Commit message | Author | Age | Files | Lines
...
* refpolicy: standard/mls policy should set UBAC=n | Xin Ouyang | 2012-11-27 | 3 | -2/+5
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: fix policy to allow nfsd to work. | Xin Ouyang | 2012-11-27 | 4 | -2/+72
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-config: update the init script | Xin Ouyang | 2012-11-19 | 2 | -11/+41
  Fix the hard-coded security type for /dev/null and /dev/console.
  Check whether rootfs supports xattrs before relabeling.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy*: make to use pythonnative | Xin Ouyang | 2012-11-12 | 3 | -3/+3
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libcgroup: add bbappend and remove bb files | Xin Ouyang | 2012-11-07 | 3 | -189/+14
  libcgroup is placed in oe-core now.
  http://git.openembedded.org/openembedded-core/commit/?id=6ef8e6f2f9b0583fa0881e0dfc52462405b21ede
  So remove bb files from meta-selinux and add bbappend.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: backport to remove empty po files | Xin Ouyang | 2012-11-01 | 3 | -2/+3813
  et, gl, and id .po files contained no translations. This can cause
  build errors. Delete those puppies.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* kernel: default enable selinux for this layer. | Xin Ouyang | 2012-10-18 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* setools: add libxml2 DEPENDS. | Xin Ouyang | 2012-10-18 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* openssl: disable execstack in CFLAG | Xin Ouyang | 2012-10-18 | 1 | -0/+3
  "-Wa,--noexecstack" will mark objects as requiring executable stack,
  this is a dangerous CFLAG and would cause security issues. So disable
  it as most distros did.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-config: add init script | Xin Ouyang | 2012-10-18 | 2 | -2/+53
  This script will be installed as 0selinux-init, in runlevel S and
  sequence number 0. It will start before any other init script.
    * relabel /dev for restorecon/fixfiles running
    * rebuild policy and relabel the rootfs if /.autorelabel placed.
    * relabel the rootfs if it is first booting.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* document: add FAQ file for selinux | Xin Ouyang | 2012-10-18 | 1 | -0/+146
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* core-image-selinux: update task-* to packagegroup-* | Xin Ouyang | 2012-10-18 | 1 | -2/+2
  oe-core has changed task-* recipes to packagegroup-*, so we should
  follow this.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* tinylogin: create script wrappers for selinux | Xin Ouyang | 2012-10-18 | 1 | -0/+14
  Symlink can not execute with security contexts, so create script
  wrappers for tinylogin commands instead of symlinks.
  Also add tinylogin's login command as an alternative.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* lsof: version 4.86 for oe-core uprev. | Xin Ouyang | 2012-10-18 | 1 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* udev: initscript restore security context for /dev | Xin Ouyang | 2012-10-18 | 2 | -1/+89
  Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y for kernel to mount /dev
  with devtmpfs itself.
  With MLS policy, kernel is running in s15:c0.c1023 level, so /dev
  will be relabeled to this high level too. This will cause processes
  running with low levels to be unable to visit the /dev directory.
  So, we just run restorecon /dev to fix this.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* sysklogd: initscripts restorecon for log devices | Xin Ouyang | 2012-10-18 | 2 | -0/+144
  sysklogd would create /dev/log and create log files in /var/log with
  the default security contexts while starting. So we should restore
  the correct security contexts.
  The initscript file is from oe-core, and add these lines after the
  start action.
      test ! -x /sbin/restorecon || \
          /sbin/restorecon -R /dev/log /var/log/
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* initscripts: restorecon after populate-volatile | Xin Ouyang | 2012-10-18 | 2 | -0/+205
  populate-volatile.sh creates new directories in /var/volatile/ while
  booting, so we should restore the security contexts in it.
  Also touch /var/log/lastlog to set correct security contexts.
  populate-volatile.sh is imported for oe-core, and add these two lines
  at the end.
      touch /var/log/lastlog
      test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libpam: add pam-plugin-selinux to RDEPENDS | Xin Ouyang | 2012-10-18 | 1 | -1/+3
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* shadow: pam config for login to use pam_selinux module | Xin Ouyang | 2012-10-18 | 2 | -1/+101
  login should use pam_selinux module to label security contexts of
  processes while logging into the system.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: add pam config for newrole/run_init | Xin Ouyang | 2012-10-18 | 4 | -9/+52
  Also fix missing RDEPENDS for setools-*
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* openssh: enable pam and selinux. | Xin Ouyang | 2012-10-18 | 3 | -1/+146
  sshd_config file from oe-core to set "UsePAM yes".
  sshd file (pam config for sshd) from oe-core to add pam_selinux module.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: xconsole_device_t as a dev_node | Xin Ouyang | 2012-10-18 | 2 | -0/+28
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: add poky specific rules for packages. | Xin Ouyang | 2012-10-18 | 11 | -0/+735
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: Fix specific file contexts for poky | Xin Ouyang | 2012-10-18 | 8 | -2/+245
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: uprev to version 2.20120725. | Xin Ouyang | 2012-10-18 | 7 | -1554/+14
  Patches are migrated or dropped for new version.
    * poky-fc-etc_init.d.patch: dropped because
      file_contexts.subs_dist is defined instead.
    * fix-mount-to-write-mountpoints-dirs.patch: dropped because the
      rules are not needed now.
    * poky-fc-update-alternatives_sysvinit.patch: migrated.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libcap-ng: pythonnative, add swig-native depend | Xin Ouyang | 2012-10-15 | 2 | -8/+6
  libcap-ng needs native python during do_configure, and native swig
  during do_compile, so add them.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: disable QA checks for fixfiles. | Xin Ouyang | 2012-10-11 | 2 | -2/+6
  fixfiles in /sbin would run some /usr/bin binaries to cause these QA
  warnings.
