path: root/recipes-security
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* refpolicy-mcs: update base refpolicy to git repo
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+11

  A simple forward-port of refpolicy-mcs to use the refpolicy from the git repository.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-targeted: update base refpolicy to git repo
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+20

  A simple forward-port of refpolicy-targeted to use the refpolicy from the git repository.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy git: rebase patches with code base
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 5   Lines: -77/+74

  During the forward-port of these patches from refpolicy 20140311, a rebase onto the head of the refpolicy git repo's master code base is required in order to resolve the patch conflicts.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy git: update refpolicy to git repository
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 44   Lines: -0/+1976

  A straight update from refpolicy 2.20140311 to the refpolicy git repository for the core policy variants and forward-porting of policy patches as appropriate.

  This approach is useful for building refpolicy & refpolicy-contrib directly from the git repos, rather than release tarballs. It helps to check the refpolicy based on source commits by just updating the git repo rev. as appropriate in refpolicy_git.inc.

  ref: https://github.com/TresysTechnology/refpolicy/wiki

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: update base refpolicy 20141203
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+48

  A simple forward-port of refpolicy-minimum to use the 20141203 base refpolicy.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-standard: update base refpolicy 20141203
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+8

  A simple forward-port of refpolicy-standard to use the 20141203 base refpolicy.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-mls: update base refpolicy 20141203
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+10

  A simple forward-port of refpolicy-mls to use the 20141203 base refpolicy.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-mcs: update base refpolicy 20141203
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+11

  A simple forward-port of refpolicy-mcs to use the 20141203 base refpolicy.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-targeted: update base refpolicy 20141203
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 1   Lines: -0/+20

  A simple forward-port of refpolicy-targeted to use the 20141203 base refpolicy.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy 20141203: rebase patches with code base
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 5   Lines: -78/+73

  During the forward-port of these patches from refpolicy 2014120311, a rebase onto the refpolicy 20141203 code base is required in order to resolve the patch conflicts.

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy: update refpolicy to 20141203 release
  Author: Shrikant Bobade   Date: 2015-08-07   Files: 44   Lines: -0/+1974

  A straight update from refpolicy 2.20140311 to 2.20141203 for the core policy variants and forward-porting of policy patches as appropriate.

  ref: https://github.com/TresysTechnology/refpolicy/wiki

  Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: correct SELINUX_DEVEL_PATH
  Author: Wenzong Fan   Date: 2015-08-07   Files: 1   Lines: -1/+9

  sepolgen.conf should be installed with the devel package to correct the default value of SELINUX_DEVEL_PATH; the Makefile will be searched for from that path while building policies on the target.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* policycoreutils: install /var/lib/selinux
  Author: Wenzong Fan   Date: 2015-08-07   Files: 1   Lines: -0/+6

  This dir is required for running the command:

    $ semanage permissive [OPTS]

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: upgrade 2.3.2 -> 2.4.3
  Author: Li xin   Date: 2015-08-07   Files: 6   Lines: -3065/+125

  1) Remove audit-for-cross-compiling.patch and disable-ldap.patch since they are not needed anymore.
  2) Modify audit-python-configure.patch, audit-python.patch and fix-swig-host-contamination.patch, since configure.ac and Makefile.am have been changed in 2.4.3.
  3) Warning fix:
     - WARNING: QA Issue: audit: configure was passed unrecognised options: --without-ldap [unknown-configure-option]
     - WARNING: QA Issue: audit: Files/directories were installed but not shipped in any package

  Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* mcstrans: remove dependency on bash in initscript
  Author: Joe MacDonald   Date: 2015-08-07   Files: 2   Lines: -0/+13

  There were no apparent bashisms in mcstrans.init, so remove the dependency on bash.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* policycoreutils: enable mcstransd
  Author: Roy Li   Date: 2015-08-07   Files: 5   Lines: -4/+126

  mcstransd is a daemon to translate SELinux MCS/MLS sensitivity labels. policycoreutils includes mcstransd, whose version is newer than that from http://mcstrans.sourcearchive.com/

  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* Fix setools building (-fPIC error)
  Author: tprrt   Date: 2015-08-07   Files: 1   Lines: -0/+3

  Signed-off-by: tprrt <tprrt@tupi.fr>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-config: fix the S directory not existent warning
  Author: Dmitry Eremin-Solenikov   Date: 2015-05-11   Files: 1   Lines: -0/+2

  Fix the warning reporting that the ${S} directory does not exist by pointing S to ${WORKDIR}.

