We add pam conf files for login/sshd to use pam_selinux module. When
selinux is not in DISTRO_FEATURES, pam-plugin-selinux would not be
built, this will cause runtime errors to not allow users to login in
on the console or ssh.
Use @target_selinux() to enable these pam conf files conditionally.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Default audit Makefile will generate native executables in lib/ and
auparse/, which are named as gen_*_h and run on the hosts to create
*_tables.h/*tabs.h header files for the targets.
This is inappropriate for our cross compiling because they need
linux-libc-headers from the host.
Even worse, on some old hosts, build will fail because some .h files
in the old linux-libc-headers (<= 2.6.29) has incomplete DEFINE lists
for the audit system.
So add *tables.h/*tabs.h header files which are generated from
linux-libc-headers-3.4, and do not generate and run those native
executables.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Some binaries in base_sbindir have libcap-ng.so* depends, so move
libcap-ng.so* to avoid QA warnings.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
We still miss some rules for nfsd to bind on nfs ports, so add a patch
to fix this. oe-core changed nfsd to use portmap, so also fix file
contexts for portmap.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
rndc.key would be labeled with wrong named_zone_t inherited from
/etc/bind while creating, so restorecon on it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Native swig will read datas from hard-coded SWIGLIB or the same
environment variable.
While using sstate, the hard-coded SWIGLIB will point to the project
that create original sstates. This would cause build issues, so add
a wrapper to set the environment variable SWIGLIB to a relative path
on current sysroot.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Some files of bind are not installed to default pathes, fix the
security contexts for these files.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
/var/cache is a symlink in poky, so we need allow rules for files to
read lnk_file while doing search/list/delete/rw.. in /var/cache/
directory.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Target package policycoreutils-sandbox always needs libcgroup and
libcap-ng, so it should not be conditional.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Backport configure option with-selinux from master. If the feature
selinux is enabled, sed should depend on iti; Otherwise sed doesn't
need to depend on selinux at all.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
PYTHON_LDFLAGS is considered as the full path of libpython2.7.so,
dirname of the .so file will be expanded into -L<DIR>. As a result,
current PYTHON_LDFLAGS cause this compile result:
${CC} ... -L-LXXX/tmp/sysroots/qemux86-64/usr/lib64
-L-lapol -lqpol -o _sesearch.so
So "-lapol" is ignored, fix this.
CQID: WIND00400717
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Two patches to fix these two issue:
* Current policy has incomplete allow rules for selinux utils to
manage selinux config files and policy store.
* auditd_log_t(/var/log/audit/audit.log) is also placed in
var_log_t, so add related rules.
CQID: WIND00396415
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
audit admin tools and daemons should install to base_sbindir, so
they can get correct security labels after selinux restorecon
command.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
--with-selinux is consided as unrecognized option while
do_configure, so change it to --enable-selinux,
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core adds a exit handler to rw python command history file
(~/.python-history). There are no allow rules for every user&role
to use create/read/write ~/.python-history, and it is also
improper to add rules because these rules would blow up the
user&role's scope of authority.
So disable the handler, if selinux enabled.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add user_tty_device_t as a customizable_type, so that restorecon -R
/dev will not complain about it or modify the security labels.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
In meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if there are same commands provided
by other packages.
passwd -> passwd.tinylogin
-> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add bbclasses only for target packages to enable selinux support,
not native/nativesdk/cross/crosssdk pacakges.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
