path: root/recipes-security/refpolicy/refpolicy_2.20130424.inc
Commit message | Author | Age | Files | Lines
* refpolicy: clean up old policy and patches | Joe MacDonald | 2014-09-19 | 1 | -67/+0

  Now that the updated refpolicy core variants are available, remove the
  previous recipe and patches.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Allow udev the block_suspend capability | Jackie Huang | 2014-06-02 | 1 | -0/+1

  Fix the avc denied issue:

    type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2

  The patch is backported from upstream

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* refpolicy: remove PRINC warning | Hongxu Jia | 2014-05-09 | 1 | -2/+0

  Bump up PR and remove PRINC.

  Set it to something suitably large that it's unlikely to break anyone's
  package feed and so that it shows it's clearly an exception case.
  Obviously this is just a staging activity until the next update when we
  don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: add rules for /var/log symlink on poky | Wenzong Fan | 2014-04-03 | 1 | -0/+2

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file systems | Wenzong Fan | 2014-04-03 | 1 | -0/+1

  The patch is backported from upstream.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: make proftpd be able to work | Roy Li | 2014-04-03 | 1 | -0/+1

  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: allow sysadm to run rpcbind | Roy Li | 2014-04-03 | 1 | -0/+1

  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: Updated FILESEXTRAPATHS_prepend value | Alexandru.Vaduva | 2014-04-03 | 1 | -1/+1

  The value was defined as:
    FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
  and changed it to:
    FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
  because the bb that inherit this overwrites the PV every time, changing
  its name.

  Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva@enea.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: fix real path for su.shadow | Wenzong Fan | 2014-02-13 | 1 | -0/+1

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: backport two patches to fix dhclient, hostname and ifconfig | Roy Li | 2014-02-12 | 1 | -0/+2

  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: fix ftpwho install dir | Roy Li | 2014-02-12 | 1 | -0/+1

  ftpwho is installed into /usr/bin, not /usr/sbin.

  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: Allow ping to get/set capabilities | Wenzong Fan | 2014-01-28 | 1 | -0/+4

  When ping is installed with capabilities instead of being marked setuid,
  then the ping_t domain needs to be allowed to getcap/setcap.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: fix real path for cpio | Wenzong Fan | 2014-01-28 | 1 | -0/+1

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* refpolicy: fix real path for udevd | Wenzong Fan | 2014-01-10 | 1 | -0/+1

  In Yocto the real path for udevd is /lib/udev/udevd, this patch fixes
  the init issues like:

    udevd[87]: setfilecon /dev/vcsa2 failed: Operation not permitted
    udevd[89]: setfilecon /dev/fb0 failed: Operation not permitted

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* busybox: alternatives link to sh wrappers for commands | Xin Ouyang | 2013-10-02 | 1 | -0/+2

  While directly using busybox[.[no]suid] as the alternatives' targets,
  commands could not get correct security labels.

    ~# ls -l /sbin/getty
    ..... /sbin/getty -> /bin/busybox.nosuid
    ~# ls -Z /bin/busybox.nosuid
    system_u:object_r:bin_t:s0 /bin/busybox.nosuid

  Add sh wrappers for commands so selinux could work fine.

    ~# ls -l /sbin/getty
    ..... /sbin/getty -> /usr/lib/busybox/sbin/getty
    ~# ls -Z /usr/lib/busybox/sbin/getty
    system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
    ~# cat /usr/lib/busybox/sbin/getty
    #!/bin/busybox.nosuid

  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy*: add new version 2.20130424 | Xin Ouyang | 2013-10-02 | 1 | -0/+51

  These patches are removed because new version merged:
   - poky-fc-update-alternatives_tinylogin.patch
   - poky-fc-fix-prefix-path_rpc.patch
   - poky-fc-fix-portmap.patch
   - poky-fc-cgroup.patch
   - poky-fc-networkmanager.patch
   - poky-policy-allow-dbusd-to-setrlimit-itself.patch
   - poky-policy-allow-dbusd-to-exec-shell-commands.patch
   - poky-policy-allow-nfsd-to-bind-nfs-port.patch

  Add two new patches:
   + poky-policy-fix-setfiles-statvfs-get-file-count.patch
   + poky-policy-fix-dmesg-to-use-dev-kmsg.patch

  Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>