McCollister | 2015-11-27 | 1 | -1/+1
    Change [:space:] to [[:space:]]. [:space:] is incorrect and is treated as a list of characters. Prior to this change having a policy of 'standard' resulted in POL_TYPE being set to 'tandard'.
    Change the regular expression to match from the beginning of the line since correcting the [:space:] error causes the '# SELINUXTYPE= can take one of these values:' line to match.
    Signed-off-by: George McCollister <george.mccollister@gmail.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>