summaryrefslogtreecommitdiffstats
path: root/recipes-security
Commit message (Collapse)AuthorAgeFilesLines
...
* Add include file for the 20160223 SELinux userspace release.Stephen Smalley2016-03-171-0/+5
| | | | | Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Philip Tricca <flihp@twobit.us>
* audit: upgrade 2.4.4 -> 2.5T.O. Radzy Radzykewycz2016-03-063-78/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * rebase patch audit-python-configure.patch * remove audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch as it had already been applied upstream * 2.5 includes miscellaneous enhancements and fixes: 2.5 - Make augenrules the default method to load audit rules - Put rules in its own directory and break out rules into groups - Have auditd do a fsync before closing log - Make default flush setting larger - In auparse. terminate the generated strings (Burn Alting) - In auditd, add incremental_async flushing mode - Clean up dangling fields in DAEMON events - Add audit by process name support to auditctl (Richard Briggs) - Relax permissions on systemd files - Fix auparse to handle interlaced events (Burn Alting) - Allow more syslog facilities in audispd-syslog (Aleksander Adamowski) 2.4.5 - Fix auditd disk flushing for data and sync modes - Fix auditctl to not show options not supported on older OS - Add audit.m4 file to aid adding support to other projects - Fix C99 inline function build issue - Add account lock and unlock event types - Change logging loophole check to geteuid() - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting) - Fix ausearch to parse FEATURE_CHANGE events ( From http://people.redhat.com/sgrubb/audit/ChangeLog ) Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: backport procfs mount fixIoan-Adrian Ratiu2016-02-283-0/+76
| | | | | | | libselinux 20160107 ships this change (git commit id 9df49888) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsemanage: fix libsepol.pc failed sanity testRobert Yang2016-02-273-0/+30
| | | | | | | ERROR: libsemanage-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Philip Tricca <flihp@twobit.us>
* libselinux: fix libselinux.pc failed sanity testRobert Yang2016-02-273-0/+30
| | | | | | | ERROR: libselinux-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Philip Tricca <flihp@twobit.us>
* libsepol: fix libsepol.pc failed sanity testRobert Yang2016-02-273-0/+32
| | | | | | | ERROR: libsepol-2.4-r0 do_populate_sysroot: QA Issue: libsepol.pc failed sanity test (tmpdir) in path /path/to//sysroot-destdir//usr/lib/pkgconfig [pkgconfig] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Philip Tricca <flihp@twobit.us>
* audit: upgrade 2.4.3 -> 2.4.4Wenzong Fan2015-11-272-5/+6
| | | | | | | | | | * rebase patch audit-python-configure.patch * 2.4.4 includes CVE-2015-5186 and bug fixes, detials refer to: http://people.redhat.com/sgrubb/audit/ChangeLog Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-git: Refresh poky-policy-fix-new-SELINUXMNT-in-sys.patch.Philip Tricca2015-11-271-75/+25
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Break handling of /.autorelabel out into separate script.Philip Tricca2015-11-275-14/+43
| | | | | | | | Fixup DESCRIPTION in old selinux-init recipe. Exclude this autorelabel script from the minimal packagegroup. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Break labeling of /dev out into separate script.Philip Tricca2015-11-276-11/+43
| | | | | | | Remove selinux-init package from packagegroup-selinux-minimal. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-init: Move script logic into include.Philip Tricca2015-11-272-21/+28
| | | | | | | This will be useful when we have other init scripts. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-config: Separate init script into new recipe.Philip Tricca2015-11-275-13/+40
| | | | | | | Add runtime dependencies for init script. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: update prepare_policy_storeWenzong Fan2015-11-271-11/+30
| | | | | | | | | | | | | | | | | * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the logic is from refpolicy_common.inc but with minimum set of policy modules; * add extra policy modules that required by sysnetwork, without those modules the install process will fail with error: | Failed to resolve roletype statement at 62 of \ .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil | Failed to resolve ast | semodule: Failed! Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-targeted: rebase patchesWenzong Fan2015-11-272-41/+56
| | | | | | | | | | rebase patches against latest git sources: * refpolicy-fix-optional-issue-on-sysadm-module.patch * refpolicy-unconfined_u-default-user.patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: DEPENDS on flex-nativeRobert Yang2015-10-221-0/+2
| | | | | | | | Fixed when build libsepol-native: /bin/sh: 1: flex: not found Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: fix exit code issue of bzip2Wenzong Fan2015-10-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'bzip2 -qt $moudle_name.pp' has different exit codes on different distributions, for example: * On Redhat/CentOS/Fedora, OpenSUSE: $ bzip2 -qt /tmp/tor.pp bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2) $ echo $? 0 This causes install errors: unzip2: /path/to/*.pp is not a bzip2 file. libsepol.module_package_read_offsets: module package header truncated Failed to read policy package * Ubuntu has fixed it: $ bzip2 -qt /tmp/tor.pp bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2) $ echo $? 2 The difference involved by '-q' options, remove it would get the bzip2 works consistently. bzip2-native has the same issue, anyway it should be fixed separately. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libcap-ng: remove packageWenzong Fan2015-10-222-98/+0
