Commit message | Author | Age | Files | Lines
...
* refpolicy: Replace 2.2014120 with release 2.20151208. | Philip Tricca | 2016-03-21 | 49 | -75/+31
  This was mostly straight forward. Had to refresh a single patch:
  poky-policy-fix-new-SELINUXMNT-in-sys.patch

  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: procattr fixes | Stephen Smalley | 2016-03-17 | 3 | -0/+89
  selinux upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c and
  f77021d720f12767576c25d751c75cacd7478614

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: Only mount /proc if necessary | Stephen Smalley | 2016-03-17 | 2 | -0/+55
  selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy: Add support for the SYSTEMD build.conf option. | Stephen Smalley | 2016-03-17 | 1 | -0/+2
  refpolicy has introduced a new build.conf option, SYSTEMD=y, to enable rules specific to using systemd as the init system. In particular, without setting this option, rules for direct domain transitions from init_t to daemon domains are not included in the policy.

  Define a POLICY_SYSTEMD variable in the refpolicy common include file that can be set elsewhere to enable this support.

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* refpolicy: update for change in libsemanage 2.5 | Stephen Smalley | 2016-03-17 | 1 | -2/+2
  libsemanage 2.5 renamed /var/lib/selinux/tmp to /var/lib/selinux/final; update the refpolicy recipe accordingly.

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* Delete include files for 20140506 and 20150202 releases. | Stephen Smalley | 2016-03-17 | 2 | -10/+0
  These include files are no longer used by any .bb files.

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* secilc: Add recipe | Stephen Smalley | 2016-03-17 | 2 | -0/+18
  SELinux Common Intermediate Language (CIL) policy compiler

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* sepolgen: uprev to 1.2.3 (20160223) | Stephen Smalley | 2016-03-17 | 2 | -7/+7
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* policycoreutils: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 5 | -123/+26
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* checkpolicy: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 3 | -8/+8
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsemanage: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 3 | -29/+29
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: uprev to 2.5 (20160223) | Stephen Smalley | 2016-03-17 | 4 | -145/+35
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsepol: uprev to 2.5 (release 20160223) | Stephen Smalley | 2016-03-17 | 2 | -9/+9
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* Add include file for the 20160223 SELinux userspace release. | Stephen Smalley | 2016-03-17 | 1 | -0/+5
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* net-tools: Rebase netstat-selinux-support.patch | Adrian Dudau | 2016-03-16 | 1 | -27/+28
  Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* rpm: Upgrade to version 5.4.16, rebase SELinux build patch. | Philip Tricca | 2016-03-16 | 2 | -12/+8
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* audit: upgrade 2.4.4 -> 2.5 | T.O. Radzy Radzykewycz | 2016-03-06 | 3 | -78/+10
  * rebase patch audit-python-configure.patch
  * remove audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch as it had already been applied upstream
  * 2.5 includes miscellaneous enhancements and fixes:

  2.5
  - Make augenrules the default method to load audit rules
  - Put rules in its own directory and break out rules into groups
  - Have auditd do a fsync before closing log
  - Make default flush setting larger
  - In auparse. terminate the generated strings (Burn Alting)
  - In auditd, add incremental_async flushing mode
  - Clean up dangling fields in DAEMON events
  - Add audit by process name support to auditctl (Richard Briggs)
  - Relax permissions on systemd files
  - Fix auparse to handle interlaced events (Burn Alting)
  - Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)

  2.4.5
  - Fix auditd disk flushing for data and sync modes
  - Fix auditctl to not show options not supported on older OS
  - Add audit.m4 file to aid adding support to other projects
  - Fix C99 inline function build issue
  - Add account lock and unlock event types
  - Change logging loophole check to geteuid()
  - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
  - Fix ausearch to parse FEATURE_CHANGE events

  ( From http://people.redhat.com/sgrubb/audit/ChangeLog )

  Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* udev: Rename udev bbappend to eudev. | Philip Tricca | 2016-03-06 | 3 | -4/+2
  Required by switch to eudev in oe-core. Dropping PR since this is effectively a new recipe.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
* at: drop obsolete SELinux patch | Stephen Smalley | 2016-03-03 | 2 | -190/+0
  SELinux support was merged upstream in at-3.1.18, so this patch no longer applies and is not needed.

