Commit message | Author | Age | Files | Lines
...
* rpm: modify the rpm bbappend file to be suitable for rpm4 | Dengke Du | 2017-05-16 | 1 | -4/+0
  Changed in V5: Make the subject more clear.
  Changed in V4: Make the comments more clear.
  Changed in V3: Rebase the patch on the latest master branch.
  Delete the files that do not exist when running task do_package.
  Signed-off-by: Dengke Du <dengke.du@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-git: clean up fallout from stable uprev | Joe MacDonald | 2017-05-04 | 17 | -107/+98
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Update to 20170204 release | Joe MacDonald | 2017-05-04 | 52 | -404/+593
  This updates all of the common policies: standard, minimum, mls and targeted.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: update git recipes | Joe MacDonald | 2017-05-03 | 43 | -446/+391
  The targeted, mls and minimum recipes had fallen far behind the upstream refpolicy repository. Refresh all patches and discard ones that are obviously no longer needed. This should not have any functional change on the policies.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-image: enable image labelling | Joe MacDonald | 2017-05-02 | 1 | -1/+8
  selinux images attempt to label the filesystem image at creation time. This depends on a native setfiles, though, which isn't guaranteed to be present without the DEPEND addition.
  If the 'setfiles' call fails, that shouldn't be fatal, though, it can always be run at first boot time, as is commonly done with desktop and server distros.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: start service after local-fs.target | Wenzong Fan | 2017-05-02 | 1 | -0/+1
  Fixing labels after local-fs.target to make sure all mounted filesystems are labeled correctly.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-mls: use native bzip2 instead of host | Alexandru Moise | 2017-05-02 | 1 | -1/+3
  The behavior of b{zip,unzip}2 can vary from host to host with regards to a number of things such as return value or permissions. We should always use the native bzip2 package to keep the behavior deterministic.
  This change prevents a warning at do_package_qa task of refpolicy-mls package.
  Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* removed ustr as a required RDEPEND | Doug Goldstein | 2017-05-02 | 1 | -1/+0
  Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* removed ustr package as it is unused | Doug Goldstein | 2017-05-02 | 5 | -1197/+0
  Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: remove dependency on ustr | Doug Goldstein | 2017-05-02 | 6 | -1/+668
  Use the upstream patches to remove the dependency on ustr which no longer builds with new versions of GCC and the author is unresponsive and the site hosting the code is down.
  Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* minimum build changes | Joe MacDonald | 2017-04-27 | 3 | -31/+0
  Not intended as a final patch, this is just a quick hack for master-next to enable building meta-selinux on current yocto base images.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: update to v2.7.1 | Tim Orling | 2017-02-24 | 1 | -2/+2
  Added swig-native to DEPENDS
  Signed-off-by: Tim Orling <timothy.t.orling@linux.intel.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* policycoreutils: add gettext-native to DEPENDS | Robert Yang | 2017-02-24 | 1 | -1/+1
  Fixed:
  msgfmt -o af.mo af.po
  make[1]: msgfmt: Command not found
  make[1]: *** [af.mo] Error 127
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libsemanage: add swig-native to DEPENDS | Robert Yang | 2017-02-24 | 1 | -1/+1
  Fixed:
  swig -Wall -python -o semanageswig_wrap.c -outdir ./ semanageswig_python.i
  make[1]: swig: Command not found
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* audit: add swig-native to DEPENDS | Robert Yang | 2017-02-24 | 1 | -1/+1
  Fixed:
  make[4]: swig: Command not found
  make[4]: *** [audit_wrap.c] Error 127
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* audit: upgrade 2.6.6 -> 2.7 | Wenzong Fan | 2017-01-09 | 1 | -2/+2
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-git: Update patches | Joe MacDonald | 2017-01-06 | 45 | -418/+501
  A number of upstream changes caused patch conflicts or duplication in the final policy. Update the list of git patches appropriately.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux_common: remove EXTRA_OEMAKE = "-e" | Wenzong Fan | 2017-01-05 | 1 | -5/+0
