path: root/recipes-security
Commit message | Author | Age | Files | Lines
* refpolicy: add rules for /var/log symlink on poky | Wenzong Fan | 2014-04-03 | 3 | -0/+61
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file systems | Wenzong Fan | 2014-04-03 | 2 | -0/+31
  The patch is backported from upstream.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: make proftpd be able to work | Roy Li | 2014-04-03 | 2 | -0/+40
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* audit: fix the permission of configuration file | Roy Li | 2014-04-03 | 1 | -0/+3
  An ordinary user should not access auditd configuration files
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* audit: Add systemd support | Roy Li | 2014-04-03 | 3 | -2/+38
  Audit unit file is from
  https://fedorahosted.org/audit/browser/trunk/init.d/auditd.service
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: allow sysadm to run rpcbind | Roy Li | 2014-04-03 | 2 | -0/+34
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* core-image-selinux: update 'core-basic' packagegroup | Joe MacDonald | 2014-04-03 | 1 | -1/+1
  packagegroup-core-basic has been renamed to packagegroup-full-cmdline,
  update our core-image-selinux.
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: Updated FILESEXTRAPATHS_prepend value | Alexandru.Vaduva | 2014-04-03 | 1 | -1/+1
  The value was defined as:
  FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
  and changed it to:
  FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
  because the bb that inherit this overwrites the PV every time, changing its name.
  Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva@enea.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: fix real path for su.shadow | Wenzong Fan | 2014-02-13 | 2 | -0/+26
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: backport two patches to fix dhclient, hostname and ifconfig | Roy Li | 2014-02-12 | 3 | -0/+102
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: fix ftpwho install dir | Roy Li | 2014-02-12 | 2 | -0/+28
  ftpwho is installed into /usr/bin, not /usr/sbin.
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: Allow ping to get/set capabilities | Wenzong Fan | 2014-01-28 | 2 | -0/+36
  When ping is installed with capabilities instead of being marked setuid,
  then the ping_t domain needs to be allowed to getcap/setcap.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: fix real path for swapoff | Wenzong Fan | 2014-01-28 | 1 | -9/+10
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* refpolicy: fix real path for cpio | Wenzong Fan | 2014-01-28 | 2 | -0/+26
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* selinux: set policy-version to 28 | Wenzong Fan | 2014-01-28 | 2 | -0/+6
  The default policy version of new selinux toolchains is 29, to fit
  kernel 3.10.x, set it to 28.
* refpolicy: fix new symlink for policy.kern | Wenzong Fan | 2014-01-26 | 1 | -0/+4
  New 2.2 release of libsemanage removes policy.kern and replace with
  symlink from Dan Walsh. It is a host path while cross-compiling, so
  fix this path.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: fix real path for udevadm | Wenzong Fan | 2014-01-26 | 1 | -6/+14
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* libsemanage: fix DEPENDS override issue | Wenzong Fan | 2014-01-23 | 1 | -1/+1
  Don't override DEPENDS for target build, the "audit" should be
  appended to it.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* libsemanage-native: remove audit-native dependency | Wenzong Fan | 2014-01-20 | 4 | -0/+128
  * native tools don't need audit support;
  * audit 2.3.2 or later requires kernel headers >= 2.6.30, so
    audit-native can't be built on some older distributions.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* Revert "libsemanage: add audit dependency" | Wenzong Fan | 2014-01-20 | 2 | -8/+2
  This reverts commit 146bd8c6bc3bc0e9e96a8517263f28f7915b871d.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* libselinux: uprev to small fix version 2.2.2 | Wenzong Fan | 2014-01-20 | 1 | -2/+2
