| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The libpcre has been upgrade to 8.34 in oe-core, but since we were still
using PRINC until now, we'll need to keep it around (in a PR form), so set
it to something suitably large that it's unlikely to break anyone's
package feed and so that it shows it's clearly an exception case.
Obviously this is just a staging activity until the next update when we
don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
For small policy modules it's not necessary to walk the hierarchy on load.
On embedded devices that are low-powered or resource-constrained disabling
the hierarchy processing can make the difference between seconds and
(many) minutes of load time (or being able to load the policy at all).
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix python error about:
File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log
message += " sename=" + sename
TypeError: cannot concatenate 'str' and 'NoneType' objects
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
The sepolicy, seobject modules raise many unprocessed ValueError, just
process them in semanage to make the script proivdes error message but
not error trace.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add initial version for setrans.conf:
- setrans-mls.conf: copied from \
policycoreutils/mcstrans/share/examples/default/setrans.conf
- setrans-mcs.conf: copied from radhat policy.
This fixes below issue:
$ chcat -L
IOError: No such file or directory: \
'/etc/selinux/$POLICY_NAME/setrans.conf'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Audit System Call needs kernel and user space support.
In user space it needs system call table for ARM. It also needs a
configure option --with-armeb for build audit. Audit system call also
needs enable kernel config CONFIG_AUDITSYSCALL.
Signed-off-by: Han Chao <chan@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
This SELinux policy would targeted most of service domains for lock
down, and users and admins will login in with unconfined_t domain.
So they would have the same access to the system as if SELinux was not
enabled, when running commands and services which are not targeted.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Various components were failing, and upon investigation it was noted
that the audit.rules file referenced by the initscript wasn't available.
There was however a copy under the rules.d directory. Investigating
the audit.spec file (which in the upstream source) showed that it was
expected that the version in the rules.d should be copied into
/etc/audit.
Do this and correct the systemd services file to use the same file.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
mesa builds a host utility named builtin_compiler,
and that needs selinux, too, if --enable-selinux is
specfied to configure.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
The semanage utility requires python-compression (for "import gzip")
and python-xml (for "import xml.etree.ElementTree").
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
In policy_scan.l file, we have already removed all references to yywrap by
adding "%option noyywrap" statements to each flex source file that doesn't
override yywrap. After this, we no longer need to link against libfl and so
no longer get errors about undefined references to yylex.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
The patch policycoreutils-revert-run_init-open_init_pty.patch
is only for refpolicy version older than 2.20120725, now the
refpolicy is updated to 2.20130424 so drop the patch or it
will make run_init fail to start some init scripts.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
When modifying an selinux login record, seobject.py,
may try to log a value, self.sename, which has been preset to "None"
and this will fail. So, we set it to something useful.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
The patch is backported from upstream.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
A ordinary use should not to access auditd configuration files
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
Audit unit file is from https://fedorahosted.org/audit/browser/trunk/init.d/auditd.service
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
packagegroup-core-basic has been renamed to packagegroup-full-cmdline,
update our core-image-selinux.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The value was defined as:
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
and changed it to:
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
becase the bb that inherit this overwrites the PV every time,
changing its name.
Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva@enea.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
ftpwho is installed into /usr/bin, not /usr/sbin.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-core/libcgroup/libcgroup_%.bbappend
delete mode 100644 recipes-core/libcgroup/libcgroup_0.38.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-extended/sudo/sudo_%.bbappend
delete mode 100644 recipes-extended/sudo/sudo_1.8.8.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-graphics/xcb/libxcb_%.bbappend
delete mode 100644 recipes-graphics/xcb/libxcb_1.9.3.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-core/busybox/busybox_%.bbappend
delete mode 100644 recipes-core/busybox/busybox_1.21.1.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
| |
The default policy version of new selinux toolchains is 29, to
fit kernel 3.10.x, set it to 28.
|
| |
|
|
|
|
|
|
|
| |
New 2.2 release of libsemanage removes policy.kern and replace with
symlink from Dan Walsh. It is a host path while cross-compiling, so
fix this path.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
|
|
|
| |
Sync with the latest init file from poky as of 01262014:
oe-core commit: ae819671489a22bfdda11210ff620f564aa9b24b
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
|
|
| |
Don't override DEPENDS for target build, the "audit" should be appended
to it.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Oe-core has chnaged the udevadm path, current path will causes failure:
udevd[102]: starting version 182
/etc/rcS.d/S04udev: line 106: /usr/bin/udevadm: No such file or directory
Fix as oe-core commit: cc0f22cd1e93cc25647add1a3339e150572e4fce
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
* native tools don't need audit support;
* audit 2.3.2 or laters require kernel headers >= 2.6.30, this causes
audit-native can't be built on some older distributions.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
This reverts commit 146bd8c6bc3bc0e9e96a8517263f28f7915b871d.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
We are using the latest version for selinux userspace packages, so
remove the PREFERRED_VERSION configs.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