  Some variables are exported by top Makefile and updated from sub Makefile (such as PCRE_LDFLAGS, DISABLE_FLAGS ...). The '-e' option prevents those variables from updating in the sub Makefile and causes libselinux build errors:
  | label.lo:(.data.rel.ro.local+0x20): undefined reference to `selabel_property_init'
  | label.lo:(.data.rel.ro.local+0x28): undefined reference to `selabel_service_init'
  oe-core also cleaned such default value from commit: aeb65386
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* secilc: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 2 | -7/+7
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* sepolgen: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 2 | -7/+7
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutils: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 2 | -20/+21
  * rebase patch:
    - policycoreutils-process-ValueError-for-sepolicy-seobject.patch
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 2 | -7/+7
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 1 | -3/+3
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 6 | -194/+44
  * rebase patch:
    - libselinux-make-O_CLOEXEC-optional.patch
  * cleanup patches:
    - libselinux-only-mount-proc-if-necessary.patch
    - libselinux-procattr-return-einval-for-0-pid.patch
    - libselinux-procattr-return-error-on-invalid-pid.patch
  * other fixes:
    - remove useless variables according to latest Makefile
    - update FILES_${PN}-python to match the installed file: '${libdir}/python2.7/site-packages/_selinux.so'.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: uprev to 2.6 (20161014) | Wenzong Fan | 2017-01-05 | 2 | -9/+9
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux: uprev include file to 20161014 | Wenzong Fan | 2017-01-05 | 1 | -1/+1
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* iproute2: make packageconfig selinux work | Kai Kang | 2016-11-01 | 1 | -0/+8
  iproute2 calls command pkg-config to check whether libselinux exists then enable or disable selinux support. That makes packageconfig not work.
  The packageconfig selinux is set by checking whether distro feature selinux exists in with-selinux.bbclass. Modify the configure result file with same criteria.
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libpcre_%.bbappend: add missing symlink libpcre.so.1 | Ioan-Adrian Ratiu | 2016-11-01 | 1 | -0/+1
  This bbappend moves sysroot lib libpcre.so.x.x.x from /usr/lib to /lib and symlinks /usr/lib/libpcre.so to ../../lib/libpcre.so.x.x.x, but this causes certain recipes dependent on libpcre (like pango) to fail because they also expect libpcre.so.1 to exist which this recipe omits to create.
  (the reason why the lib is moved in the first place is to avoid a QA issue because there's a risk for /usr to be on another partition)
  Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* eudev: remove explicit setenforce call in init | Joe MacDonald | 2016-10-27 | 1 | -1/+0
  When using udev-cache, the eudev init script had been explicitly calling 'setenforce 1'. That's no longer necessary with updates to other parts of eudev and the presence of the call prevented booting core-image-selinux* systems in permissive mode. Remove the call to allow permissive booting.
  [YOCTO #7506]
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* dhcp: sync init-server with oe-core [morty] | Wenzong Fan | 2016-09-22 | 1 | -1/+1
  oe-core commit:
    a162416119ec9deee9fef53455d1281abe573681
    dhcpd: create dhcpd user for dhcp daemon
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux: update policy-version to 30 | Wenzong Fan | 2016-09-22 | 2 | -2/+2
  Both selinux 2.5 and kernel 4.8 support Max Policy Version 30.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd: fix for syslog | Shrikant Bobade | 2016-09-01 | 2 | -0/+70
  syslog & getty related allow rules required to fix the syslog mixup with boot log, while using systemd as init manager.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd: fix for systemd tmp-files services | Shrikant Bobade | 2016-09-01 | 2 | -0/+112
  fix for systemd tmp files setup services: systemd-journal-flush.service & systemd-logind.service.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd: fix for login & journal service | Shrikant Bobade | 2016-09-01 | 2 | -0/+106
  1. fix for systemd services: login & journal while using refpolicy-minimum and systemd as init manager.
