summaryrefslogtreecommitdiffstats
path: root/recipes-security/selinux
Commit message (Collapse)AuthorAgeFilesLines
* Adapt to UNPACKDIR changesHEADmasterScott Murray6 days15-23/+7
| | | | | | | | | | | | Remove or update S definitions as required to work with oe-core S/UNPACKDIR changes. A default definition of S has been added to selinux_common.inc to avoid duplication in the set of recipes that use it to build packages from different subdirectories of the selinux repo. The three packagegroups test build successfully with these changes. Signed-off-by: Scott Murray <scott.murray@konsulko.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* selinux: upgrade 3.8 -> 3.8.1Yi Zhao2025-03-1015-1/+1
| | | | | | | | | | ChangeLog: https://github.com/SELinuxProject/selinux/releases/tag/3.8.1 * libsemanage: improved performance of semanage store rebuild Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* selinux: upgrade 3.7 -> 3.8Yi Zhao2025-03-0723-539/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | ChangeLog: https://github.com/SELinuxProject/selinux/releases/tag/3.8 * libsemanage: Preserve file context and ownership in policy store * libselinux: deprecate security_disable(3) * libsepol: Support nlmsg extended permissions * libsepol: Add policy capability netlink_xperm * libsemanage: Optionally allow duplicate declarations * policycoreutils: introduce unsetfiles * libselinux/utils: introduce selabel_compare * improved selabel_lookup performance * libselinux: support parallel usage of selabel_lookup(3) * libsepol: add support for xperms in conditional policies * Improved man pages * Code improvements and bug fixes * Always build for LFS mode on 32-bit archs. * libsemanage: Mute error messages from selinux_restorecon introduced in 3.8-rc1 * Regex spec ordering is restored to pre 3.8-rc1 * Binary fcontext files format changed, files using old format are ignored * Code improvements and bug fixes License-Update: White space cleanup for libsemanage/LICENSE Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* libsemanage: fix build with swig 4.3Yi Zhao2024-12-102-0/+423
| | | | | | | | | Backport a patch to fix build with swig 4.3[1]. [1] https://github.com/SELinuxProject/selinux/issues/447 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* libselinux-python: fix build with swig 4.3Yi Zhao2024-12-102-0/+92
| | | | | | | | | Backport a patch to fix build with swig 4.3[1]. [1] https://github.com/SELinuxProject/selinux/issues/447 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* selinux-python: fix sepolicy runtime errorYi Zhao2024-10-102-0/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For some distributions (e.g. Yocto) that do not provide system-release/distribution-release file, libdnf can not get releasever variable, causing conf.substitutions['releasever'] to not be set. This will cause 'sepolicy generate' command to fail with the following error on these distributions: $ sepolicy generate --init /usr/local/bin/foo Traceback (most recent call last): File "/usr/bin/sepolicy", line 702, in <module> args.func(args) File "/usr/bin/sepolicy", line 569, in generate mypolicy.gen_writeable() File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1302, in gen_writeable self.__extract_rpms() File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1268, in __extract_rpms base.read_all_repos() File "/usr/lib/python3.12/site-packages/dnf/base.py", line 554, in read_all_repos for repo in reader: ^^^^^^ File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 42, in __iter__ for r in self._get_repos(self.conf.config_file_path): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 109, in _get_repos parser.setSubstitutions(substs) File "/usr/lib/python3.12/site-packages/libdnf/conf.py", line 1643, in setSubstitutions return _conf.ConfigParser_setSubstitutions(self, substitutions) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: in method 'ConfigParser_setSubstitutions', argument 2 of type 'std::map< std::string,std::string,std::less< std::string >,std::allocator< std::pair< std::string const,std::string > > > const &' Set conf.substitutions['releasever'] to empty str if releasever is None. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* policycoreutils: fix packaging for sestatus binaryAlejandro Enedino Hernandez Samaniego2024-07-241-0/+1
