summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* gnupg: rename bbappend from 2.0.21 to 2.0.22Philip Tricca2013-12-041-0/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* mesa: rename bbappend from 9.1.6 to 9.2.2Philip Tricca2013-12-041-0/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* glib-2.0: rename bbappend from 2.38.0 to 2.38.1Philip Tricca2013-12-041-0/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux / libsemanage: work around FD_CLOEXEC and SOCK_CLOEXEC absenceJoe MacDonald2013-11-145-0/+113
| | | | | | | | | | | | | | | [ CQID: WIND00438478 ] [ CQID: WIND00439485 ] Turns out some of the truly old hosts don't even really recognize FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC. Work around each (define FD_CLOEXEC to something sensible, simply don't use SOCK_CLOEXEC, produce warnings in either event). Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libselinux / policycoreutils: optional O_CLOEXECJoe MacDonald2013-11-144-0/+152
| | | | | | | | | | | [ CQID: WIND00438478 ] We still have hosts that pre-date the inclusion of O_CLOEXEC (Linux 2.6.23) so compile the flag out when building on classic distros. Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* refpolicy-standard: Use default variables from refpolicy_common.incPhilip Tricca2013-11-061-8/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy-mls: Use default variables from refpolicy_common.incPhilip Tricca2013-11-061-12/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy-mcs: Use default variables from refpolicy_common.incPhilip Tricca2013-11-061-10/+0
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Move common POLICY_* variables to refpolicy_common.incPhilip Tricca2013-11-061-0/+12
| | | | | | | | Use default assignment to allow variables to be overriden by recipes that include refpolicy_common.inc Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add recipe to build the MCS refpolicy.Philip Tricca2013-10-301-0/+23
| | | | | | | | This is the default policy type used by most (all?) distros that support SELinux. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* audit: address x-compile issuesJoe MacDonald2013-10-231-416/+2933
| | | | | | | | | The previous approach works well for modern hosts but older ones still require the pre-gen'd header files to behave nicely in a x-compile environment. So we generate them, patch them in and remove the bits of the Makefile that may take it upon itself to re-gen them again. Signed-off-by: Joe MacDonald <joe@deserted.net>
* glib-2.0: upgrade from version 2.36.4 to 2.38.0Philip Tricca2013-10-211-0/+0
| | | | Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add packagegroup for policycoreutils packages.Philip Tricca2013-10-152-3/+38
| | | | | | | | | | The policycoreutils package previously included most everything in the base package. This packagegroup is intended to fill the role of the old policycoreutils package and pull in all packages from the policycoreutils recipe. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add packagegroup and image recipe for minimal SELinux image.Philip Tricca2013-10-152-0/+41
| | | | | | | | | This is intended to demonstrate the minimal set packages necessary to boot and load a system with SELinux enabled. Specifically we don't need any of the packages that depend on python. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Remove runtime dependency on policycoreutils from the reference policy.Philip Tricca2013-10-151-1/+1
| | | | | | | | | The only thing refpol needs to depend on at runtime are the things necessary to load the policy. If sysvinit is patched to load the policy (which it is) then we only need the config. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Remove unnecessary RDEPENDS_${BPN}.Philip Tricca2013-10-151-15/+0
| | | | | | | | | | Now that the policycoreutuils package is empty no need for RDEPENDS. Doing this in the commit that broke up the policycoreutuils package made the diff hard to read. Figured it best to break it out for readability. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Break policycoreutils out into separate packages for the various utilities.Philip Tricca2013-10-151-10/+178
| | | | | | | | | | The driver beind this is to allow images to be built with the minimal tools necessary to load a policy. Breaking all of the stuff that's dependent on python out from the core utils allows us to make much smaller images. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* policycoreutils: avoid shell for checking target-special actionsMark Hatle2013-10-021-3/+1