| | | | | | | | | | libcap-ng 0.7.7 has been added to oe-core: ad509d7644803ff9386affefe2ec1a3664027074 No change need to port. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: SRCREV_FORMAT neededJoe Slater2015-10-221-0/+1
| | | | | Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit/auvirt: get inline functions work with both gnu89 & gnu11Wenzong Fan2015-09-212-0/+72
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After gcc upgraded to gcc5, and if the codes are compiled without optimization (-O0), and the below error will happen: auvirt.c:484: undefined reference to `copy_str' auvirt.c:667: undefined reference to `is_resource' collect2: error: ld returned 1 exit status gcc5 defaults to -std=gnu11 instead of -std=gnu89, and it requires that exactly one C source file has the callable copy of the inline function. Consider the following program: inline int foo (void) { return 42; } int main (void) { return foo (); } The program above will not link with the C99 inline semantics, because no out-of-line function foo is generated. To fix this, either mark the function foo as static, or add the following declaration: static inline int foo (void); More information refer to: https://gcc.gnu.org/gcc-5/porting_to.html Note: using "extern inline" will fail to build with gcc4.x, so replace inline with "static inline". Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: Update policy install and bootstrap process for CIL.Philip Tricca2015-09-171-14/+26
| | | | | | | | | | | | | | | | The policy modules are now installed into /var/lib/selinux instead of /etc/selinux. Policies now have priorities. This is represented as part of the path under /var/lib/selinux. The new intermediate policy representation requires that we install the policy package as 3 files (hll, cil & lang_ext) instead of just the *.pp as before. The cil is generated from the hll (the pp file) using the new 'pp' utility. The base policy module now lives with all of the other modules. policy.kern has gone away. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* setools: Add patch to support 2.4 toolstack.Philip Tricca2015-09-173-35/+115
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutuils: Bump version to 2.4.Philip Tricca2015-09-173-5/+83
| | | | | | | | | | | | This integrates the new hll tool for compiling pp files into cil. The hack to stage pp into the sysroot is a bit weird but the libexec dir seems to be something bitbake doesn't account for. Had to pull one patch from upstream to build the MLS policy. This fixes an error where the auditadm_r and secadm_r roles end up defined twice in the CIL. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsemanage: Bump version to 2.4.Philip Tricca2015-09-172-14/+13
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* checkpolicy: Bump version to 2.4.Philip Tricca2015-09-172-7/+7
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: Bump version to 2.4.Philip Tricca2015-09-171-3/+3
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libsepol: Bump version to 2.4.Philip Tricca2015-09-172-7/+7
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* Add common files for 20150202 SELinux userspace release.Philip Tricca2015-09-171-0/+5
| | | | | | | | | | Note the change in the URL from the last release. We were pulling source tarballs generated by GitHub as part of its reponse to the addition of tags. The SELinux project maintains their own releases on the wiki at: https://github.com/SELinuxProject/selinux/wiki/Releases Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* Use the SELinux project release tarballs.Philip Tricca2015-09-088-18/+14
| | | | | | | | | | | | | | | | The SRC_URI used for the last SELinux userspace upgrade was the wrong one. We were using the URI generated by GitHub when tags are added to a repo. These are not the SELinux release tarballs. The SELinux project generates and releases tarballs for each tool and posts them to their GitHub wiki 'Releases' page: https://github.com/SELinuxProject/selinux/wiki/Releases. This patch fixes this URI, fixes the SELINUX_RELEASE variable that didn't get updated during the last upgrade, removes the workaround for the 'S' variable and fixes up the SRC_URI hashes. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: remove add-system-call-table-for-ARM.patchRobert Yang2015-08-142-48/+0
| | | | | | | | | | There isn't lib/machinetabs.h any more, there isn't data structures like "static const char machine_strings", either. This fixed a do_patch error when arm. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libcap-ng: upgrade 0.7.4 -> 0.7.7Wenzong Fan2015-08-143-100/+41
| | | | | | | | | | | | | | | | | | | | * Port changes from meta-oe: commit bce4dba5546480c8e43c6442959ac7d0a4ef32f6 Author: Li xin <lixin.fnst@cn.fujitsu.com> Date: Thu Jul 23 15:29:31 2015 +0800 libcap-ng: upgrade 0.7.4 -> 0.7.7 Update python.patch,since the contents has been changed. Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> * Remove patch CVE-2014-3215.patch that included by 0.7.7 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* libselinux: get pywrap depends on selinux.pyWenzong Fan2015-08-143-0/+33
