devpts use file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of expected systemlow(s0).
This will block login shells to search PTYs, so use restorecon to fix
this.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Start point to make SELinux specific changes in devpts.sh, copied from
oe-core layer.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
The file contexts for /run is incorrect while running checkroot.sh
in boot time which causes mount fail to create new dir and file
in /run, so restore the security contexts in it.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Sync with the latest init file from poky as of 01262014:
oe-core commit: ae819671489a22bfdda11210ff620f564aa9b24b
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Oe-core has chnaged the udevadm path, current path will causes failure:
udevd[102]: starting version 182
/etc/rcS.d/S04udev: line 106: /usr/bin/udevadm: No such file or directory
Fix as oe-core commit: cc0f22cd1e93cc25647add1a3339e150572e4fce
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
Rename most recipes
Update a few recipes as needed:
* tar: Newer version has xattr and selinux support
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for commands so selinux could work fine.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Restoring from the dev-cache with selinux enforcing causes various
failures as devices are lacking, at a minimum, reasonable types and
attributes. If, on the other hand, we at least create the cache with
selinux and xattrs preserved and restored, we get significantly fewer
errors and warnings on boot and we can successfully restore the context
further down in init anyway. It still leaves some devices mislabeled,
though, and still produces warnings on boot.
Previous versions of the initscript removed all use of the dev-cache,
if need be, we fall back to that. It is possible to get the middle-ground
behaviour by defining use_udev_cache at the top of the udev initscript.
Signed-off-by: Joe MacDonald <joe@deserted.net>
[ CQID: WIND00424385 ]
Sync with the latest init file from poky as of 09172013. Changes include:
- adding /sbin/restorecon on start
- specifying full path for /sbin/udevadm
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
--with-selinux is consided as unrecognized option while
do_configure, so change it to --enable-selinux,
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
In meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if there are same commands provided
by other packages.
passwd -> passwd.tinylogin
-> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Symlink can not execute will security contexts, so create script
wrappers for tinylogin commands instead of symlinks.
Also add tinylogin's login command as a alternative.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y for kernel to mount
/dev with devtmpfs itself.
With MLS policy, kernel is running in s15:c0.c1023 level, so /dev
will be relabeled to this high level too.
This will cause processes running with low levels can not visit
/dev directory.
So, we just run restorecon /dev to fix this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
populate-volatile.sh creates new directories in /var/volatile/ while
booting, so we should restore the security contexts in it.
Also touch /var/log/lastlog to set correct security contexts.
populate-volatile.sh is imported for oe-core, and add these two
lines at the end.
touch /var/log/lastlog
test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