| | | | | | | | do_install was modified to only do the special actions in the target case, instead of using shell to check what mode we were running in. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* setools: Uprev setoolsMark Hatle2013-10-022-2787/+10
| | | | | Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* README: Update statusMark Hatle2013-10-021-0/+6
| | | | | Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libcap-ng: Uprev libcap-ngMark Hatle2013-10-021-6/+3
| | | | | Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* audit: Uprev to audit 2.3.2Mark Hatle2013-10-026-2564/+234
| | | | | | | | Refactor the audit cross compiling patch. The new patch might have some minor host dependencies. If so, let me know! Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* swig: Update to latest swig from meta-openembeddedMark Hatle2013-10-024-16/+115
| | | | | | | | | | Updated from: git://git.openembedded.org/meta-openembedded/meta-oe/recipes-devtools/swig As of commit 1d536390dcafe4d539335dec2173aa9ddc3d8b51 Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* python-ipy: Uprev to latest 0.81 versionMark Hatle2013-10-021-4/+2
| | | | | Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* distro/*: Update the distro filesMark Hatle2013-10-022-4/+2
| | | | | | | | | Make the oe-selinux.conf the base configuration file. Ensure that we enable acl and xattr support as well. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* layer.conf: avoid unnecessary early expansion with :=Christopher Larson2013-10-021-3/+3
| | | | | | | bitbake handles immediate expansions of LAYERDIR for us automatically. Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux: remove reference to locale env files from loginQiang Chen2013-10-022-4/+1
| | | | | | | | | | | | | | | [ CQID: WIND00425413 ] pam.d/login refered to the /etc/default/locale env file. This file is not used in oe-core/Poky. Remove the this reference to avoid error messages in auth.log. Signed-off-by: Qiang Chen <qiang.chen@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* linux-yocto: Add support for the 3.10 kernelMark Hatle2013-10-022-0/+6
| | | | | | | Also update the selinux.cfg file to add ext4, jfs, and jffs2 support. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* kernel: add BBAPPEND for linux 3.10Xin Ouyang2013-10-021-0/+6
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* busybox: alternatives link to sh wrappers for commandsXin Ouyang2013-10-023-2/+94
| | | | | | | | | | | | | | | | | | | | | | While directly using busybox[.[no]suid] as the alternatives' targets, commands could not get correct security labels. ~# ls -l /sbin/getty ..... /sbin/getty -> /bin/busybox.nosuid ~# ls -Z /bin/busybox.nosuid system_u:object_r:bin_t:s0 /bin/busybox.nosuid Add sh wrappers for commands so selinux could work fine. ~# ls -l /sbin/getty ..... /sbin/getty -> /usr/lib/busybox/sbin/getty ~# ls -Z /usr/lib/busybox/sbin/getty system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty ~# cat /usr/lib/busybox/sbin/getty #!/bin/busybox.nosuid Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy*: remove old version recipes and patches.Xin Ouyang2013-10-0244-2380/+0
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy*: add new version 2.20130424Xin Ouyang2013-10-0239-0/+1753
| | | | | | | | | | | | | | | | | | | These patches are removed because new version merged: - poky-fc-update-alternatives_tinylogin.patch - poky-fc-fix-prefix-path_rpc.patch - poky-fc-fix-portmap.patch - poky-fc-cgroup.patch - poky-fc-networkmanager.patch - poky-policy-allow-dbusd-to-setrlimit-itself.patch - poky-policy-allow-dbusd-to-exec-shell-commands.patch - poky-policy-allow-nfsd-to-bind-nfs-port.patch Add two new patches: + poky-policy-fix-setfiles-statvfs-get-file-count.patch + poky-policy-fix-dmesg-to-use-dev-kmsg.patch Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* udev/init: work around dev-cache restore problemsJoe MacDonald2013-10-022-29/+66
| | | | | | | | | | | | | | | | Restoring from the dev-cache with selinux enforcing causes various failures as devices are lacking, at a minimum, reasonable types and attributes. If, on the other hand, we at least create the cache with selinux and xattrs preserved and restored, we get significantly fewer errors and warnings on boot and we can successfully restore the context further down in init anyway. It still leaves some devices mislabeled, though, and still produces warnings on boot. Previous versions of the initscript removed all use of the dev-cache, if need be, we fall back to that. It is possible to get the middle-ground behaviour by defining use_udev_cache at the top of the udev initscript. Signed-off-by: Joe MacDonald <joe@deserted.net>
* udev/init: sync to latest poky versionMark Hatle2013-10-021-55/+103
