| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
This dir is required for running command:
$ semanage permissive [OPTS]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Remove audit-for-cross-compiling.patch and disable-ldap.patch
since it it not needed anymore.
2) Modify audit-python-configure.patch audit-python.patch
fix-swig-host-contamination.patch,since configure.ac and
Makefile.am has been changed in 2.4.3
3) Warning Fix:
-WARNING: QA Issue: audit: configure was passed unrecognised options: --without-ldap [unknown-configure-option]
-WARNING: QA Issue: audit: Files/directories were installed but not shipped in any package
Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
There were no apparent bashisms in mcstrans.init, so remove the dependency
on bash.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
mcstransd is a daemon to translate SELinux MCS/MLS sensitivity labels,
policycoreutils includes mcstransd whose version is newer than that
from http://mcstrans.sourcearchive.com/
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: tprrt <tprrt@tupi.fr>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Fix the warning reporing that ${S} directory does not exist by pointing
S to ${WORKDIR}.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Move the 'enforcing' setting to the DEFAULT_ENFORCING variable to allow
one to override that setting in a bbappend file.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
This is to fix the following QA warning:
audit-2.3.2: auditd requires /bin/bash, but no providers in its RDEPENDS [file-rdeps]
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Both the fixfiles and sandbox utilities had dependencies on bash when they
didn't really need to. Update sandbox and patch fixfiles. ifgen is
python script, so ensure that python is listed as a runtime dependency.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
The audit service should be manually stopped with systemd.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
To add coreutils to packagegroup-core-selinux
inorder to get chcon avaibility.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
selinux-init.sh updated to reboot system
normally to fix the labelling during systemd
execution. Due to force reboot labelling won't
be proper and system continuously reboot to
label it like first time boot.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
An updated version of the patch to drop linking against libfl was
required.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
| |
Update to the latest stable release, 20140506.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on oe-core commit:
commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
Author: Otavio Salvador <otavio@ossystems.com.br>
Date: Thu Apr 24 15:59:20 2014 -0300
Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to not
use it in OE-Core so we can remove it from base metadata in future.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Original refpolicy install compressed policy modules to policy store,
but leave datadir ones uncompressed. After, a "compressed_policy" distro
feature is added for compressing the datadir ones.
This simple mechanism is unworthy for a distro feature, just clear it
and use compressed policy modules by default.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Original prepare_policy_store() has a naming bug for
compressed_policy, fix that and let prepare_policy_store() back.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Now that the updated refpolicy core variants are available, remove the
previous recipe and patches.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
| |
A simple forward-port of refpolicy-minimum to use the 20140311 base
refpolicy.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
| |
A simple forward-port of refpolicy-targeted to use the 20140311 base
refpolicy. Now that the updated refpolicy core variants are available,
remove the previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
A straight update from refpolicy 2.20130424 to 2.20140311 for the core
policy variants and forward-porting of policy patches as appropriate. Now
that the updated refpolicy core variants are available, remove the
previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
Trac has been turned off on OSS. Update all SRC_URI links for the
userspace components to point at the github project releases. The github
releases also have a slightly different directory structure in the
tarballs, requiring an update of the checksums as well.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Split do_install() to:
+ prepare_policy_store()
+ rebuild_policy()
+ install_misc_files()
This allows to make partial change to do_install() instead of re-write
it totally from specific refpolicy bb file.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions,
and executes programs in a way that changes the relationship between the
setuid system call and the getresuid saved set-user-ID value, which makes
it easier for local users to gain privileges by leveraging a program that
mistakenly expected that it could permanently drop privileges.
Pick a patch from below link to address the CVE-2014-3215.
https://bugzilla.redhat.com/attachment.cgi?id=829864
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
| |
Avoid policy_scan.c: No such file or directory
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix the avc denied issue:
type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2
The patch is backported from upstream
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
| |
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
For small policy modules it's not necessary to walk the hierarchy on load.
On embedded devices that are low-powered or resource-constrained disabling
the hierarchy processing can make the difference between seconds and
(many) minutes of load time (or being able to load the policy at all).
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix python error about:
File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log
message += " sename=" + sename
TypeError: cannot concatenate 'str' and 'NoneType' objects
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
The sepolicy, seobject modules raise many unprocessed ValueError, just
process them in semanage to make the script proivdes error message but
not error trace.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add initial version for setrans.conf:
- setrans-mls.conf: copied from \
policycoreutils/mcstrans/share/examples/default/setrans.conf
- setrans-mcs.conf: copied from radhat policy.
This fixes below issue:
$ chcat -L
IOError: No such file or directory: \
'/etc/selinux/$POLICY_NAME/setrans.conf'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Audit System Call needs kernel and user space support.
In user space it needs system call table for ARM. It also needs a
configure option --with-armeb for build audit. Audit system call also
needs enable kernel config CONFIG_AUDITSYSCALL.
Signed-off-by: Han Chao <chan@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
This SELinux policy would targeted most of service domains for lock
down, and users and admins will login in with unconfined_t domain.
So they would have the same access to the system as if SELinux was not
enabled, when running commands and services which are not targeted.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Various components were failing, and upon investigation it was noted
that the audit.rules file referenced by the initscript wasn't available.
There was however a copy under the rules.d directory. Investigating
the audit.spec file (which in the upstream source) showed that it was
expected that the version in the rules.d should be copied into
/etc/audit.
Do this and correct the systemd services file to use the same file.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
| |
The semanage utility requires python-compression (for "import gzip")
and python-xml (for "import xml.etree.ElementTree").
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
In policy_scan.l file, we have already removed all references to yywrap by
adding "%option noyywrap" statements to each flex source file that doesn't
override yywrap. After this, we no longer need to link against libfl and so
no longer get errors about undefined references to yylex.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
|
| |
The patch policycoreutils-revert-run_init-open_init_pty.patch
is only for refpolicy version older than 2.20120725, now the
refpolicy is updated to 2.20130424 so drop the patch or it
will make run_init fail to start some init scripts.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
|
|
|
|
| |
When modifying an selinux login record, seobject.py,
may try to log a value, self.sename, which has been preset to "None"
and this will fail. So, we set it to something useful.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
| |
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
