| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
An updated version of the patch to drop linking against libfl was
required.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
| |
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |\
| |
| |
| | |
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| | |
Update to the latest stable release, 20140506.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
dhcp 4.3 has no selinux related configuration options, but it needs the
correct initscript when SELinux is enabled, so inherit selinux, not
inherit with-selinux
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Based on oe-core commit:
commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
Author: Otavio Salvador <otavio@ossystems.com.br>
Date: Thu Apr 24 15:59:20 2014 -0300
Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to not
use it in OE-Core so we can remove it from base metadata in future.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Original refpolicy install compressed policy modules to policy store,
but leave datadir ones uncompressed. After, a "compressed_policy" distro
feature is added for compressing the datadir ones.
This simple mechanism is unworthy for a distro feature, just clear it
and use compressed policy modules by default.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Original prepare_policy_store() has a naming bug for
compressed_policy, fix that and let prepare_policy_store() back.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Now that the updated refpolicy core variants are available, remove the
previous recipe and patches.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| | |
A simple forward-port of refpolicy-minimum to use the 20140311 base
refpolicy.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A simple forward-port of refpolicy-targeted to use the 20140311 base
refpolicy. Now that the updated refpolicy core variants are available,
remove the previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
A straight update from refpolicy 2.20130424 to 2.20140311 for the core
policy variants and forward-porting of policy patches as appropriate. Now
that the updated refpolicy core variants are available, remove the
previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
dhcp 4.3 has no selinux related configuration options, but it needs the
correct initscript when SELinux is enabled, so inherit selinux, not
inherit with-selinux
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on oe-core commit:
commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
Author: Otavio Salvador <otavio@ossystems.com.br>
Date: Thu Apr 24 15:59:20 2014 -0300
Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to not
use it in OE-Core so we can remove it from base metadata in future.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
Trac has been turned off on OSS. Update all SRC_URI links for the
userspace components to point at the github project releases. The github
releases also have a slightly different directory structure in the
tarballs, requiring an update of the checksums as well.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
* CONFIG_SECURITY=y
* CONFIG_SECURITYFS=y
Signed-off-by: Zhenhua Luo <zhenhua.luo@freescale.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Split do_install() to:
+ prepare_policy_store()
+ rebuild_policy()
+ install_misc_files()
This allows to make partial change to do_install() instead of re-write
it totally from specific refpolicy bb file.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions,
and executes programs in a way that changes the relationship between the
setuid system call and the getresuid saved set-user-ID value, which makes
it easier for local users to gain privileges by leveraging a program that
mistakenly expected that it could permanently drop privileges.
Pick a patch from below link to address the CVE-2014-3215.
https://bugzilla.redhat.com/attachment.cgi?id=829864
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Remove PR, since oe-core has a new version.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Remove PR, since oe-core has a new version.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adapted from the original patch submitted to meta-oe for swig 2.0.12.
OE-core commit 5870bd272b0b077d0826fb900b251884c1c05061 sabotaged the
binconfig way.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
There are two versions of gnupg so limit the wildcard to the 2.x series
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dhcp-server fails to start with avc denied error:
avc: denied { read } for pid=571 comm="dhcpd" \
name="dhcpd.leases" dev="hda" ino=63911 \
scontext=system_u:system_r:dhcpd_t:s0-s15:c0.c1023 \
tcontext=system_u:object_r:dhcp_state_t:s0 tclass=file
The type for dhcpd.leases is not correct, just fix it before dhcp-
server started.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
devpts use file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of expected systemlow(s0).
This will block login shells to search PTYs, so use restorecon to fix
this.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
Start point to make SELinux specific changes in devpts.sh, copied from
oe-core layer.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Avoid policy_scan.c: No such file or directory
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix the avc denied issue:
type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2
The patch is backported from upstream
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
The file contexts for /run is incorrect while running checkroot.sh
in boot time which causes mount fail to create new dir and file
in /run, so restore the security contexts in it.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
The default kernel is now 3.14. Since the removal of PRINC support leaves
the 3.10 recipe in a difficult-to-work-with state, now seems like a good
time to move to the new kernel.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