| | | | | | | | | | | | [ CQID: WIND00424385 ] Sync with the latest init file from poky as of 09172013. Changes include: - adding /sbin/restorecon on start - specifying full path for /sbin/udevadm Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* always force to restore file contexts in initscriptsXin Ouyang2013-10-0210-15/+15
| | | | | | | | | | | In policycoreutils-2.13+, restorecon changes its default behaviour, and does not restore context if the file' type is correct, even its mcs/mls level is incorrect. We should force it always to restore file contexts in initscripts to avoid issues. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* policycoreutils: fix wrong newrole/run_init pam configXin Ouyang2013-10-022-6/+6
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* sepolgen: migrate SRC_URI to 1.1.9Xin Ouyang2013-10-021-3/+3
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* policycoreutils: migrate SRC_URI and patches to 2.1.14Xin Ouyang2013-10-025-350/+52
| | | | | | | | 2.1.14 imports a new python module: sepolicy, so add setools to DEPENDS and split new files to policycoreutils-python. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: migrate SRC_URI to 2.1.9Xin Ouyang2013-10-021-3/+3
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsemanage: migrate SRC_URI to 2.1.10Xin Ouyang2013-10-021-4/+4
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux: migrate SRC_URI and patches to 2.1.13Xin Ouyang2013-10-022-964/+5
| | | | | | | We will also uprev refpolicy, so remove "revert-libpcre.patch". Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* checkpolicy: migrate SRC_URI to 2.1.12Xin Ouyang2013-10-021-3/+3
| | | | | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* selinux userspace: uprev packages to release 20130423Xin Ouyang2013-10-028-12/+12
| | | | | | | | | | | | | | | Upreved packages: - checkpolicy to 2.1.12 - libselinux to 2.1.13 - libsemanage to 2.1.10 - libsepol to 2.1.9 - policycoreutils to 2.1.14 - sepolgen to 1.1.9 Migrate patches in next commits. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* tar: add acl dependency informationJoe Slater2013-10-021-1/+9
| | | | | | | | | If acl is a distro feature, we want to depend on it. Note that without the xattrs patch, tar cannot deal with acl information. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add ${bindir}/sepolgen to system-config-selinux package.Philip Tricca2013-09-271-1/+4
| | | | | | | | | | Currently the policycoreutils package has a broken link from ${bindir}/sepolgen to ${datadir}/system-config-selinux/polgen.py. All of the other polgen stuff is in system-config-selinux so adding sepolgen to same package seems like the right thing to do. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Check for the availability of 'secon' and 'setenforce' in the ↵Philip Tricca2013-09-271-3/+5
| | | | | | | | | selinux-init.sh script. This is for consistency and to aid in debugging. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Resend: Install policy headers and include them in the refpolicy dev package.Philip Tricca2013-09-271-1/+5
| | | | | | | | | | | | To do this we call the 'install-headers' make target at the end of do_install. We then add the interface 'include' directory to the dev package leaving only the policy modules in the main policy package. This allows projects that ship their own SELinux policy (not in the refpolicy) to build the refpolicy headers / interface files by using the Makefile supplied by refpolicy. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* openssh: add PACKAGECONFIG data regarding auditJoe Slater2013-09-271-1/+9
| | | | | | | | Define audit related parameters, but do not enable audit support by default. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add util-linux-agetty to core-image-selinux IMAGE_INSTALL.Philip Tricca2013-09-261-0/+1
| | | | | | | | | | | | Currently logins to core-image-selinux images through a getty (serial) fail. This is caused by the use of the busybox getty. SELinux depends on executable files and their labels to transition between types. The symlink to busybox is not sufficient to cause the getty processes to transition to the right SELinux context. Using a getty binary like the one provided by util-linux fixes this. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe@deserted.net>
* documentation: update guidance for runqemuJoe MacDonald2013-09-251-0/+8
| | | | | | | | Testing SELinux on QEMU occasionally results in OOM conditions during a relabel from time to time. Update the documentation to warn about this and suggest a way to avoid the situation. Signed-off-by: Joe MacDonald <joe@deserted.net>