| | | | | | | | | | | | | | | | | | | | sestatus is provided as ${base_sbindir}/sestatus which is currently packaged into PN-sestatus, however, this is only a symlink to the binary located in ${bindir}/sestatus. This causes that when runtime dependencies are calculated, bitbake properly detects a dependency from policycoreutils-sestatus to the main policycoreutils package. Hence the policycoreutils-sestatus package has no usability by itself, this has several implications, but one of them means that it recursively pulls all runtime dependencies, making policycoreutils-sestatus require everything that the main policycoreutils package RDEPENDS on, including python3. By correctly splitting these packages, an image that RDEPENDS only on policycoreutils-sestatus decreases its size by about ~13MB. Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* selinux-python: make GPLv3 dependency optionalEtienne Cordonnier2024-06-291-1/+3
| | | | | Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* selinux: upgrade 3.6 -> 3.7Yi Zhao2024-06-2915-1/+1
| | | | | | | | | | | | | | | | | ChangeLog: https://github.com/SELinuxProject/selinux/releases/tag/3.7 * audit2allow -C for CIL output mode * sepolgen: adjust parse for refpolicy * semanage: Allow modifying records on "add" * semanage: Do not sort local fcontext definitions * Improved man pages * checkpolicy: support CIDR notation for nodecon statements * sandbox: Add support for Wayland * Code improvements and bug fixes Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* recipes: WORKDIR -> UNPACKDIR transitionChangqing Li2024-06-261-2/+2
| | | | | | | | * WORKDIR -> UNPACKDIR transition * Switch away from S = WORKDIR Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* libselinux-python: add recipeYi Zhao2024-01-242-29/+59
| | | | | | | | | | | | | | | | | | | We merged libselinux recipe and libselinux-python recipe in commit[1] because we thought the circular dependency was gone. But unfortunately, it still exists. Here are the steps to reproduce: $ echo "DISTRO_FEATURES:append = \" x11\"" >> conf/local.conf $ echo "PACKAGECONFIG:append:pn-python3 = \" tk\"" >> conf/local.conf $ bitbake core-image-selinux -n So we still need to split the libselinux recipe into two recipes: libselinux and libselinux-python. [1] https://git.yoctoproject.org/meta-selinux/commit/?id=62b9c816a5000dc01b28e78213bde26b58cbca9d Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* semodule-utils: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-sandbox: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-gui: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-dbus: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-python: upgrade 3.5 -> 3.6Yi Zhao2023-12-182-2/+2
| | | | | | | * Refresh patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* restorecond: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* mcstrans: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* policycoreutils: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* secilc: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* checkpolicy: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsemanage: upgrade 3.5 -> 3.6Yi Zhao2023-12-184-14/+14
| | | | | | | * Refresh patches Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux: upgrade 3.5 -> 3.6Yi Zhao2023-12-185-60/+32
| | | | | | | | | | | | | * Refresh patches. * Merge libselinux and libselinux-python. The previous libselinux recipe was split into libselinux and libselinux-python due to loop dependency[1]. Now this error is gone, we can merge these two recipes into one again. [1] https://git.yoctoproject.org/meta-selinux/commit/?id=7bb1507928f2e0f54ff8eac4135e15e821cdb1e2 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* PATCH 02/15] libsepol: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux: upgrade 3.5 -> 3.6Yi Zhao2023-12-181-2/+2
| | | | | | | | | | ChangeLog: https://github.com/SELinuxProject/selinux/releases/tag/3.6 * Switch branch to main Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux-python: fix build with muslYi Zhao2023-09-051-0/+1
| | | | | | | | | | libselinux-python also requires the patch which provided by [1] to fix build with musl. [1] https://git.yoctoproject.org/meta-selinux/commit/?id=23d8e2d86317170c0a3c155640c71b83329ff726 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-python: add python3-distro and binutils to RDEPENDSYi Zhao2023-09-051-0/+2
| | | | | | | | | | | | | | | | | | | | | | Add python3-distro and binutils to RDEPENDS for sepolicy to fix runtime error: $ sepolicy -h Traceback (most recent call last): File "/usr/bin/sepolicy", line 690, in <module> gen_manpage_args(subparsers) File "/usr/bin/sepolicy", line 375, in gen_manpage_args man.add_argument("-o", "--os", dest="os", default=get_os_version(), File "/usr/lib/python3.11/site-packages/sepolicy/__init__.py", line 1245, in get_os_version import distro ModuleNotFoundError: No module named 'distro' $ sepolicy generate --init /usr/sbin/sshd /bin/sh: line 1: nm: command not found Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux: fix compilation with muslRenato Caldas2023-07-312-0/+44
