summaryrefslogtreecommitdiffstats
path: root/recipes-security/selinux
Commit message (Collapse)AuthorAgeFilesLines
* libselinux: Fix restorecon_set_sehandle.patch contextJason Andryuk2021-11-231-2/+2
| | | | | | | | | | | 0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch added in commit d6ff5a0e67af "libselinux: Backport NULL pointer fix from 3.1" fails to apply because there is a extra level in the patch context. The patch cannot apply and do_patch fails. Fix the context so it builds again. Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux: Backport NULL pointer fix from 3.1Jonas Brich2021-10-182-0/+31
| | | | | | | | | | | | | | | Using function restorecon_init inside selinux_restorecon.c can result in a NULL pointer. This happens because function selinux_restorecon_set_sehandle can return a NULL pointer. But it is not checked and directly given to the next function. This problem is already fixed in libselinux 3.1 and above. Therefore backport this fix. Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/08f5e30177218fae7ce9f5c8d6856690126b2b30] Issue: MGURSU-7259 Change-Id: Ice5c7c94987441ba53431aeffc200c0b9c5697a4 Signed-off-by: Joe MacDonald <joe@deserted.net>
* secilc: Security fix for CVE-2021-36087Armin Kuster2021-09-162-0/+136
| | | | | | | | | | | | | | Source: https://github.com/SELinuxProject/selinux MR: 111869 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6 Description: Affects: secilc <= 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: Security fix CVE-2021-36085Armin Kuster2021-09-162-0/+39
| | | | | | | | | | | | | | Source: https://github.com/SELinuxProject/selinux/ MR: 111857 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4 Description: Affects: libsepol <= 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: Security fix CVE-2021-36084Armin Kuster2021-09-162-0/+100
| | | | | | | | | | | | | | Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux-python: Fix build error due to missing target configAnatol Belski2021-03-171-0/+2
| | | | | | | | | | | | This fixes the error below: gcc: error: unrecognized command line option ‘-fmacro-prefix-map=/path/to/build/libselinux-python/3.0-r0=/usr/src/debug/libselinux-python/3.0-r0’ Without inheriting the config, supposedly a wrong compiler is used. Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* checkpolicy: remove unused te_assertionsMingli Yu2020-07-132-0/+49
| | | | | | | | | | | | | Backport a patch to remove unused te_assertions to fix the build failure on fedora 32. Fixes: | /build/tmp-glibc/hosttools/ld: policy_define.o:(.bss+0x28): multiple definition of `te_assertions'/build/tmp-glibc/hosttools/ld: policy_define.o:(.bss+0x28): multiple definition of `te_assertions'; y.tab.o:(.bss+0x18): first defined here | collect2: error: ld returned 1 exit status | make: *** [Makefile:33: checkpolicy] Error 1 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsepol: fix build errors on Fedora 32Yi Zhao2020-06-153-0/+600
| | | | | | | | | | | | | | | Backport 2 patches to fix the build errors on Fedora 32. Fixes: [snip] ../cil/src/cil_verify.lo:(.bss+0x4f0): multiple definition of `CIL_KEY_CONS_T3'; ../cil/src/cil_verify.lo:(.bss+0x4f8): multiple definition of `CIL_KEY_CONS_T2'; ../cil/src/cil_verify.lo:(.bss+0x500): multiple definition of `CIL_KEY_CONS_T1'; ../cil/src/cil_verify.lo:(.bss+0x508): multiple definition of `cil_mem_error_handler'; [snip] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux-python: Fix one invalid linkChangqing Li2020-04-302-0/+53
| | | | | | | | | when host arch and target arch are different, the extension suffix of host is different with target one, so there will be a invalid link. Fix by update the way to create the link. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
* semodule-utils: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-gui: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-sandbox: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-dbus: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-python: upgrade to 3.0 (20191204)Yi Zhao2020-04-154-25/+15
| | | | | | | Refresh fix-sepolicy-install-path.patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* restorecond: upgrade to 3.0 (20191204)Yi Zhao2020-04-153-8/+8
| | | | | | | Fix typo in patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* mcstrans: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutils: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-8/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* secilc: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | | | License-Update: fix misspellings Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: upgrade to 3.0 (20191204)Yi Zhao2020-04-155-13/+13
