PYTHON_LDFLAGS is considered the full path of libpython2.7.so, and the
dirname of the .so file will be expanded into -L<DIR>. As a result,
the current PYTHON_LDFLAGS causes this compile result:
${CC} ... -L-LXXX/tmp/sysroots/qemux86-64/usr/lib64
-L-lapol -lqpol -o _sesearch.so
So "-lapol" is ignored; fix this.
CQID: WIND00400717
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Two patches to fix these two issues:
* Current policy has incomplete allow rules for selinux utils to
manage selinux config files and policy store.
* auditd_log_t (/var/log/audit/audit.log) is also placed in
var_log_t, so add related rules.
CQID: WIND00396415
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
CQID: WIND00399962
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
audit admin tools and daemons should install to base_sbindir, so
they can get correct security labels after selinux restorecon
command.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sed-4.2.2 now has a new configure option --with-selinux,
so inherit the with-selinux bbclass.
Also, remove the patch since the new version fixes the issue.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
--with-selinux is considered an unrecognized option during
do_configure, so change it to --enable-selinux.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core adds an exit handler to read/write the python command history file
(~/.python-history). There are no allow rules for every user&role
to create/read/write ~/.python-history, and it is also
improper to add rules because these rules would blow up the
user&role's scope of authority.
So disable the handler if selinux is enabled.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add user_tty_device_t as a customizable_type, so that restorecon -R
/dev will not complain about it or modify the security labels.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
- /etc -> ${sysconfdir}
- /usr/share -> ${datadir}
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
In the meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if the same commands are provided
by other packages.
passwd -> passwd.tinylogin
       -> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
CQID: WIND00397456
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add bbclasses only for target packages to enable selinux support,
not native/nativesdk/cross/crosssdk packages.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Create include files for selinux userspace packages:
* checkpolicy.inc
* libselinux.inc
* libsemanage.inc
* libsepol.inc
* policycoreutils.inc
* sepolgen.inc
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core has fixed this by commit
9a97367038a1e2431bf94211dabbc5aedbbee3bb
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Fix the hard-coded security type for /dev/null and /dev/console.
Check whether the rootfs supports xattrs before relabeling.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
libcgroup is placed in oe-core now:
http://git.openembedded.org/openembedded-core/commit/?id=6ef8e6f2f9b0583fa0881e0dfc52462405b21ede
So remove the bb files from meta-selinux and add a bbappend.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
et, gl, and id .po files contained no translations. This can cause
build errors. Delete those puppies.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
"-Wa,--noexecstack" will mark objects as requiring executable stack,
this is a dangerous CFLAG and would cause security issues.
So disable it as most distros did.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
This script will be installed as 0selinux-init, in runlevel S with
sequence number 0. It will start before any other init script.
* relabel /dev so that restorecon/fixfiles can run
* rebuild the policy and relabel the rootfs if /.autorelabel is placed.
* relabel the rootfs if it is the first boot.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core has changed task-* recipes to packagegroup-*, so we should
follow this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Symlinks cannot execute with security contexts, so create script
wrappers for tinylogin commands instead of symlinks.
Also add tinylogin's login command as an alternative.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y so that the kernel mounts
/dev with devtmpfs itself.
With the MLS policy, the kernel is running at the s15:c0.c1023 level, so /dev
will be relabeled to this high level too.
This will cause processes running at low levels to be unable to visit
the /dev directory.
So, we just run restorecon /dev to fix this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sysklogd would create /dev/log and create log files in /var/log
with the default security contexts while starting.
So we should restore the correct security contexts.
The initscript file is from oe-core, and these lines are added after
the start action.
test ! -x /sbin/restorecon || \
/sbin/restorecon -R /dev/log /var/log/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
populate-volatile.sh creates new directories in /var/volatile/ while
booting, so we should restore the security contexts in it.
Also touch /var/log/lastlog to set the correct security contexts.
populate-volatile.sh is imported from oe-core, and these two
lines are added at the end.
touch /var/log/lastlog
test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
login should use the pam_selinux module to label the security contexts of
processes while logging into the system.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Also fix missing RDEPENDS for setools-*
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
The sshd_config file is from oe-core, modified to set "UsePAM yes".
The sshd file (pam config for sshd) is from oe-core, modified to add the pam_selinux module.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>