| | | | | | | | | | | | | | | | | | | | | | The selinux.py will be installed as selinux/__init__.py, just make sure it has been generated completely while starting "make install-pywrap". This fixes below errors that caused by an empty "selinux/__init__.py" on target: $ /usr/sbin/semanage -h Traceback (most recent call last): File "/usr/sbin/semanage", line 30, in <module> import seobject File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module> import sepolicy File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 226, in <module> def get_file_equiv_modified(fc_path = selinux.selinux_file_context_path()): AttributeError: 'module' object has no attribute 'selinux_file_context_path' Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* audit: fix qa warning, update config optionShrikant Bobade2015-08-141-1/+1
| | | | | | | | update config option '--with-armeb' to '--with-arm' for audit qa warning fix. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-config: make DEFAULT_POLICY and DEFAULT_ENFORCING configurableJosep Puigdemont2015-08-141-5/+7
| | | | | | | Make DEFAULT_POLICY and DEFAULT_ENFORCING configurations more flexible. Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* selinux-image: Add new image class to label the rootfs, use it for selinux ↵Philip Tricca2015-08-082-2/+2
| | | | | | | images. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* policycoreutils: Patch setfiles to add FTS_NOCHDIR to fts_flags.Philip Tricca2015-08-082-0/+26
| | | | | Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: update base refpolicy to git repoShrikant Bobade2015-08-071-0/+48
| | | | | | | | A simple forward-port of refpolicy-minimum to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-standard: update base refpolicy to git repoShrikant Bobade2015-08-071-0/+8
| | | | | | | | A simple forward-port of refpolicy-standard to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-mls: update base refpolicy to git repoShrikant Bobade2015-08-071-0/+10
| | | | | | | | A simple forward-port of refpolicy-mls to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-mcs: update base refpolicy to git repoShrikant Bobade2015-08-071-0/+11
| | | | | | | | A simple forward-port of refpolicy-mcs to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-targeted: update base refpolicy to git repoShrikant Bobade2015-08-071-0/+20
| | | | | | | | A simple forward-port of refpolicy-targeted to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy git: rebase patches with code baseShrikant Bobade2015-08-075-77/+74
| | | | | | | | | During forward-port of these patches from refpolicy 20140311, requires rebase with the refpolicy git repos head master code base,in order to resolve the patch conflicts. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy git: update refpolicy to git repositoryShrikant Bobade2015-08-0744-0/+1976
| | | | | | | | | | | | | | | | A straight update from refpolicy 2.20140311 to refpolicy git repository for the core policy variants and forward-porting of policy patches as appropriate. This approach is useful for building refpolicy & refpolicy-contrib directly from the git repos, rather than release tarballs. It helps to check the refpolicy based on source commits by just updating the git repo rev. as appropriate in refpolicy_git.inc ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-minimum: update base refpolicy 20141203Shrikant Bobade2015-08-071-0/+48
| | | | | | | | A simple forward-port of refpolicy-minimum to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-standard: update base refpolicy 20141203Shrikant Bobade2015-08-071-0/+8
| | | | | | | | A simple forward-port of refpolicy-standard to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-mls: update base refpolicy 20141203Shrikant Bobade2015-08-071-0/+10
| | | | | | | | A simple forward-port of refpolicy-mls to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-mcs: update base refpolicy 20141203Shrikant Bobade2015-08-071-0/+11
| | | | | | | | A simple forward-port of refpolicy-mcs to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-targeted: update base refpolicy 20141203Shrikant Bobade2015-08-071-0/+20
| | | | | | | | A simple forward-port of refpolicy-targeted to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy 20141203: rebase patches with code baseShrikant Bobade2015-08-075-78/+73
| | | | | | | | | During forward-port of these patches from refpolicy 2014120311, requires rebase with the refpolicy 20141203 code base, in order to resolve the patch conflicts. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: update refpolicy to 20141203 releaseShrikant Bobade2015-08-0744-0/+1974
| | | | | | | | | | A straight update from refpolicy 2.20140311 to 2.20141203 for the core policy variants and forward-porting of policy patches as appropriate. ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: correct SELINUX_DEVEL_PATHWenzong Fan2015-08-071-1/+9
| | | | | | | | | The sepolgen.conf should be installed with devel package to correct the default value of SELINUX_DEVEL_PATH, Makefile will be searched from that path while building policies on target. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-04 13:01:02 +0000