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* selinux: remove PREFERRED_VERSION configs | Wenzong Fan | 2014-01-20 | 1 | -7/+0
  We are using the latest version for selinux userspace packages, so
  remove the PREFERRED_VERSION configs.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* audit: the ldap option should be "--without-ldap" | Xin Ouyang | 2014-01-13 | 1 | -1/+1
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: fix real path for udevd | Wenzong Fan | 2014-01-10 | 2 | -0/+28
  In Yocto the real path for udevd is /lib/udev/udevd, this patch fixes
  the init issues like:
    udevd[87]: setfilecon /dev/vcsa2 failed: Operation not permitted
    udevd[89]: setfilecon /dev/fb0 failed: Operation not permitted
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* selinux packagegroups: update LIC_FILES_CHKSUM | Wenzong Fan | 2014-01-10 | 3 | -3/+3
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* policycoreutils: fix QA issues | Wenzong Fan | 2014-01-10 | 1 | -3/+7
  ERROR: QA Issue: policycoreutils: Files/directories were installed \
  but not shipped
    /usr/share/icons/hicolor/24x24/apps/system-config-selinux.png
    /usr/share/bash-completion/completions/setsebool
    /usr/share/bash-completion/completions/sepolicy
    /usr/share/bash-completion/completions/semanage
    /usr/share/dbus-1/system-services/org.selinux.service
    /usr/share/polkit-1/actions/org.selinux.config.policy
    /usr/share/polkit-1/actions/org.selinux.policy
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libsemanage: add audit dependency | Wenzong Fan | 2014-01-10 | 2 | -2/+8
  Building libsemanage 2.2 needs the header libaudit.h.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* sepolgen: migrate SRC_URI to 1.2.1 | Wenzong Fan | 2014-01-10 | 2 | -4/+4
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* policycoreutils: migrate SRC_URI and patches to 2.2.5 | Wenzong Fan | 2014-01-10 | 6 | -67/+32
  This patch is removed since it is merged by new version:
    - policycoreutils-fix-strict-prototypes.patch
  These two patches are updated:
    - policycoreutils-fix-sepolicy-install-path.patch
    - policycoreutils-make-O_CLOEXEC-optional.patch
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libsepol: migrate SRC_URI to 2.2 | Wenzong Fan | 2014-01-10 | 4 | -40/+8
  Removed patch and ported changes to 2.2 bbfile:
    - libsepol-Change-ranlib-for-cross-compiling.patch
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libsemanage: migrate SRC_URI to 2.2 | Wenzong Fan | 2014-01-10 | 3 | -8/+10
  Updated patch:
    - libsemanage-fix-path-nologin.patch
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libselinux: migrate SRC_URI and patches to 2.2 | Wenzong Fan | 2014-01-10 | 4 | -66/+10
  These two patches are removed since they are merged by new version:
    - libselinux-fix-init-load-policy.patch
    - libselinux-pcre-link-order.patch
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* checkpolicy: migrate SRC_URI to 2.2 | Wenzong Fan | 2014-01-10 | 2 | -4/+4
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* selinux userspace: uprev packages to release 20131030 | Wenzong Fan | 2014-01-10 | 9 | -15/+13
  Upreved packages:
    - checkpolicy to 2.2
    - libselinux to 2.2
    - libsemanage to 2.2
    - libsepol to 2.2
    - policycoreutils to 2.2.5
    - sepolgen to 1.2.1
  Migrate patches in next commits.
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* policycoreutils: Patch Makefile to get load_policy symlink right. | Philip Tricca | 2014-01-10 | 2 | -0/+20
  Setting DESTDIR in the policycoreutils do_install creates a bad symlink
  for load_policy. This patch fixes up the Makefile to create the symlink
  relative to DESTDIR.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* policy: Create compressed_policy distro feature | Joe MacDonald | 2013-12-05 | 1 | -10/+22
  There is a small cost to having compressed policy files on the final
  image both in terms of memory requirements and load times. In nearly
  all circumstances this is negligible, but this adds a DISTRO_FEATURE
  that can be used to enable it, if desired. The default selinux distros
  will enable the feature by default.
