Age | Commit message (Collapse) | Author |
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Add bbclasses only for target packages to enable selinux support,
not native/nativesdk/cross/crosssdk pacakges.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Create include files for selinux userspace packages:
* checkpolicy.inc
* libselinux.inc
* libsemanage.inc
* libsepol.inc
* policycoreutils.inc
* sepolgen.inc
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Fix the hard-coded security type for /dev/null and /dev/console.
Check rootfs if support xattrs before do relabel.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
libcgroup is placed in oe-core now.
http://git.openembedded.org/openembedded-core/commit/?id=6ef8e6f2f9b0583fa0881e0dfc52462405b21ede
So remove bb files from meta-selinux and add bbappend.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
et, gl, and id .po files contained no translations. This can cause
build errors. Delete those puppies.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
"-Wa,--noexecstack" will mark objects as requiring executable stack,
this is a dangerous CFLAG and would cause security issues.
So disable it as most distros did.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
This script will be installed as 0selinux-init, in runlevel S and
sequence number 0. It will start before any other init script.
* relabel /dev for restorecon/fixfiles running
* rebuild policy and relabel the rootfs if /.autorelabel placed.
* relabel the rootfs if it is first booting.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
oe-core has changed task-* recipes to packagegroup-*, so we should
follow this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Symlink can not execute will security contexts, so create script
wrappers for tinylogin commands instead of symlinks.
Also add tinylogin's login command as a alternative.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y for kernel to mount
/dev with devtmpfs itself.
With MLS policy, kernel is running in s15:c0.c1023 level, so /dev
will be relabeled to this high level too.
This will cause processes running with low levels can not visit
/dev directory.
So, we just run restorecon /dev to fix this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
sysklogd would create /dev/log and create log files in /var/log
with the default security contexts while starting.
So we should restore the correct security contexts.
The initscript file is from oe-core, and add these lines after
the start action.
test ! -x /sbin/restorecon || \
/sbin/restorecon -R /dev/log /var/log/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
populate-volatile.sh creates new directories in /var/volatile/ while
booting, so we should restore the security contexts in it.
Also touch /var/log/lastlog to set correct security contexts.
populate-volatile.sh is imported for oe-core, and add these two
lines at the end.
touch /var/log/lastlog
test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
login should use pam_selinux module to label security contexts of
processes while login into system.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Also fix missing RDEPENDS for setools-*
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
sshd_config file from oe-core to set "UsePAM yes".
sshd file (pam config for sshd) from oe-core to add pam_selinux module.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Patches are migrated or droped for new version.
* poky-fc-etc_init.d.patch: droped because file_contexts.subs_dist
is defined to instead.
* fix-mount-to-write-mountpoints-dirs.patch: droped because the
rules is not needed now.
* poky-fc-update-alternatives_sysvinit.patch: migrated.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
libcap-ng need native python while do_configure, and native swig
while do_compile, so add them.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
fixfiles in /sbin would run some /usr/bin binaries to cause these
QA warnings.
WARNING: Shell scripts in base_bindir and base_sbindir should not
reference anything in exec_prefix
Since fixfiles is installed into /sbin in most Linux distros,
changing this path may cause runtime errors for some hard coded
binaries.
So, disable unsafe-references-in-scripts QA checkes.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Rename two packages and change files in them.
* audit-libs -> audit : main package, for libraries
* audit -> auditd : for daemon binaries
Libraries are changed to install into ${base_libdir}.
The two fixes are used to fix QA issues and fit the Debian policy.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
The "Public Domain" license now has a common license file placed
as PD in Poky/oe-core, so fix this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
With new changes in oe-core, recipes which need python-native
should "inherit pythonnative".
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
If no pam DISTRO_FEATURE, policycoreutils should not build with
libpam headers and libraries.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
With new changes in oe-core, recipes which need python-native
should "inherit pythonnative".
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
eglibc-2.16 splits enum __socket_type from bits/socket.h to
bits/socket_type.h, so old eglibc does not have bits/socket_type.h
We should copy it only if it exists.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
The depends should be:
libsepol -> libselinux -> libsemanage -> rpm
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Fix this error:
===================
| mkdir -p /var/run/sepermit
| mkdir: cannot create directory `/var/run/sepermit': Permission denied
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
EXTRA_DEPENDS is still not null while building native packages,
this will add useless depends for libcap-ng&libcgroup&pam and
cause build errors.
So rewrite these DEPENDS.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Fix these warnings:
===================
WARNING: Variable get_git_policyconfigarch contains tabs, please remove
these(....)
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
We have copied some target kernel headers in 72fb6da. We may get
build failures because of missing bits/socket_type.h on some hosts,
so add it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
Add a suitable version of gnulib into SRC_URI, and run
import-gnulib.sh to update it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
|
[ CQID: WIND00365962 ]
Rather than following the approach in
findutils-with-selinux-gnulib.patch,
the import-gnulib configuration was
modified to enable fetching the latest updates
related to selinux support. Specifically,
selinux-at module is now in fetched in gnulib
in order for it be used by findutils if
selinux is enabled.
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
|