| | | | | Signed-off-by: Renato Caldas <renato@calgera.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux: Set CVE_PRODUCTmickledoreschitrod=cisco.com@lists.yoctoproject.org2023-05-311-0/+2
| | | | | | | | | | | | | | | | | | | | | | The CVE product name for selinux-* package is (usually) the selinux (and not our recipe name), so use selinux as the default. See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html "Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping with after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages." Value added is based on: https://nvd.nist.gov/vuln/search/results?results_type=overview&search_type=all&cpe_product=cpe%3A%2F%3Akernel%3Aselinux Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* semodule-utils: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-sandbox: upgrade 3.4 -> 3.5Yi Zhao2023-03-272-51/+1
| | | | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. * Drop backport patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-gui: upgrade 3.4 -> 3.5Yi Zhao2023-03-272-202/+1
| | | | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. * Drop backport patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-dbus: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-python: upgrade 3.4 -> 3.5Yi Zhao2023-03-273-186/+19
| | | | | | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. * Refresh patch. * Drop backport patch. * Add dependency python3-setuptools-scm-native to fix build error. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* restorecond: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* mcstrans: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* policycoreutils: upgrade 3.4 -> 3.5Yi Zhao2023-03-272-6/+6
| | | | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. * Refresh patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* secilc: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* checkpolicy: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsemanage: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-6/+7
| | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux-python: upgrade 3.4 -> 3.5Yi Zhao2023-03-273-15/+19
| | | | | | | | * Add dependency python3-setuptools-scm-native to fix build error. * Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-0/+0
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: upgrade 3.4 -> 3.5Yi Zhao2023-03-272-83/+1
| | | | | | | | | License-Update: Rename COPYING to LICENSE. No content changes. * Drop backport patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux: upgrade 3.4 -> 3.5Yi Zhao2023-03-271-1/+1
| | | | | | | | ChangeLog: https://github.com/SELinuxProject/selinux/releases/tag/3.5 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: fix build failure for refpolicy-mlsYi Zhao2022-11-072-0/+82
| | | | | | | | | | | | | | Backport a patch to fix build failure for refpolicy-mls: | Creating mls xserver.pp policy package | libsepol.validate_user_datum: Invalid user datum | libsepol.validate_datum_array_entries: Invalid datum array entries | libsepol.validate_policydb: Invalid policydb | /buildarea/build/tmp/work/qemux86_64-poky-linux/refpolicy-mls/2.20220520+gitAUTOINC+f311d401cd-r0/recipe-sysroot-native/usr/bin/semodule_package: Error while reading policy module from tmp/xserver.mod | make: *** [Rules.modular:98: xserver.pp] Error 1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsemanage: Add python3 to dependenciesOleksiy Obitotskyy2022-10-021-1/+1
| | | | | | | | | | Recipe have implicit dependency on nativesdk-python, so recipe-sysroot-root populated with python headers. But during build code look for headers into recipe-sysroot. Add python dependency explicitly. Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* semodule-utils: upgrade 3.3 -> 3.4Yi Zhao2022-08-281-7/+4
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-sandbox: upgrade 3.3 -> 3.4Yi Zhao2022-08-283-6/+57
| | | | | | | | * Backport a patch to fix chcat runtime error. * Refresh patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-gui: upgrade 3.3 -> 3.4Yi Zhao2022-08-282-1/+203
| | | | | | | Backport a patch to fix chcat runtime error. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux-dbus: upgrade 3.3 -> 3.4Yi Zhao2022-08-281-1/+1
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-06 06:12:33 +0000