  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* libselinux: backport procfs mount fix | Ioan-Adrian Ratiu | 2016-02-28 | 3 | -0/+76
  libselinux 20160107 ships this change (git commit id 9df49888)

  Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* findutils: Up-rev findutils 4.5.% to 4.6.% | Philip Tricca | 2016-02-27 | 1 | -0/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* e2fsprogs: Copy xattr for filesystem root directory. | Philip Tricca | 2016-02-27 | 2 | -0/+39
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* linux-yocto: Use wildcard in 4.x bbappend. | Philip Tricca | 2016-02-27 | 1 | -0/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsemanage: fix libsepol.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+30
  ERROR: libsemanage-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: fix libselinux.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+30
  ERROR: libselinux-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsepol: fix libsepol.pc failed sanity test | Robert Yang | 2016-02-27 | 3 | -0/+32
  ERROR: libsepol-2.4-r0 do_populate_sysroot: QA Issue: libsepol.pc failed sanity test (tmpdir) in path /path/to//sysroot-destdir//usr/lib/pkgconfig [pkgconfig]

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* e2fsprogs: Superseded by upstream. | Philip Tricca | 2016-02-27 | 6 | -930/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* linux-yocto: Remove recipe for 3.14 and 3.19 kernel. | Thomas Perrot | 2016-02-27 | 2 | -16/+0
  Signed-off-by: Thomas Perrot <thomas.perrot@tupi.fr>
  Signed-off-by: Philip Tricca <flihp@twobit.us>
* MAINTAINERS: Update maintainers file [jethro] | Joe MacDonald | 2016-02-22 | 1 | -1/+1
  Adding Philip Tricca as a common layer maintainer and marking Pascal as away.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: upgrade 2.4.3 -> 2.4.4 | Wenzong Fan | 2015-11-27 | 2 | -5/+6
  * rebase patch audit-python-configure.patch
  * 2.4.4 includes CVE-2015-5186 and bug fixes, details refer to:
    http://people.redhat.com/sgrubb/audit/ChangeLog

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-image: Fix RE error getting POL_TYPE | George McCollister | 2015-11-27 | 1 | -1/+1
  Change [:space:] to [[:space:]]. [:space:] is incorrect and is treated as a list of characters. Prior to this change having a policy of 'standard' resulted in POL_TYPE being set to 'tandard'.

  Change the regular expression to match from the beginning of the line since correcting the [:space:] error causes the '# SELINUXTYPE= can take one of these values:' line to match.

  Signed-off-by: George McCollister <george.mccollister@gmail.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-git: Refresh poky-policy-fix-new-SELINUXMNT-in-sys.patch. | Philip Tricca | 2015-11-27 | 1 | -75/+25
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Break handling of /.autorelabel out into separate script. | Philip Tricca | 2015-11-27 | 5 | -14/+43
  Fixup DESCRIPTION in old selinux-init recipe. Exclude this autorelabel script from the minimal packagegroup.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Break labeling of /dev out into separate script. | Philip Tricca | 2015-11-27 | 6 | -11/+43
  Remove selinux-init package from packagegroup-selinux-minimal.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Move script logic into include. | Philip Tricca | 2015-11-27 | 2 | -21/+28
  This will be useful when we have other init scripts.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-config: Separate init script into new recipe. | Philip Tricca | 2015-11-27 | 5 | -13/+40
  Add runtime dependencies for init script.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: update prepare_policy_store | Wenzong Fan | 2015-11-27 | 1 | -11/+30
  * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the logic is from refpolicy_common.inc but with minimum set of policy modules;
  * add extra policy modules that required by sysnetwork, without those modules the install process will fail with error:

    | Failed to resolve roletype statement at 62 of \
      .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
    | Failed to resolve ast
    | semodule: Failed!

