| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches to make systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
83eac4de updated the usage of getVar() in classes/selinux.bbclass to
leave out the default expand parameter. This is consistent with the
usage in the core layers.
Bring all other calls to getVar() in the layer into alignment with this
approach.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
* Switch to python3
* Update policy-version to 31 to match selinux 2.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
On highly storage-limited machines it may be beneficial to completely
remove some or all non-essential policy modules. refpolicy already
supports this with the 'no' option in modules.conf, so we'll just expose
this feature (with an appropriate warning) at the recipe-level.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Additionally, the README has fallen out of date, update it to reflect the
current reality of layer dependencies.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Those tools have been moved from policycoreutils to semodule-utils:
semodule_deps, semodule_expand, semodule_link, semodule_package
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
| |
Underscore ("_") should be used for variable overrides.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The behavior of b{zip,unzip}2 an vary from host to host with
regards to a number of things such as return value or permissions.
We should always use the native bzip2 package to keep the behavior
deterministic. This change prevents a warning at do_package_qa
task of refpolicy-mls package.
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
A number of upstream changes caused patch conflicts or duplication in the
final policy. Update the list of git patches appropriately.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
Both selinux 2.5 and kernel 4.8 support Max Policy Version 30.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In keeping with the approach of only providing a single default policy at
runtime, we were originally using a virtual/refpolicy dependency and
filling it with one of our specific refpolicy implementations. This works
well enough for some package systems, but fails for others (specifically
deb, possibly more).
Since the intent was to only have one present in the default image anyway,
we'll just throw out the 'virtual/' part of the RPROVIDES and related
dependencies across the board.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
refpolicy now introduced systemd support using POLICY_SYSTEMD variable,
with systemd enabled setup we need the refpolicy with systemd support, so
enable systemd support based on DISTRO_FEATURES.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
| |
config.
Signed-off-by: Philip Tricca <flihp@twobit.us>
|
| |
|
|
|
|
|
|
|
|
| |
Use the anonymous python function to be sure the value set for
'SELINUX' in the config file is something useful. In the event that
DEFAULT_ENFORCING isn't set to one of the 3 permissible values we
set it to 'permissive'.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
With the virutal package there's no need for a separate recipe to build
the config. This can be generated and included as part of the policy
package.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows us to provide a default policy through the
PREFERRED_PROVIDER mechanism for each of the example distro configs.
Consumers of meta-selinux will be able to override this at the config
level instead of having to depend on a specific policy package. We do
lose the ability install more than one policy package but this falls
in line with the embedded nature of the project.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
refpolicy has introduced a new build.conf option, SYSTEMD=y,
to enable rules specific to using systemd as the init system.
In particular, without setting this option, rules for direct
domain transitions from init_t to daemon domains are not included
in the policy. Define a POLICY_SYSTEMD variable in the refpolicy
common include file that can be set elsewhere to enable this support.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
|
| |
|
|
|
|
|
|
| |
libsemanage 2.5 renamed /var/lib/selinux/tmp to /var/lib/selinux/final;
update the refpolicy recipe accordingly.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'bzip2 -qt $moudle_name.pp' has different exit codes on different
distributions, for example:
* On Redhat/CentOS/Fedora, OpenSUSE:
$ bzip2 -qt /tmp/tor.pp
bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
$ echo $?
0
This causes install errors:
unzip2: /path/to/*.pp is not a bzip2 file.
libsepol.module_package_read_offsets: module package header truncated
Failed to read policy package
* Ubuntu has fixed it:
$ bzip2 -qt /tmp/tor.pp
bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
$ echo $?
2
The difference involved by '-q' options, remove it would get the bzip2
works consistently. bzip2-native has the same issue, anyway it should
be fixed separately.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The policy modules are now installed into /var/lib/selinux instead
of /etc/selinux.
Policies now have priorities. This is represented as part of the path
under /var/lib/selinux.
The new intermediate policy representation requires that we install
the policy package as 3 files (hll, cil & lang_ext) instead of just
the *.pp as before. The cil is generated from the hll (the pp file)
using the new 'pp' utility.
The base policy module now lives with all of the other modules.
policy.kern has gone away.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
The sepolgen.conf should be installed with devel package to correct
the default value of SELINUX_DEVEL_PATH, Makefile will be searched from
that path while building policies on target.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Original refpolicy install compressed policy modules to policy store,
but leave datadir ones uncompressed. After, a "compressed_policy" distro
feature is added for compressing the datadir ones.
This simple mechanism is unworthy for a distro feature, just clear it
and use compressed policy modules by default.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Split do_install() to:
+ prepare_policy_store()
+ rebuild_policy()
+ install_misc_files()
This allows to make partial change to do_install() instead of re-write
it totally from specific refpolicy bb file.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add initial version for setrans.conf:
- setrans-mls.conf: copied from \
policycoreutils/mcstrans/share/examples/default/setrans.conf
- setrans-mcs.conf: copied from radhat policy.
This fixes below issue:
$ chcat -L
IOError: No such file or directory: \
'/etc/selinux/$POLICY_NAME/setrans.conf'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
The default policy version of new selinux toolchains is 29, to
fit kernel 3.10.x, set it to 28.
|
| |
|
|
|
|
|
|
|
| |
New 2.2 release of libsemanage removes policy.kern and replace with
symlink from Dan Walsh. It is a host path while cross-compiling, so
fix this path.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
There is a small cost to having compressed policy files on the final
image both in terms of memory requirements and load times. In nearly all
circumstances this is negligible, but this adds a DISTRO_FEATURE that
can be used to enable it, if desired.
The default selinux distros will enable the feature by default.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The 'semodule' utility can operate on compresed modules so the only
cost of this change is a slower module load time when invoking
'semodule -i' on a running system (increased CPU load due to bzip2).
That said my tests show more than 100M reduction in ext3 image size
of core-image-selinux. This last metric is a bit skewed as the image
includes two policies. Still, a reduction in the size of the refpolicy
package by 1/2 is significant.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Use default assignment to allow variables to be overriden by recipes
that include refpolicy_common.inc
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
The only thing refpol needs to depend on at runtime are the things
necessary to load the policy. If sysvinit is patched to load the
policy (which it is) then we only need the config.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These patches are removed because new version merged:
- poky-fc-update-alternatives_tinylogin.patch
- poky-fc-fix-prefix-path_rpc.patch
- poky-fc-fix-portmap.patch
- poky-fc-cgroup.patch
- poky-fc-networkmanager.patch
- poky-policy-allow-dbusd-to-setrlimit-itself.patch
- poky-policy-allow-dbusd-to-exec-shell-commands.patch
- poky-policy-allow-nfsd-to-bind-nfs-port.patch
Add two new patches:
+ poky-policy-fix-setfiles-statvfs-get-file-count.patch
+ poky-policy-fix-dmesg-to-use-dev-kmsg.patch
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To do this we call the 'install-headers' make target at the end of
do_install. We then add the interface 'include' directory to the
dev package leaving only the policy modules in the main policy
package. This allows projects that ship their own SELinux policy
(not in the refpolicy) to build the refpolicy headers / interface
files by using the Makefile supplied by refpolicy.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
We still miss some rules for nfsd to bind on nfs ports, so add a patch
to fix this. oe-core changed nfsd to use portmap, so also fix file
contexts for portmap.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
| |
CQID: WIND00399962
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Add user_tty_device_t as a customizable_type, so that restorecon -R
/dev will not complain about it or modify the security labels.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
- /etc -> ${sysconfdir}
- /usr/share -> ${datadir}
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
With new changes in oe-core, recipes which need python-native
should "inherit pythonnative".
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| | |
|
| |
|
