| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These patches are removed because new version merged:
- poky-fc-update-alternatives_tinylogin.patch
- poky-fc-fix-prefix-path_rpc.patch
- poky-fc-fix-portmap.patch
- poky-fc-cgroup.patch
- poky-fc-networkmanager.patch
- poky-policy-allow-dbusd-to-setrlimit-itself.patch
- poky-policy-allow-dbusd-to-exec-shell-commands.patch
- poky-policy-allow-nfsd-to-bind-nfs-port.patch
Add two new patches:
+ poky-policy-fix-setfiles-statvfs-get-file-count.patch
+ poky-policy-fix-dmesg-to-use-dev-kmsg.patch
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
2.1.14 imports a new python module: sepolicy, so add setools to
DEPENDS and split new files to policycoreutils-python.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
| |
We will also uprev refpolicy, so remove "revert-libpcre.patch".
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upreved packages:
- checkpolicy to 2.1.12
- libselinux to 2.1.13
- libsemanage to 2.1.10
- libsepol to 2.1.9
- policycoreutils to 2.1.14
- sepolgen to 1.1.9
Migrate patches in next commits.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Currently the policycoreutils package has a broken link from
${bindir}/sepolgen to ${datadir}/system-config-selinux/polgen.py.
All of the other polgen stuff is in system-config-selinux so
adding sepolgen to same package seems like the right thing to do.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
selinux-init.sh script.
This is for consistency and to aid in debugging.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To do this we call the 'install-headers' make target at the end of
do_install. We then add the interface 'include' directory to the
dev package leaving only the policy modules in the main policy
package. This allows projects that ship their own SELinux policy
(not in the refpolicy) to build the refpolicy headers / interface
files by using the Makefile supplied by refpolicy.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently logins to core-image-selinux images through a getty (serial)
fail. This is caused by the use of the busybox getty. SELinux depends
on executable files and their labels to transition between types.
The symlink to busybox is not sufficient to cause the getty processes
to transition to the right SELinux context. Using a getty binary
like the one provided by util-linux fixes this.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is needed to build policy modules outside of the refpolicy.
Policy module build systems need to determine the name of the policy
that will be in effect on the target host. This allows them to
locate the policy headers that will be under
$sysroot/usr/share/selinux/$name/include. Given that there *could*
be more than one policy installed in the sysroot we can't assume
that the policy installed there is the only policy to build against.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
CQID: 418197
Reference /usr/sbin instead of the directory into which
the script is installed on the host.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CQID: 428272
The audit build uses swig to generate a python wrapper.
Unfortunately, the swig info file references host include
directories. Some of these were previously noticed and
eliminated, but the one fixed here was not.
Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
Also fix ALLOW_EMPTY, oe-core does not allow ALLOW_EMPTY w/o a package
name.
Adjust references in core-image-selinux to the new packagegroup filename.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit d46e88abb6e1f7b0228c30c98ba4fb739e63cda3.
In d46e88ab, run_init will not use open_init_pty as Redhat did. Our
old refpolicy still does no work well with this, and make init scripts
fail to start so revert it.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
96cedb will cause wrong security contexts for /dev/ while using
MLS type of old refpolicy, so revert it.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts upstream libpcre commits.
libselinux 2.1.12 uses libpcre to do file path matching instead of glibc
regex. Because there are some differences between glibc regex and pcre
functions, this will cause wrong security contexts for files while using
old refpolicy.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
The flag: -Wno-unused-but-set-variable isn't supported on older
versions of gcc such as gcc-4.1.2 which is the native compiler for
RHEL-5.9. Drop this warning flag for both the native and target builds.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
The flag: -Wno-unused-but-set-variable isn't supported on older
versions of gcc such as gcc-4.1.2 which is the native compiler for
RHEL-5.9. I've droped this warning flag for both the native and target builds.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upreved packages:
- checkpolicy to 2.1.11
- libselinux to 2.1.12
- libsemanage to 2.1.9
- libsepol to 2.1.8
- policycoreutils to 2.1.13
- sepolgen to 1.1.8
Misc changes:
- libselinux has a new depend for libpcre
- drop patches that new version merged
- set PR to r0 for new version
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default audit Makefile will generate native executables in lib/ and
auparse/, which are named as gen_*_h and run on the hosts to create
*_tables.h/*tabs.h header files for the targets.
This is inappropriate for our cross compiling because they need
linux-libc-headers from the host.
Even worse, on some old hosts, build will fail because some .h files
in the old linux-libc-headers (<= 2.6.29) has incomplete DEFINE lists
for the audit system.
So add *tables.h/*tabs.h header files which are generated from
linux-libc-headers-3.4, and do not generate and run those native
executables.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Some binaries in base_sbindir have libcap-ng.so* depends, so move
libcap-ng.so* to avoid QA warnings.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
We still miss some rules for nfsd to bind on nfs ports, so add a patch
to fix this. oe-core changed nfsd to use portmap, so also fix file
contexts for portmap.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Some files of bind are not installed to default pathes, fix the
security contexts for these files.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
/var/cache is a symlink in poky, so we need allow rules for files to
read lnk_file while doing search/list/delete/rw.. in /var/cache/
directory.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Target package policycoreutils-sandbox always needs libcgroup and
libcap-ng, so it should not be conditional.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
shadow package of oe-core and Debian has installed nologin into
/usr/sbin, so fix this path.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
PYTHON_LDFLAGS is considered as the full path of libpython2.7.so,
dirname of the .so file will be expanded into -L<DIR>. As a result,
current PYTHON_LDFLAGS cause this compile result:
${CC} ... -L-LXXX/tmp/sysroots/qemux86-64/usr/lib64
-L-lapol -lqpol -o _sesearch.so
So "-lapol" is ignored, fix this.
CQID: WIND00400717
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Two patches to fix these two issue:
* Current policy has incomplete allow rules for selinux utils to
manage selinux config files and policy store.
* auditd_log_t(/var/log/audit/audit.log) is also placed in
var_log_t, so add related rules.
CQID: WIND00396415
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
| |
CQID: WIND00399962
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
| |
audit admin tools and daemons should install to base_sbindir, so
they can get correct security labels after selinux restorecon
command.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Add user_tty_device_t as a customizable_type, so that restorecon -R
/dev will not complain about it or modify the security labels.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
- /etc -> ${sysconfdir}
- /usr/share -> ${datadir}
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
| |
CQID: WIND00397456
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create include files for selinux userspace packages:
* checkpolicy.inc
* libselinux.inc
* libsemanage.inc
* libsepol.inc
* policycoreutils.inc
* sepolgen.inc
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
|
| |
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