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* bzip SELinux policy modules in ${datadir} | Philip Tricca | 2013-12-05 | 1 | -4/+5
  The 'semodule' utility can operate on compressed modules so the only
  cost of this change is a slower module load time when invoking
  'semodule -i' on a running system (increased CPU load due to bzip2).
  That said my tests show more than 100M reduction in ext3 image size of
  core-image-selinux. This last metric is a bit skewed as the image
  includes two policies. Still, a reduction in the size of the refpolicy
  package by 1/2 is significant.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* libselinux / libsemanage: work around FD_CLOEXEC and SOCK_CLOEXEC absence | Joe MacDonald | 2013-11-14 | 5 | -0/+113
  [ CQID: WIND00438478 ]
  [ CQID: WIND00439485 ]
  Turns out some of the truly old hosts don't even really recognize
  FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC.
  Work around each (define FD_CLOEXEC to something sensible, simply don't
  use SOCK_CLOEXEC, produce warnings in either event).
  Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
  Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* libselinux / policycoreutils: optional O_CLOEXEC | Joe MacDonald | 2013-11-14 | 4 | -0/+152
  [ CQID: WIND00438478 ]
  We still have hosts that pre-date the inclusion of O_CLOEXEC
  (Linux 2.6.23) so compile the flag out when building on classic distros.
  Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
  Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* refpolicy-standard: Use default variables from refpolicy_common.inc | Philip Tricca | 2013-11-06 | 1 | -8/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy-mls: Use default variables from refpolicy_common.inc | Philip Tricca | 2013-11-06 | 1 | -12/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy-mcs: Use default variables from refpolicy_common.inc | Philip Tricca | 2013-11-06 | 1 | -10/+0
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Move common POLICY_* variables to refpolicy_common.inc | Philip Tricca | 2013-11-06 | 1 | -0/+12
  Use default assignment to allow variables to be overridden by recipes
  that include refpolicy_common.inc
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add recipe to build the MCS refpolicy. | Philip Tricca | 2013-10-30 | 1 | -0/+23
  This is the default policy type used by most (all?) distros that
  support SELinux.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* audit: address x-compile issues | Joe MacDonald | 2013-10-23 | 1 | -416/+2933
  The previous approach works well for modern hosts but older ones still
  require the pre-gen'd header files to behave nicely in a x-compile
  environment. So we generate them, patch them in and remove the bits of
  the Makefile that may take it upon itself to re-gen them again.
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add packagegroup for policycoreutils packages. | Philip Tricca | 2013-10-15 | 2 | -3/+38
  The policycoreutils package previously included most everything in the
  base package. This packagegroup is intended to fill the role of the old
  policycoreutils package and pull in all packages from the
  policycoreutils recipe.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Add packagegroup and image recipe for minimal SELinux image. | Philip Tricca | 2013-10-15 | 2 | -0/+41
  This is intended to demonstrate the minimal set of packages necessary
  to boot and load a system with SELinux enabled. Specifically we don't
  need any of the packages that depend on python.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Remove runtime dependency on policycoreutils from the reference policy. | Philip Tricca | 2013-10-15 | 1 | -1/+1
  The only thing refpol needs to depend on at runtime are the things
  necessary to load the policy. If sysvinit is patched to load the policy
  (which it is) then we only need the config.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Remove unnecessary RDEPENDS_${BPN}. | Philip Tricca | 2013-10-15 | 1 | -15/+0
  Now that the policycoreutils package is empty no need for RDEPENDS.
  Doing this in the commit that broke up the policycoreutils package made
  the diff hard to read. Figured it best to break it out for readability.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* Break policycoreutils out into separate packages for the various utilities. | Philip Tricca | 2013-10-15 | 1 | -10/+178
  The driver behind this is to allow images to be built with the minimal
  tools necessary to load a policy. Breaking all of the stuff that's
  dependent on python out from the core utils allows us to make much
  smaller images.
  Signed-off-by: Philip Tricca <flihp@twobit.us>
  Signed-off-by: Joe MacDonald <joe@deserted.net>