  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* selinux-config: allow overriding the 'enforcing' status of SELinux
  Author: Dmitry Eremin-Solenikov   Date: 2015-05-11   Files: 1   Lines: -1/+2

  Move the 'enforcing' setting to the DEFAULT_ENFORCING variable to allow one to override that setting in a bbappend file.

  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* audit: add bash to auditd runtime depends
  Author: Dmitry Eremin-Solenikov   Date: 2015-04-16   Files: 1   Lines: -0/+1

  This is to fix the following QA warning:

    audit-2.3.2: auditd requires /bin/bash, but no providers in its RDEPENDS [file-rdeps]

  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutils: address QA issues
  Author: Joe MacDonald   Date: 2015-02-20   Files: 3   Lines: -2/+136

  Both the fixfiles and sandbox utilities had dependencies on bash when they didn't really need them. Update sandbox and patch fixfiles. ifgen is a python script, so ensure that python is listed as a runtime dependency.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* audit-systemd: allow manual stop as with sysvinit
  Author: Jackie Huang   Date: 2015-01-26   Files: 1   Lines: -1/+0

  The audit service should be manually stopped with systemd.

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* pkggrp-core-selinux: coreutils addition
  Author: Shrikant Bobade   Date: 2015-01-12   Files: 1   Lines: -0/+1

  Add coreutils to packagegroup-core-selinux in order to get chcon availability.

  Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* selinux-init: update for systemd
  Author: Shrikant Bobade   Date: 2015-01-12   Files: 1   Lines: -2/+2

  selinux-init.sh is updated to reboot the system normally to fix the labelling during systemd execution. With a forced reboot the labelling won't be proper and the system continuously reboots to label it like a first-time boot.

  Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* V2 refpolicy:20140311 update for systemd
  Author: Shrikant Bobade   Date: 2015-01-12   Files: 2   Lines: -0/+47

  Systemd init type and related allow rules updated for refpolicy.

  Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: remove link against libfl (dizzy)
  Author: Joe MacDonald   Date: 2014-11-10   Files: 2   Lines: -3/+5

  An updated version of the patch to drop linking against libfl was required.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* userspace: update core selinux userspace tools
  Author: Joe MacDonald   Date: 2014-11-01   Files: 15   Lines: -1551/+63

  Update to the latest stable release, 20140506.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* Globally replace 'base_contains' calls with 'bb.utils.contains'
  Author: Joe MacDonald   Date: 2014-09-24   Files: 2   Lines: -4/+4

  Based on oe-core commit:

    commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
    Author: Otavio Salvador <otavio@ossystems.com.br>
    Date:   Thu Apr 24 15:59:20 2014 -0300

        Globally replace 'base_contains' calls with 'bb.utils.contains'

        The base_contains is kept as a compatibility method and we ought to
        not use it in OE-Core so we can remove it from base metadata in future.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* Use compressed_policy by default, and clear distro feature
  Author: Xin Ouyang   Date: 2014-09-22   Files: 2   Lines: -35/+16

  The original refpolicy installs compressed policy modules to the policy store, but leaves the datadir ones uncompressed. Later, a "compressed_policy" distro feature was added for compressing the datadir ones. This simple mechanism is not worthy of a distro feature; just clear it and use compressed policy modules by default.

  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>

* refpolicy-minimum: add fixed prepare_policy_store().
  Author: Xin Ouyang   Date: 2014-09-22   Files: 1   Lines: -0/+28

  The original prepare_policy_store() has a naming bug for compressed_policy; fix that and bring prepare_policy_store() back.