      WARNING: Shell scripts in base_bindir and base_sbindir should
      not reference anything in exec_prefix
  Since fixfiles is installed into /sbin in most Linux distros,
  changing this path may cause runtime errors for some hard coded
  binaries.
  So, disable unsafe-references-in-scripts QA checks.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* audit: fix package issues. | Xin Ouyang | 2012-10-11 | 1 | -9/+20
  Rename two packages and change files in them.
    * audit-libs -> audit : main package, for libraries
    * audit -> auditd : for daemon binaries
  Libraries are changed to install into ${base_libdir}.
  The two fixes are used to fix QA issues and fit the Debian policy.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libselinux: fix Public Domain license warning. | Xin Ouyang | 2012-10-09 | 2 | -4/+4
  The "Public Domain" license now has a common license file placed as
  PD in Poky/oe-core, so fix this.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux recipes: inherit pythonnative | Xin Ouyang | 2012-09-26 | 5 | -10/+14
  With new changes in oe-core, recipes which need python-native should
  "inherit pythonnative".
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: fix build with pam DISTRO_FEATURE | Xin Ouyang | 2012-09-24 | 2 | -4/+4
  If no pam DISTRO_FEATURE, policycoreutils should not build with
  libpam headers and libraries.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* setools: inherit pythonnative | Xin Ouyang | 2012-09-20 | 1 | -3/+3
  With new changes in oe-core, recipes which need python-native should
  "inherit pythonnative".
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* audit-2.2.1: copy bits/socket_type.h only if it exists | Xin Ouyang | 2012-09-07 | 1 | -2/+6
  eglibc-2.16 splits enum __socket_type from bits/socket.h to
  bits/socket_type.h, so old eglibc does not have bits/socket_type.h.
  We should copy it only if it exists.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* rpm: fix depend for selinux enabled | Xin Ouyang | 2012-08-21 | 1 | -2/+2
  The depends should be:
      libsepol -> libselinux -> libsemanage -> rpm
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* pam-1.1.6: fix wrong path for sepermit module | Xin Ouyang | 2012-08-21 | 2 | -1/+37
  Fix this error:
  ===================
  | mkdir -p /var/run/sepermit
  | mkdir: cannot create directory `/var/run/sepermit': Permission denied
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-task: add necessary packages for selinux | Xin Ouyang | 2012-08-21 | 1 | -0/+4
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libpam: change to 1.1.6 for poky master. | Xin Ouyang | 2012-08-20 | 1 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: rewrite DEPENDS for libcap-ng&libcgroup&pam | Xin Ouyang | 2012-08-17 | 1 | -2/+2
  EXTRA_DEPENDS is still not null while building native packages, this
  will add useless depends for libcap-ng&libcgroup&pam and cause build
  errors.
  So rewrite these DEPENDS.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libselinux: Fix indent warning for python codes. | Xin Ouyang | 2012-08-17 | 2 | -10/+10
  Fix these warnings:
  ===================
  WARNING: Variable get_git_policyconfigarch contains tabs, please remove these(....)
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* audit-2.2.1: Add bits/socket_type.h from target libc-headers. | Xin Ouyang | 2012-08-17 | 1 | -0/+1
  We have copied some target kernel headers in 72fb6da. We may get
  build failures because of missing bits/socket_type.h on some hosts,
  so add it.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* findutils-4.4.2: suitable version of gnulib for selinux | Xin Ouyang | 2012-08-13 | 3 | -39/+61
  Add a suitable version of gnulib into SRC_URI, and run
  import-gnulib.sh to update it.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* Fetch selinux-at module from gnulib repo | Aws Ismail | 2012-08-10 | 3 | -1296/+41
  [ CQID: WIND00365962 ]
  Rather than following the approach in
  findutils-with-selinux-gnulib.patch, the import-gnulib configuration
  was modified to enable fetching the latest updates related to selinux
  support.
  Specifically, selinux-at module is now fetched in gnulib in order for
  it to be used by findutils if selinux is enabled.
  Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
* audit: inherit pythonnative | Xin Ouyang | 2012-08-03 | 2 | -2/+2
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* README: Update readme to conform to Yocto Project compliance guidelines | Mark Hatle | 2012-07-30 | 1 | -0/+37
  The compliance guidelines required:
      layers contain a README file which details the origin of the
      layer, its maintainer, where to submit changes, and any
      dependencies or version requirements
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* findutils-4.4.2: fix build failure while no selinux distro_feature. | Xin Ouyang | 2012-07-28 | 3 | -154/+278
  Current patches for selinux simply add selinux codes without
  conditional switches. And also, the gnulib patch is incomplete.
  These will cause build failures while we include selinux layers but
  do not specify selinux in DISTRO_FEATURES.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: remove format-security from CFLAGS. | Xin Ouyang | 2012-07-23 | 3 | -2/+35
  Remove -Wno-error=format-security from CFLAGS, and add a patch so we
  can build policycoreutils if -Werror=format-security is enabled.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* glib-2.0: new version 2.32.4 | Xin Ouyang | 2012-07-19 | 1 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: add policy patches for Yocto. | Xin Ouyang | 2012-07-19 | 4 | -0/+1591
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* kernel: bbappend to enable SELinux, v3.4. | Xin Ouyang | 2012-07-19 | 1 | -0/+7
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-task: add selinux-config | Xin Ouyang | 2012-07-19 | 1 | -0/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>