| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-minimum to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-standard to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-mls to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-mcs to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-targeted to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
During forward-port of these patches from refpolicy 2014120311,
requires rebase with the refpolicy 20141203 code base,
in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
| |
A straight update from refpolicy 2.20140311 to 2.20141203 for the core
policy variants and forward-porting of policy patches as appropriate.
ref: https://github.com/TresysTechnology/refpolicy/wiki
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
The sepolgen.conf should be installed with devel package to correct
the default value of SELINUX_DEVEL_PATH, Makefile will be searched from
that path while building policies on target.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Original refpolicy install compressed policy modules to policy store,
but leave datadir ones uncompressed. After, a "compressed_policy" distro
feature is added for compressing the datadir ones.
This simple mechanism is unworthy for a distro feature, just clear it
and use compressed policy modules by default.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Original prepare_policy_store() has a naming bug for
compressed_policy, fix that and let prepare_policy_store() back.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Now that the updated refpolicy core variants are available, remove the
previous recipe and patches.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
A simple forward-port of refpolicy-minimum to use the 20140311 base
refpolicy.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-targeted to use the 20140311 base
refpolicy. Now that the updated refpolicy core variants are available,
remove the previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
A straight update from refpolicy 2.20130424 to 2.20140311 for the core
policy variants and forward-porting of policy patches as appropriate. Now
that the updated refpolicy core variants are available, remove the
previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Split do_install() to:
+ prepare_policy_store()
+ rebuild_policy()
+ install_misc_files()
This allows to make partial change to do_install() instead of re-write
it totally from specific refpolicy bb file.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix the avc denied issue:
type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2
The patch is backported from upstream
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add initial version for setrans.conf:
- setrans-mls.conf: copied from \
policycoreutils/mcstrans/share/examples/default/setrans.conf
- setrans-mcs.conf: copied from radhat policy.
This fixes below issue:
$ chcat -L
IOError: No such file or directory: \
'/etc/selinux/$POLICY_NAME/setrans.conf'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
This SELinux policy would targeted most of service domains for lock
down, and users and admins will login in with unconfined_t domain.
So they would have the same access to the system as if SELinux was not
enabled, when running commands and services which are not targeted.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
The patch is backported from upstream.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The value was defined as:
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
and changed it to:
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
becase the bb that inherit this overwrites the PV every time,
changing its name.
Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva@enea.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
ftpwho is installed into /usr/bin, not /usr/sbin.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
| |
The default policy version of new selinux toolchains is 29, to
fit kernel 3.10.x, set it to 28.
|
| |
|
|
|
|
|
|
|
| |
New 2.2 release of libsemanage removes policy.kern and replace with
symlink from Dan Walsh. It is a host path while cross-compiling, so
fix this path.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In Yocto the real path for udevd is /lib/udev/udevd, this patch fixes
the init issues like:
udevd[87]: setfilecon /dev/vcsa2 failed: Operation not permitted
udevd[89]: setfilecon /dev/fb0 failed: Operation not permitted
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
There is a small cost to having compressed policy files on the final
image both in terms of memory requirements and load times. In nearly all
circumstances this is negligible, but this adds a DISTRO_FEATURE that
can be used to enable it, if desired.
The default selinux distros will enable the feature by default.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The 'semodule' utility can operate on compresed modules so the only
cost of this change is a slower module load time when invoking
'semodule -i' on a running system (increased CPU load due to bzip2).
That said my tests show more than 100M reduction in ext3 image size
of core-image-selinux. This last metric is a bit skewed as the image
includes two policies. Still, a reduction in the size of the refpolicy
package by 1/2 is significant.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
Use default assignment to allow variables to be overriden by recipes
that include refpolicy_common.inc
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
This is the default policy type used by most (all?) distros that
support SELinux.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
The only thing refpol needs to depend on at runtime are the things
necessary to load the policy. If sysvinit is patched to load the
policy (which it is) then we only need the config.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for commands so selinux could work fine.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These patches are removed because new version merged:
- poky-fc-update-alternatives_tinylogin.patch
- poky-fc-fix-prefix-path_rpc.patch
- poky-fc-fix-portmap.patch
- poky-fc-cgroup.patch
- poky-fc-networkmanager.patch
- poky-policy-allow-dbusd-to-setrlimit-itself.patch
- poky-policy-allow-dbusd-to-exec-shell-commands.patch
- poky-policy-allow-nfsd-to-bind-nfs-port.patch
Add two new patches:
+ poky-policy-fix-setfiles-statvfs-get-file-count.patch
+ poky-policy-fix-dmesg-to-use-dev-kmsg.patch
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To do this we call the 'install-headers' make target at the end of
do_install. We then add the interface 'include' directory to the
dev package leaving only the policy modules in the main policy
package. This allows projects that ship their own SELinux policy
(not in the refpolicy) to build the refpolicy headers / interface
files by using the Makefile supplied by refpolicy.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
