dhcp 4.3 has no selinux related configuration options, but it needs the
correct initscript when SELinux is enabled, so inherit selinux, not
inherit with-selinux
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
dhcp 4.3 has no selinux related configuration options, but it needs the
correct initscript when SELinux is enabled, so inherit selinux, not
inherit with-selinux
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Based on oe-core commit:
commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
Author: Otavio Salvador <otavio@ossystems.com.br>
Date: Thu Apr 24 15:59:20 2014 -0300
Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to not
use it in OE-Core so we can remove it from base metadata in future.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Original refpolicy install compressed policy modules to policy store,
but leave datadir ones uncompressed. After, a "compressed_policy" distro
feature is added for compressing the datadir ones.
This simple mechanism is unworthy for a distro feature, just clear it
and use compressed policy modules by default.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Original prepare_policy_store() has a naming bug for
compressed_policy, fix that and let prepare_policy_store() back.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Now that the updated refpolicy core variants are available, remove the
previous recipe and patches.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
A simple forward-port of refpolicy-targeted to use the 20140311 base
refpolicy. Now that the updated refpolicy core variants are available,
remove the previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
A straight update from refpolicy 2.20130424 to 2.20140311 for the core
policy variants and forward-porting of policy patches as appropriate. Now
that the updated refpolicy core variants are available, remove the
previous recipe.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Based on oe-core commit:
commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
Author: Otavio Salvador <otavio@ossystems.com.br>
Date: Thu Apr 24 15:59:20 2014 -0300
Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to not
use it in OE-Core so we can remove it from base metadata in future.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Trac has been turned off on OSS. Update all SRC_URI links for the
userspace components to point at the github project releases. The github
releases also have a slightly different directory structure in the
tarballs, requiring an update of the checksums as well.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Split do_install() to:
+ prepare_policy_store()
+ rebuild_policy()
+ install_misc_files()
This allows to make partial change to do_install() instead of re-write
it totally from specific refpolicy bb file.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions,
and executes programs in a way that changes the relationship between the
setuid system call and the getresuid saved set-user-ID value, which makes
it easier for local users to gain privileges by leveraging a program that
mistakenly expected that it could permanently drop privileges.
Pick a patch from below link to address the CVE-2014-3215.
https://bugzilla.redhat.com/attachment.cgi?id=829864
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Adapted from the original patch submitted to meta-oe for swig 2.0.12.
OE-core commit 5870bd272b0b077d0826fb900b251884c1c05061 sabotaged the
binconfig way.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
There are two versions of gnupg so limit the wildcard to the 2.x series
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
dhcp-server fails to start with avc denied error:
avc: denied { read } for pid=571 comm="dhcpd" \
name="dhcpd.leases" dev="hda" ino=63911 \
scontext=system_u:system_r:dhcpd_t:s0-s15:c0.c1023 \
tcontext=system_u:object_r:dhcp_state_t:s0 tclass=file
The type for dhcpd.leases is not correct, just fix it before dhcp-
server started.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
devpts use file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of expected systemlow(s0).
This will block login shells to search PTYs, so use restorecon to fix
this.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Start point to make SELinux specific changes in devpts.sh, copied from
oe-core layer.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
The file contexts for /run is incorrect while running checkroot.sh
in boot time which causes mount fail to create new dir and file
in /run, so restore the security contexts in it.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The default kernel is now 3.14. Since the removal of PRINC support leaves
the 3.10 recipe in a difficult-to-work-with state, now seems like a good
time to move to the new kernel.
Signed-off-by: Joe MacDonald <joe@deserted.net>
Bump up PR and remove PRINC. Set it to something suitably large that it's
unlikely to break anyone's package feed and so that it shows it's clearly
an exception case. Obviously this is just a staging activity until the
next update when we don't include anything of the sort.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
