Commit message | Author | Age | Files | Lines
...
* setools: fix incorrect PYTHON_LDFLAGS. | Xin Ouyang | 2013-01-24 | 1 | -2/+2
  PYTHON_LDFLAGS is considered as the full path of libpython2.7.so, dirname of the .so file will be expanded into -L<DIR>. As a result, current PYTHON_LDFLAGS causes this compile result:
      ${CC} ... -L-LXXX/tmp/sysroots/qemux86-64/usr/lib64 -L-lapol -lqpol -o _sesearch.so
  So "-lapol" is ignored, fix this.
  CQID: WIND00400717
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: policy fixes for seutils and auditd_log_t | Xin Ouyang | 2013-01-23 | 3 | -12/+104
  Two patches to fix these two issues:
  * Current policy has incomplete allow rules for selinux utils to manage selinux config files and policy store.
  * auditd_log_t (/var/log/audit/audit.log) is also placed in var_log_t, so add related rules.
  CQID: WIND00396415
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: file contexts for alternatives of shadow | Xin Ouyang | 2013-01-22 | 3 | -1/+36
  CQID: WIND00399962
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: inherit selinux | Xin Ouyang | 2013-01-22 | 1 | -5/+5
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* audit: admin tools&daemons install to base_sbindir | Xin Ouyang | 2013-01-22 | 3 | -39/+7
  audit admin tools and daemons should install to base_sbindir, so they can get correct security labels after selinux restorecon command.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* sed: inherit with-selinux for new version | Xin Ouyang | 2013-01-19 | 2 | -76/+2
  sed-4.2.2 now has new configure option --with-selinux, so inherit with-selinux bbclass.
  Also, remove the patch since new version fixes the issue.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* packages: uprev bbappends to fit oe-core | Xin Ouyang | 2013-01-19 | 4 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* glib-2.0: config option should be --enable-selinux | Xin Ouyang | 2013-01-18 | 1 | -2/+2
  --with-selinux is considered as unrecognized option while do_configure, so change it to --enable-selinux.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* python: disable exit handler to rw history file | Xin Ouyang | 2013-01-18 | 2 | -0/+31
  oe-core adds an exit handler to rw python command history file (~/.python-history).
  There are no allow rules for every user&role to use create/read/write ~/.python-history, and it is also improper to add rules because these rules would blow up the user&role's scope of authority.
  So disable the handler, if selinux enabled.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: add user_tty_device_t into customizable_types | Xin Ouyang | 2013-01-09 | 2 | -0/+10
  Add user_tty_device_t as a customizable_type, so that restorecon -R /dev will not complain about it or modify the security labels.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: change hard-coded paches | Xin Ouyang | 2013-01-09 | 1 | -10/+10
  - /etc -> ${sysconfdir}
  - /usr/share -> ${datadir}
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* tinylogin: add passwd alternative | Xin Ouyang | 2013-01-07 | 1 | -2/+3
  In meta-selinux layer, tinylogin links are installed as script wrappers instead of symlinks to get their security labels. So, they should use alternatives if there are same commands provided by other packages.
  passwd -> passwd.tinylogin -> passwd.shadow
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* audit: enable auditd service for default runlevels | Xin Ouyang | 2013-01-07 | 1 | -2/+6
  CQID: WIND00397456
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux.bbclass: nativesdk- prefix to fit oe-core master. | Xin Ouyang | 2013-01-07 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* packages: inherit selinux | Xin Ouyang | 2013-01-05 | 5 | -14/+24
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* packages: inherit with-selinux | Xin Ouyang | 2013-01-05 | 12 | -54/+24
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* packages: inherit enable-selinux | Xin Ouyang | 2013-01-05 | 5 | -23/+11
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* layer: add selinux/audit bbclasses | Xin Ouyang | 2013-01-05 | 5 | -0/+30
  Add bbclasses only for target packages to enable selinux support, not native/nativesdk/cross/crosssdk packages.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux packages: create include files. | Xin Ouyang | 2013-01-05 | 19 | -485/+285
  Create include files for selinux userspace packages:
  * checkpolicy.inc
  * libselinux.inc
  * libsemanage.inc
  * libsepol.inc
  * policycoreutils.inc
  * sepolgen.inc
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libsemanage: fix path length limits. | Xin Ouyang | 2012-12-25 | 3 | -8/+38
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* sed: fix parallel compile error with libselinux | Xin Ouyang | 2012-12-19 | 2 | -0/+75
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* util-linux: fix build failures for version 2.22.1. | Xin Ouyang | 2012-12-12 | 3 | -16/+31
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: install init script under /etc/init.d/ | Roy.Li | 2012-12-12 | 2 | -2/+4
  Signed-off-by: Roy.Li <rongqing.li@windriver.com>
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libcgroup: remove the SRC_URI to fit oe-core | Xin Ouyang | 2012-12-11 | 1 | -3/+1
  oe-core has fixed this by commit 9a97367038a1e2431bf94211dabbc5aedbbee3bb
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* glib-2.0,util-linux: uprev to oe-core version. | Xin Ouyang | 2012-12-05 | 2 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libcgroup: fix hard coded /lib to ${base_libdir} | Xin Ouyang | 2012-12-05 | 1 | -4/+4
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* checkpolicy+libsemanage: flex+bison native depends | Xin Ouyang | 2012-11-29 | 4 | -8/+8
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* glib-2.0/psmisc: uprev to oe-core version | Xin Ouyang | 2012-11-27 | 2 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: standard/mls policy should set UBAC=n | Xin Ouyang | 2012-11-26 | 3 | -2/+5
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy: fix policy to allow nfsd works. | Xin Ouyang | 2012-11-26 | 4 | -2/+72
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-config: update the init script | Xin Ouyang | 2012-11-19 | 2 | -11/+41
  Fix the hard-coded security type for /dev/null and /dev/console.
