Age | Commit message (Collapse) | Author |
|
The _virtclass-native is obsolete. Replace it with _class-native.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
If DISTRO_FEATURES contains usrmerge then busybox binaries are
installed under /usr/bin not /bin so use ${base_bindir} to support
both paths and avoid QA errors.
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
v2 changes:
* Update patch for Yocto Compat - don't change layer's hash
============================================
The systemd-backlight@.service which called after selinux-init.service
will create /var/lib/systemd/backlight with incorrect security labels,
this causes the systemd-backlight service fails to start and stop.
Creating /var/lib/systemd/backlight in advance to make sure it could
always be relabelled by selinux-init while first booting.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends. This prevents the
signature from being modified.
Also remove PR changes, as they are no longer allowed.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
The PACKAGECONFIG and related settings are in oe-core. Doing it here will
trigger a bug related to lack of 'initscripts-sushell' rdepends.
based on the change:
From: Jackie Huang <jackie.huang@windriver.com>
The selinux PACKAGECONFIG is properly handled in
the recipe in oe-core, no need to inherit the
enable-selinux bbclass.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Use the 'i' option for restorecon command to ignore the files that
don't exist when building project.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
|
|
When using udev-cache, the eudev init script had been explicitly calling
'setenforce 1'. That's no longer necessary with updates to other parts of
eudev and the presence of the call prevented booting core-image-selinux*
systems in permissive mode. Remove the call to allow permissive booting.
[YOCTO #7506]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
eudev version at poky updated to v3.2 from v3.1.5, so moving it to use
wildcard in order to fix the parsing error.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Required by switch to eudev in oe-core. Dropping PR since this is
effectively a new recipe.
Signed-off-by: Philip Tricca <flihp@twobit.us>
|
|
Restore contexts for /etc/{resolv.conf, adjtime}, they are created
dynamically and the incorrect contexts maybe prevent some programs
from valid accessing.
/etc/resolv.conf: etc_t:SystemHigh -> etc_t:SystemLow
/etc/adjtime: etc_t:SystemHigh -> adjtime_t:SystemLow
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
This change bases on the factors during bootup:
a. the default type for /run is var_run_t;
b. the type for /run will be changed to tmpfs_t after tmpfs mounted;
c. the type for /run will be fixed after populate-volatile.sh run.
udev service is started in b->c period, fix the type for /run from
udev init script to remove:
avc: denied { write } for pid=294 comm="mdadm" \
name="/" dev="tmpfs" ino=10581 \
scontext=system_u:system_r:mdadm_t:s0-s15:c0.c1023 \
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
devpts use file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of expected systemlow(s0).
This will block login shells to search PTYs, so use restorecon to fix
this.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
Start point to make SELinux specific changes in devpts.sh, copied from
oe-core layer.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
The file contexts for /run is incorrect while running checkroot.sh
in boot time which causes mount fail to create new dir and file
in /run, so restore the security contexts in it.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-core/libcgroup/libcgroup_%.bbappend
delete mode 100644 recipes-core/libcgroup/libcgroup_0.38.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Philip Tricca <flihp@twobit.us>
create mode 100644 recipes-core/busybox/busybox_%.bbappend
delete mode 100644 recipes-core/busybox/busybox_1.21.1.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Sync with the latest init file from poky as of 01262014:
oe-core commit: ae819671489a22bfdda11210ff620f564aa9b24b
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
Oe-core has chnaged the udevadm path, current path will causes failure:
udevd[102]: starting version 182
/etc/rcS.d/S04udev: line 106: /usr/bin/udevadm: No such file or directory
Fix as oe-core commit: cc0f22cd1e93cc25647add1a3339e150572e4fce
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
|
|
Rename most recipes
Update a few recipes as needed:
* tar: Newer version has xattr and selinux support
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for commands so selinux could work fine.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Restoring from the dev-cache with selinux enforcing causes various
failures as devices are lacking, at a minimum, reasonable types and
attributes. If, on the other hand, we at least create the cache with
selinux and xattrs preserved and restored, we get significantly fewer
errors and warnings on boot and we can successfully restore the context
further down in init anyway. It still leaves some devices mislabeled,
though, and still produces warnings on boot.
Previous versions of the initscript removed all use of the dev-cache,
if need be, we fall back to that. It is possible to get the middle-ground
behaviour by defining use_udev_cache at the top of the udev initscript.
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
[ CQID: WIND00424385 ]
Sync with the latest init file from poky as of 09172013. Changes include:
- adding /sbin/restorecon on start
- specifying full path for /sbin/udevadm
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Rebase the bbappends to match the current oe-core versions.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
--with-selinux is consided as unrecognized option while
do_configure, so change it to --enable-selinux,
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
In meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if there are same commands provided
by other packages.
passwd -> passwd.tinylogin
-> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
oe-core has fixed this by commit
9a97367038a1e2431bf94211dabbc5aedbbee3bb
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|