  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: clean up old policy and patches
  Author: Joe MacDonald   Date: 2014-09-19   Files: 49   Lines: -2156/+0

  Now that the updated refpolicy core variants are available, remove the previous recipe and patches.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-minimum: update base refpolicy 20140311
  Author: Joe MacDonald   Date: 2014-09-19   Files: 2   Lines: -58/+29

  A simple forward-port of refpolicy-minimum to use the 20140311 base refpolicy.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy-targeted: update base refpolicy 20140311
  Author: Joe MacDonald   Date: 2014-09-19   Files: 2   Lines: -41/+34

  A simple forward-port of refpolicy-targeted to use the 20140311 base refpolicy. Now that the updated refpolicy core variants are available, remove the previous recipe.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy: update refpolicy to 20140311 release
  Author: Joe MacDonald   Date: 2014-09-19   Files: 46   Lines: -6/+1927

  A straight update from refpolicy 2.20130424 to 2.20140311 for the core policy variants and forward-porting of policy patches as appropriate. Now that the updated refpolicy core variants are available, remove the previous recipe.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-userspace: update userspace SRC_URI and checksums
  Author: Joe MacDonald   Date: 2014-09-16   Files: 10   Lines: -17/+23

  Trac has been turned off on OSS. Update all SRC_URI links for the userspace components to point at the github project releases. The github releases also have a slightly different directory structure in the tarballs, requiring an update of the checksums as well.

  Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

* refpolicy / minimum: support compressed policy
  Author: Wenzong Fan   Date: 2014-08-28   Files: 1   Lines: -8/+18

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>

* refpolicy: split do_install to three steps
  Author: Wenzong Fan   Date: 2014-08-28   Files: 1   Lines: -14/+25

  Split do_install() into:
    + prepare_policy_store()
    + rebuild_policy()
    + install_misc_files()

  This allows making partial changes to do_install() instead of rewriting it totally from a specific refpolicy bb file.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* libcap-ng: CVE-2014-3215
  Author: Shan Hai   Date: 2014-08-28   Files: 2   Lines: -1/+82

  seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges.

  Pick a patch from the link below to address CVE-2014-3215:
  https://bugzilla.redhat.com/attachment.cgi?id=829864

  Signed-off-by: Shan Hai <shan.hai@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>

* setools: Add bison-native and flex-native to DEPENDS
  Author: Chong Lu   Date: 2014-06-02   Files: 1   Lines: -1/+1

  Avoid "policy_scan.c: No such file or directory".

  Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>

* refpolicy: Allow udev the block_suspend capability
  Author: Jackie Huang   Date: 2014-06-02   Files: 2   Lines: -0/+26

  Fix the avc denied issue:

    type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2

  The patch is backported from upstream.

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* setools: do not override do_configure in autotools class.
  Author: Xin Ouyang   Date: 2014-05-16   Files: 1   Lines: -7/+7

  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>

* refpolicy-*: un-inherit because it is not an autotools package
  Author: Xin Ouyang   Date: 2014-05-16   Files: 1   Lines: -4/+3

  Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
* refpolicy: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 7   Lines: -7/+6

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* checkpolicy: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* libselinux: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* libsemanage: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* libsepol: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* sepolgen: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>

* policycoreutils: remove PRINC warning
  Author: Hongxu Jia   Date: 2014-05-09   Files: 3   Lines: -4/+2

  Bump up PR and remove PRINC. Set it to something suitably large that it's unlikely to break anyone's package feed and so that it shows it's clearly an exception case. Obviously this is just a staging activity until the next update when we don't include anything of the sort.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Joe MacDonald <joe@deserted.net>
* libsemanage: disable expand-check on policy load
  Author: Joe MacDonald   Date: 2014-05-07   Files: 2   Lines: -0/+33

  For small policy modules it's not necessary to walk the hierarchy on load. On embedded devices that are low-powered or resource-constrained, disabling the hierarchy processing can make the difference between seconds and (many) minutes of load time (or being able to load the policy at all).

  Signed-off-by: Joe MacDonald <joe@deserted.net>