  2. fix login duration after providing root password.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd: mount: enable required refpolicy booleans | Shrikant Bobade | 2016-09-01 | 2 | -0/+48
  enable required refpolicy booleans for these modules
  mount: allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: init: fix reboot with systemd as init manager. | Shrikant Bobade | 2016-09-01 | 2 | -0/+37
  add allow rule to fix avc denial during system reboot.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: locallogin: add allow rules for type local_login_t | Shrikant Bobade | 2016-09-01 | 2 | -0/+54
  add allow rules for locallogin module avc denials.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd: mount: logging: authlogin: add allow rules | Shrikant Bobade | 2016-09-01 | 2 | -0/+94
  add allow rules for avc denials for systemd, mount, logging & authlogin modules.
  without this change we are getting avc denials from these modules.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: audit: logging: getty: audit related allow rules | Shrikant Bobade | 2016-09-01 | 2 | -0/+68
  add allow rules for audit.log file & resolve dependent avc denials.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules | Shrikant Bobade | 2016-09-01 | 2 | -0/+131
  systemd allow rules for systemd service file operations: start, stop, restart & allow rule for unconfined systemd service.
  without this change we are getting avc denials and access denied to perform operations on service file.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy_common.inc: add refpolicy minimum banner at selinux config. | Shrikant Bobade | 2016-09-01 | 1 | -0/+1
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-labeldev: add systemd service file support | Shrikant Bobade | 2016-09-01 | 2 | -1/+15
  add systemd service file for handling selinux labeldev, this change improves handling of systemd service functionality like: status check, debug etc. compared to sysvinit compatibility mode scripts.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-autorelabel: add systemd service file support | Shrikant Bobade | 2016-09-01 | 2 | -1/+15
  add systemd service file for handling selinux autorelabel, this change improves handling of systemd service functionality like: status check, re-run, debug etc. compared to sysvinit compatibility mode scripts.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: add systemd service file support | Shrikant Bobade | 2016-09-01 | 2 | -1/+15
  add systemd service file for handling selinux initialization, this change improves handling of systemd service functionality like: status check, debug etc. compared to sysvinit compatibility mode scripts.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-initsh.inc: add systemd support | Shrikant Bobade | 2016-09-01 | 1 | -1/+11
  add support for systemd service file and handling of script required by systemd service file.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: 2.5 -> 2.6.6 | Wang Xin | 2016-09-01 | 2 | -3/+3
  1) Upgrade audit from 2.5 to 2.6.6.
  2) Modify audit-python.patch, since the data has changed.
  Signed-off-by: Wang Xin <wangxin2015.fnst@cn.fujitsu.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* augeas: Move to meta-python optional layer | Joe MacDonald | 2016-08-09 | 1 | -0/+0
  Augeas lives in meta-python, but meta-selinux shouldn't specifically require meta-python in every build, so make the bbappend optional using the standard mechanism already present in the layer.conf.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-targeted: remove duplicate type rules | Wenzong Fan | 2016-08-08 | 3 | -0/+48
  Remove duplicate type rules from init_t to init_script_file_type, they have been included by systemd policies.
  This also fixes the errors while installing modules for refpolicy-targeted if systemd support is enabled:
  | Conflicting type rules
  | Binary policy creation failed at line 327 of \
  .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
  /var/lib/selinux/targeted/tmp/modules/100/init/cil
  | Failed to generate binary
  | semodule: Failed!
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: remove virtual prefix for runtime providers | Joe MacDonald | 2016-07-07 | 3 | -3/+3
  In keeping with the approach of only providing a single default policy at runtime, we were originally using a virtual/refpolicy dependency and filling it with one of our specific refpolicy implementations. This works well enough for some package systems, but fails for others (specifically deb, possibly more).
  Since the intent was to only have one present in the default image anyway, we'll just throw out the 'virtual/' part of the RPROVIDES and related dependencies across the board.
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* README: update with systemd & virtual/refpolicy details | Shrikant Bobade | 2016-07-04 | 1 | -2/+25
  add init manager user guidelines and examples for using refpolicy with particular version and type.
  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>