  Check rootfs if support xattrs before do relabel.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* refpolicy*: make to use pythonnative | Xin Ouyang | 2012-11-08 | 3 | -3/+3
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* udev: uprev to oe-core version 182. | Xin Ouyang | 2012-11-07 | 1 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libcgroup: add bbappend and remove bb files | Xin Ouyang | 2012-11-07 | 3 | -189/+14
  libcgroup is placed in oe-core now.
  http://git.openembedded.org/openembedded-core/commit/?id=6ef8e6f2f9b0583fa0881e0dfc52462405b21ede
  So remove bb files from meta-selinux and add bbappend.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: backport to remove empty po files | Xin Ouyang | 2012-11-01 | 3 | -2/+3813
  et, gl, and id .po files contained no translations. This can cause build errors. Delete those puppies.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* kernel: default enable selinux for this layer. | Xin Ouyang | 2012-10-18 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* setools: add libxml2 DEPENDS. | Xin Ouyang | 2012-10-18 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* openssl: disable execstack in CFLAG | Xin Ouyang | 2012-10-18 | 1 | -0/+3
  "-Wa,--noexecstack" will mark objects as requiring executable stack, this is a dangerous CFLAG and would cause security issues. So disable it as most distros did.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* selinux-config: add init script | Xin Ouyang | 2012-10-18 | 2 | -2/+53
  This script will be installed as 0selinux-init, in runlevel S and sequence number 0. It will start before any other init script.
  * relabel /dev for restorecon/fixfiles running
  * rebuild policy and relabel the rootfs if /.autorelabel placed.
  * relabel the rootfs if it is first booting.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* document: add FAQ file for selinux | Xin Ouyang | 2012-10-18 | 1 | -0/+146
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* core-image-selinux: update task-* to packagegroup-* | Xin Ouyang | 2012-10-18 | 1 | -2/+2
  oe-core has changed task-* recipes to packagegroup-*, so we should follow this.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* tinylogin: create script wrappers for selinux | Xin Ouyang | 2012-10-18 | 1 | -0/+14
  Symlink can not execute with security contexts, so create script wrappers for tinylogin commands instead of symlinks.
  Also add tinylogin's login command as an alternative.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* lsof: version 4.86 for oe-core uprev. | Xin Ouyang | 2012-10-18 | 1 | -0/+0
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* udev: initscript restore security context for /dev | Xin Ouyang | 2012-10-18 | 2 | -1/+89
  Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y for kernel to mount /dev with devtmpfs itself.
  With MLS policy, kernel is running in s15:c0.c1023 level, so /dev will be relabeled to this high level too. This will cause processes running with low levels can not visit /dev directory.
  So, we just run restorecon /dev to fix this.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* sysklogd: initscripts restorecon for log devices | Xin Ouyang | 2012-10-18 | 2 | -0/+144
  sysklogd would create /dev/log and create log files in /var/log with the default security contexts while starting. So we should restore the correct security contexts.
  The initscript file is from oe-core, and add these lines after the start action.
      test ! -x /sbin/restorecon || \
          /sbin/restorecon -R /dev/log /var/log/
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* initscripts: restorecon after populate-volatile | Xin Ouyang | 2012-10-18 | 2 | -0/+205
  populate-volatile.sh creates new directories in /var/volatile/ while booting, so we should restore the security contexts in it. Also touch /var/log/lastlog to set correct security contexts.
  populate-volatile.sh is imported for oe-core, and add these two lines at the end.
      touch /var/log/lastlog
      test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* libpam: add pam-plugin-selinux to RDEPENDS | Xin Ouyang | 2012-10-18 | 1 | -1/+3
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* shadow: pam config for login to use pam_selinux module | Xin Ouyang | 2012-10-18 | 2 | -1/+101
  login should use pam_selinux module to label security contexts of processes while login into system.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* policycoreutils: add pam config for newrole/run_init | Xin Ouyang | 2012-10-18 | 4 | -9/+52
  Also fix missing RDEPENDS for setools-*
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
* openssh: enable pam and selinux. | Xin Ouyang | 2012-10-18 | 3 | -1/+146
  sshd_config file from oe-core to set "UsePAM yes".
  sshd file (pam config for sshd) from oe-core to add pam_selinux module.
  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>