| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Add Yi Zhao as the maintainer.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Switch to python3
* Update policy-version to 31 to match selinux 2.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Add UPSTREAM_CHECK_GITTAGREGEX to make devtool check-upgrade-status
works.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The install-pywarp target doesn't depend on swigify target because the
semanage.py is not generated by swigify target but pywrap target.
Here is the dependency chain:
install-pywrap -> pywrap -> $(SWIGSO) -> $(SWIGLOBJ) -> $(SWIGCOUT)
-> semanage.py
But in the recipe, the swigify target is added explicitly in do_install:
do_install_append() {
oe_runmake install-pywrap swigify \
[snip]
}
This target will regenerate the semanage.py when do_install. So there
will be a potential race issue in parallel build. The install-pywrap
target is trying to install semanage.py when swigify target is
generating the file. Then an empty semanage.py will be installed. Remove
the target swigify to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The install-pywarp target doesn't depend on swigify target because the
selinux.py is not generated by swigify target but pywrap target.
Here is the dependency chain:
install-pywrap -> pywrap -> $(SWIGFILES) -> $(SWIGPYOUT) -> $(SWIGCOUT)
-> selinux.py
But in the recipe, the swigify target is added explicitly in do_install:
do_install_append() {
oe_runmake install-pywrap swigify \
[snip]
}
This target will regenerate the selinux.py when do_install. So there
will be a potential race issue in parallel build. The install-pywrap
target is trying to install selinux.py when swigify target is generating
the file. Then an empty selinux.py will be installed. Remove the target
swigify to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
The python-ipy had been moved to meta-python.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Switch to python3
* Drop patches:
audit-python-configure.patch
audit-python.patch
fix-swig-host-contamination.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Switch to python3
* Drop patches:
Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Switch to python3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Switch to python3
* Rebase patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Switch to python3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Switch to python3
* Drop patches:
fix-TypeError-for-seobject.py.patch
process-ValueError-for-sepolicy-seobject.patch
* Rebase patches
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Rebase patches
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Rebase patches
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Switch to python3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Switch to python3
* Drop patches:
libsemanage-fix-path-nologin.patch
0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
* Rebase patches
* Update policy version to 31
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
After switch to python3, There is a loop dependency error with
libselinux-python package when build libselinux. Split the original
libselinux recipe into libselinux and libselinux-python.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Switch to python3
* Drop patches:
0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
* Split into libselinux recipe and libselinux-python recipe to fix the
loop dependency error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
* Drop patch 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Update SRC_URI
* Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Since oe-core upgrades sysvinit to 2.96, wildcard its bbappend and
drop the backported patch
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Since upstream oe-core [bd40260cba sed: upgrade to 4.7],
renme bbappend to match the new version
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
On highly storage-limited machines it may be beneficial to completely
remove some or all non-essential policy modules. refpolicy already
supports this with the 'no' option in modules.conf, so we'll just expose
this feature (with an appropriate warning) at the recipe-level.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
| |
With previous implementation, several packages provided
.autorelabel file while only selinux-autorelabel manage it.
If there is several packages which try to install .autorelabel
file, an issue occur during installation of packagegroup-core-selinux.
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE has been remove from mainline kernel
by the commit be6ec88f41ba ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE").
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Also remove thud and warrior, based on:
f5170305dcff (compat: remove thud from warrior layer compatibility
list)
Since thud or warrior users are expected to use the 'thud' or
'warrior' branch.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
| |
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
| |
|
|
|
|
|
|
| |
Disable golang bindings to avoid potential host contamination issue.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13166
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
which causes the parsing very slow when there are many layers, e.g., I have 87
layers:
* Before:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real 0m45.173s
user 0m0.560s
sys 0m0.060s
* After:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real 0m25.542s
user 0m0.572s
sys 0m0.040s
It wasted 20s which wasn't worth (The host has 128 threads, it should cost more
time on less power host), use BBFILES_DYNAMIC can fix the problem.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/setfiles. The relabel operations
are not permitted under enforcing mode. So we need to disable enforcing
mode before relabel.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
SETools has moved from https://github.com/TresysTechnology/setools to
https://github.com/SELinuxProject/setools
See: https://github.com/TresysTechnology/setools/wiki
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
By default the mcstrans init script will be installed to
/etc/rc.d/init.d directory. Specify INITDIR to install it to /etc/init.d
directory.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
On yocto warrior the semanage tool didn't work correctly, because it
couldn't find ntpath module. It turned out that this module is now part
of the package python-misc, therefore add dependency to python-misc.
Signed-off-by: Lorenz Kofler <lorenz@sigma-star.at>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Boot loops were being seen when booting with selinux enabled, when the
init system in use is systemd. Once logs were retrieved from the
failing system the error was found to be
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system
Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
used by selinux-init.sh is unable to handle this. On top of this the
system is basically presenting two methods of (re)labelling; using the
built in systemd approach via selinux-autorelabel.service *and* the
code we have in selinux-init.sh. This can get confusing especially
given that most online resources will speak to the systemd approach
using selinux-autorelabel.service and /.autorelabel.
These changes leave the current approach in place when sysvinit is the
init system used, but if systemd is being used we make use of it's
internal (re)labelling functionality. Overall the workflow remains the
same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
during the (re)labelling procedure).
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes:
ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-sandbox? [file-rdeps]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix QA issues:
QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package selinux-python requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-python? [file-rdeps]
QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps]
QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
We need SBINDIR to be compatible with the usrmerge distro feature.
The update to version 2.8 (commit c55c0aca...) removed the definition,
perhaps because the "${D}/" prefix broke the build.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix build error:
procattr.c:27:14: error: static declaration of 'gettid' follows
non-static declaration
27 | static pid_t gettid(void)
| ^~~~~~
In file included from /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
from procattr.c:2:
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
note: previous declaration of 'gettid' was here
34 | extern __pid_t gettid (void) __THROW;
| ^~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Per http://people.redhat.com/sgrubb/audit/, the
tarball source moves to https://github.com/linux-audit/audit-userspace,
and since commit [21f84fc insane: add sanity checks to SRC_URI]
applied in oe-core, do not use unstable github archive
tarballs, so use git instead.
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
| |
* Drop backport patch:
0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
* Refresh all patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.
Add meso-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
The mesa had been converted to use meson build system in oe-core commit
c72b6d46d392bfbcf54154f43663a7a8ada8c567. Update the bbappend to adapt
it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
The previous md5sum and sha256sum are not correct.
See: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20190201
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
