| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ CQID: WIND00438478 ]
[ CQID: WIND00439485 ]
Turns out some of the truly old hosts don't even really recognize
FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC. Work
around each (define FD_CLOEXEC to something sensible, simply don't use
SOCK_CLOEXEC, produce warnings in either event).
Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
| |
[ CQID: WIND00438478 ]
We still have hosts that pre-date the inclusion of O_CLOEXEC (Linux
2.6.23) so compile the flag out when building on classic distros.
Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
Use default assignment to allow variables to be overriden by recipes
that include refpolicy_common.inc
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
This is the default policy type used by most (all?) distros that
support SELinux.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
The previous approach works well for modern hosts but older ones still
require the pre-gen'd header files to behave nicely in a x-compile
environment. So we generate them, patch them in and remove the bits of
the Makefile that may take it upon itself to re-gen them again.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
| |
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
| |
The policycoreutils package previously included most everything in
the base package. This packagegroup is intended to fill the role
of the old policycoreutils package and pull in all packages from the
policycoreutils recipe.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
This is intended to demonstrate the minimal set packages necessary
to boot and load a system with SELinux enabled. Specifically we
don't need any of the packages that depend on python.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
The only thing refpol needs to depend on at runtime are the things
necessary to load the policy. If sysvinit is patched to load the
policy (which it is) then we only need the config.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
| |
Now that the policycoreutuils package is empty no need for RDEPENDS.
Doing this in the commit that broke up the policycoreutuils package
made the diff hard to read. Figured it best to break it out for
readability.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
| |
The driver beind this is to allow images to be built with the minimal
tools necessary to load a policy. Breaking all of the stuff that's
dependent on python out from the core utils allows us to make much
smaller images.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
do_install was modified to only do the special actions in the target case,
instead of using shell to check what mode we were running in.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
Refactor the audit cross compiling patch. The new patch might have some minor
host dependencies. If so, let me know!
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
| |
Updated from:
git://git.openembedded.org/meta-openembedded/meta-oe/recipes-devtools/swig
As of commit 1d536390dcafe4d539335dec2173aa9ddc3d8b51
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
Make the oe-selinux.conf the base configuration file.
Ensure that we enable acl and xattr support as well.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
| |
bitbake handles immediate expansions of LAYERDIR for us automatically.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ CQID: WIND00425413 ]
pam.d/login refered to the /etc/default/locale env file.
This file is not used in oe-core/Poky.
Remove the this reference to avoid error messages in auth.log.
Signed-off-by: Qiang Chen <qiang.chen@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
| |
Also update the selinux.cfg file to add ext4, jfs, and jffs2 support.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for commands so selinux could work fine.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These patches are removed because new version merged:
- poky-fc-update-alternatives_tinylogin.patch
- poky-fc-fix-prefix-path_rpc.patch
- poky-fc-fix-portmap.patch
- poky-fc-cgroup.patch
- poky-fc-networkmanager.patch
- poky-policy-allow-dbusd-to-setrlimit-itself.patch
- poky-policy-allow-dbusd-to-exec-shell-commands.patch
- poky-policy-allow-nfsd-to-bind-nfs-port.patch
Add two new patches:
+ poky-policy-fix-setfiles-statvfs-get-file-count.patch
+ poky-policy-fix-dmesg-to-use-dev-kmsg.patch
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restoring from the dev-cache with selinux enforcing causes various
failures as devices are lacking, at a minimum, reasonable types and
attributes. If, on the other hand, we at least create the cache with
selinux and xattrs preserved and restored, we get significantly fewer
errors and warnings on boot and we can successfully restore the context
further down in init anyway. It still leaves some devices mislabeled,
though, and still produces warnings on boot.
Previous versions of the initscript removed all use of the dev-cache,
if need be, we fall back to that. It is possible to get the middle-ground
behaviour by defining use_udev_cache at the top of the udev initscript.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ CQID: WIND00424385 ]
Sync with the latest init file from poky as of 09172013. Changes include:
- adding /sbin/restorecon on start
- specifying full path for /sbin/udevadm
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
| |
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
2.1.14 imports a new python module: sepolicy, so add setools to
DEPENDS and split new files to policycoreutils-python.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
| |
We will also uprev refpolicy, so remove "revert-libpcre.patch".
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upreved packages:
- checkpolicy to 2.1.12
- libselinux to 2.1.13
- libsemanage to 2.1.10
- libsepol to 2.1.9
- policycoreutils to 2.1.14
- sepolgen to 1.1.9
Migrate patches in next commits.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
If acl is a distro feature, we want to depend
on it. Note that without the xattrs patch, tar
cannot deal with acl information.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
| |
Currently the policycoreutils package has a broken link from
${bindir}/sepolgen to ${datadir}/system-config-selinux/polgen.py.
All of the other polgen stuff is in system-config-selinux so
adding sepolgen to same package seems like the right thing to do.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
| |
selinux-init.sh script.
This is for consistency and to aid in debugging.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
To do this we call the 'install-headers' make target at the end of
do_install. We then add the interface 'include' directory to the
dev package leaving only the policy modules in the main policy
package. This allows projects that ship their own SELinux policy
(not in the refpolicy) to build the refpolicy headers / interface
files by using the Makefile supplied by refpolicy.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
Define audit related parameters, but do not enable
audit support by default.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently logins to core-image-selinux images through a getty (serial)
fail. This is caused by the use of the busybox getty. SELinux depends
on executable files and their labels to transition between types.
The symlink to busybox is not sufficient to cause the getty processes
to transition to the right SELinux context. Using a getty binary
like the one provided by util-linux fixes this.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
|
|
|
|
|
|
| |
Testing SELinux on QEMU occasionally results in OOM conditions during a
relabel from time to time. Update the documentation to warn about this
and suggest a way to avoid the situation.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|