| | | | | | | | * Refresh libsemanage-allow-to-disable-audit-support.patch * Fix typos in patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux-python: upgrade to 3.0 (20191204)Yi Zhao2020-04-153-7/+38
| | | | | | | | | * Inherit python3native as the libselinux uses python distutils to install selinux python bindings now. * Add a patch to fix python modules install path for multilib. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: upgrade to 3.0 (20191204)Yi Zhao2020-04-156-7/+46
| | | | | | | | * Backport a patch to fix build failure with musl. * Fix typos in patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: upgrade to 3.0 (20191204)Yi Zhao2020-04-152-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux: upgrade inc files to 3.0 (20191204)Yi Zhao2020-04-151-1/+1
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* clean up getVar() usageJoe MacDonald2020-04-032-2/+2
| | | | | | | | | | | 83eac4de updated the usage of getVar() in classes/selinux.bbclass to leave out the default expand parameter. This is consistent with the usage in the core layers. Bring all other calls to getVar() in the layer into alignment with this approach. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-initsh.inc: install selinux-init.sh and selinux-labeldev.sh when ↵Yi Zhao2019-12-302-5/+7
| | | | | | | | | | | | | | using systemd The commit 5fd3c5b71edb99659aeb5cb5903088d84517382e introduced an issue that selinux-init.sh and selinux-labeldev.sh are not installed when using systemd which will cause the selinux-ini.service and selinux-labeldev.service fail to startup. Move the do_install codes from selinux-autorelabel to selinux-initsh.inc to make sure install these scripts when using systemd. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: fix race issue in parallel buildYi Zhao2019-12-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | The install-pywarp target doesn't depend on swigify target because the semanage.py is not generated by swigify target but pywrap target. Here is the dependency chain: install-pywrap -> pywrap -> $(SWIGSO) -> $(SWIGLOBJ) -> $(SWIGCOUT) -> semanage.py But in the recipe, the swigify target is added explicitly in do_install: do_install_append() { oe_runmake install-pywrap swigify \ [snip] } This target will regenerate the semanage.py when do_install. So there will be a potential race issue in parallel build. The install-pywrap target is trying to install semanage.py when swigify target is generating the file. Then an empty semanage.py will be installed. Remove the target swigify to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux-python: fix race issue in parallel buildYi Zhao2019-12-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | The install-pywarp target doesn't depend on swigify target because the selinux.py is not generated by swigify target but pywrap target. Here is the dependency chain: install-pywrap -> pywrap -> $(SWIGFILES) -> $(SWIGPYOUT) -> $(SWIGCOUT) -> selinux.py But in the recipe, the swigify target is added explicitly in do_install: do_install_append() { oe_runmake install-pywrap swigify \ [snip] } This target will regenerate the selinux.py when do_install. So there will be a potential race issue in parallel build. The install-pywrap target is trying to install selinux.py when swigify target is generating the file. Then an empty selinux.py will be installed. Remove the target swigify to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* semodule-utils: uprev to 2.9 (20190315)Yi Zhao2019-12-192-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-gui: uprev to 2.9 (20190315)Yi Zhao2019-12-193-8/+8
| | | | | | | * Switch to python3 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-sandbox: uprev to 2.9 (20190315)Yi Zhao2019-12-194-17/+16
| | | | | | | | * Switch to python3 * Rebase patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-dbus: uprev to 2.9 (20190315)Yi Zhao2019-12-193-8/+8
| | | | | | | * Switch to python3 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-python: uprev to 2.9 (20190315)Yi Zhao2019-12-196-121/+40
| | | | | | | | | | | | | * Switch to python3 * Drop patches: fix-TypeError-for-seobject.py.patch process-ValueError-for-sepolicy-seobject.patch * Rebase patches Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* restorecond: uprev to 2.9 (20190315)Yi Zhao2019-12-193-19/+24
| | | | | | | * Rebase patches Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* mcstrans: uprev to 2.9 (20190315)Yi Zhao2019-12-195-23/+32
| | | | | | | * Rebase patches Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutils: uprev to 2.9 (20190315)Yi Zhao2019-12-193-20/+12