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-targeted: rebase patches | Wenzong Fan | 2015-11-27 | 2 | -41/+56
  rebase patches against latest git sources:
  * refpolicy-fix-optional-issue-on-sysadm-module.patch
  * refpolicy-unconfined_u-default-user.patch

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: DEPENDS on flex-native | Robert Yang | 2015-10-22 | 1 | -0/+2
  Fixed when build libsepol-native:
  /bin/sh: 1: flex: not found

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: fix exit code issue of bzip2 | Wenzong Fan | 2015-10-22 | 1 | -1/+1
  'bzip2 -qt $moudle_name.pp' has different exit codes on different distributions, for example:

  * On Redhat/CentOS/Fedora, OpenSUSE:

      $ bzip2 -qt /tmp/tor.pp
      bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
      $ echo $?
      0

    This causes install errors:

      unzip2: /path/to/*.pp is not a bzip2 file.
      libsepol.module_package_read_offsets: module package header truncated
      Failed to read policy package

  * Ubuntu has fixed it:

      $ bzip2 -qt /tmp/tor.pp
      bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
      $ echo $?
      2

  The difference involved by '-q' options, remove it would get the bzip2 works consistently.

  bzip2-native has the same issue, anyway it should be fixed separately.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libcap-ng: remove package | Wenzong Fan | 2015-10-22 | 2 | -98/+0
  libcap-ng 0.7.7 has been added to oe-core:
  ad509d7644803ff9386affefe2ec1a3664027074

  No change need to port.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* swig: remove package | Wenzong Fan | 2015-10-22 | 4 | -204/+0
  swig 3.0.6 has been added to oe-core:
  66923c6776da13bd4513a73c3f7c5e60d74eb0f3

  No change need to port.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: SRCREV_FORMAT needed | Joe Slater | 2015-10-22 | 1 | -0/+1
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit/auvirt: get inline functions work with both gnu89 & gnu11 | Wenzong Fan | 2015-09-21 | 2 | -0/+72
  After gcc upgraded to gcc5, and if the codes are compiled without optimization (-O0), and the below error will happen:

    auvirt.c:484: undefined reference to `copy_str'
    auvirt.c:667: undefined reference to `is_resource'
    collect2: error: ld returned 1 exit status

  gcc5 defaults to -std=gnu11 instead of -std=gnu89, and it requires that exactly one C source file has the callable copy of the inline function. Consider the following program:

    inline int foo (void) { return 42; }
    int main (void) { return foo (); }

  The program above will not link with the C99 inline semantics, because no out-of-line function foo is generated. To fix this, either mark the function foo as static, or add the following declaration:

    static inline int foo (void);

  More information refer to: https://gcc.gnu.org/gcc-5/porting_to.html

  Note: using "extern inline" will fail to build with gcc4.x, so replace inline with "static inline".

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Update policy install and bootstrap process for CIL. | Philip Tricca | 2015-09-17 | 1 | -14/+26
  The policy modules are now installed into /var/lib/selinux instead of /etc/selinux. Policies now have priorities. This is represented as part of the path under /var/lib/selinux.

  The new intermediate policy representation requires that we install the policy package as 3 files (hll, cil & lang_ext) instead of just the *.pp as before. The cil is generated from the hll (the pp file) using the new 'pp' utility.

  The base policy module now lives with all of the other modules. policy.kern has gone away.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* setools: Add patch to support 2.4 toolstack. | Philip Tricca | 2015-09-17 | 3 | -35/+115
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutuils: Bump version to 2.4. | Philip Tricca | 2015-09-17 | 3 | -5/+83
  This integrates the new hll tool for compiling pp files into cil. The hack to stage pp into the sysroot is a bit weird but the libexec dir seems to be something bitbake doesn't account for.

  Had to pull one patch from upstream to build the MLS policy. This fixes an error where the auditadm_r and secadm_r roles end up defined twice in the CIL.

  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: Bump version to 2.4. | Philip Tricca | 2015-09-17 | 2 | -14/+13
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: Bump version to 2.4. | Philip Tricca | 2015-09-17 | 2 | -7/+7
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: Bump version to 2.4. | Philip Tricca | 2015-09-17 | 1 | -3/+3
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>