| | | | | | | * Switch to python3 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* secilc: uprev to 2.9 (20190315)Yi Zhao2019-12-192-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: uprev to 2.9 (20190315)Yi Zhao2019-12-192-7/+7
| | | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: uprev to 2.9 (20190315)Yi Zhao2019-12-1910-128/+70
| | | | | | | | | | | | | | | * Switch to python3 * Drop patches: libsemanage-fix-path-nologin.patch 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch * Rebase patches * Update policy version to 31 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux-python: add recipeYi Zhao2019-12-192-0/+58
| | | | | | | | | After switch to python3, There is a loop dependency error with libselinux-python package when build libselinux. Split the original libselinux recipe into libselinux and libselinux-python. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: uprev to 2.9 (20190315)Yi Zhao2019-12-194-116/+6
| | | | | | | | | | | | | | * Switch to python3 * Drop patches: 0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch * Split into libselinux recipe and libselinux-python recipe to fix the loop dependency error. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: uprev to 2.9 (20190315)Yi Zhao2019-12-193-38/+7
| | | | | | | * Drop patch 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux: uprev inc files to 2.9 (20190315)Yi Zhao2019-12-193-8/+9
| | | | | | | | * Update SRC_URI * Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* autorelabel: only selinux-autorelabel need autorelabel fileChristophe PRIOUZEAU2019-12-092-7/+9
| | | | | | | | | | With previous implementation, several packages provided .autorelabel file while only selinux-autorelabel manage it. If there is several packages which try to install .autorelabel file, an issue occur during installation of packagegroup-core-selinux. Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-autorelabel: disable enforcing mode before relabelYi Zhao2019-09-091-3/+6
| | | | | | | | | | | The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue when first boot with bootparams="selinux=1 enforcing=1". At first boot, all files are unlabeled including /sbin/setfiles. The relabel operations are not permitted under enforcing mode. So we need to disable enforcing mode before relabel. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* mcstrans: specify INITDIRYi Zhao2019-08-291-1/+1
| | | | | | | | | By default the mcstrans init script will be installed to /etc/rc.d/init.d directory. Specify INITDIR to install it to /etc/init.d directory. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-python: Fix dependency for ntpathLorenz Kofler2019-08-281-0/+1
| | | | | | | | | On yocto warrior the semanage tool didn't work correctly, because it couldn't find ntpath module. It turned out that this module is now part of the package python-misc, therefore add dependency to python-misc. Signed-off-by: Lorenz Kofler <lorenz@sigma-star.at> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: use systemd (re)labellingMark Asselstine2019-08-284-16/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | Boot loops were being seen when booting with selinux enabled, when the init system in use is systemd. Once logs were retrieved from the failing system the error was found to be selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code used by selinux-init.sh is unable to handle this. On top of this the system is basically presenting two methods of (re)labelling; using the built in systemd approach via selinux-autorelabel.service *and* the code we have in selinux-init.sh. This can get confusing especially given that most online resources will speak to the systemd approach using selinux-autorelabel.service and /.autorelabel. These changes leave the current approach in place when sysvinit is the init system used, but if systemd is being used we make use of it's internal (re)labelling functionality. Overall the workflow remains the same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw during the (re)labelling procedure). Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-sandbox: add runtime dependency on python-coreYi Zhao2019-08-281-0/+1
| | | | | | | | | Fixes: ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox requires /usr/bin/python, but no providers found in RDEPENDS_selinux-sandbox? [file-rdeps] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-python: add python-core as runtime dependencyYi Zhao2019-08-281-0/+3
| | | | | | | | | | | | | Fix QA issues: QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package selinux-python requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python? [file-rdeps] QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps] QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>