CQID: 418197
Reference /usr/sbin instead of the directory into which
the script is installed on the host.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
CQID: 428272
The audit build uses swig to generate a python wrapper.
Unfortunately, the swig info file references host include
directories. Some of these were previously noticed and
eliminated, but the one fixed here was not.
Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Also fix ALLOW_EMPTY, oe-core does not allow ALLOW_EMPTY w/o a package
name.
Adjust references in core-image-selinux to the new packagegroup filename.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
This reverts commit d46e88abb6e1f7b0228c30c98ba4fb739e63cda3.
In d46e88ab, run_init will not use open_init_pty as Redhat did. Our
old refpolicy still does no work well with this, and make init scripts
fail to start so revert it.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
96cedb will cause wrong security contexts for /dev/ while using
MLS type of old refpolicy, so revert it.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
This reverts upstream libpcre commits.
libselinux 2.1.12 uses libpcre to do file path matching instead of glibc
regex. Because there are some differences between glibc regex and pcre
functions, this will cause wrong security contexts for files while using
old refpolicy.
This patch should be dropped while refpolicy is upreved to 2.20120725+.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
The flag: -Wno-unused-but-set-variable isn't supported on older
versions of gcc such as gcc-4.1.2 which is the native compiler for
RHEL-5.9. Drop this warning flag for both the native and target builds.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
The flag: -Wno-unused-but-set-variable isn't supported on older
versions of gcc such as gcc-4.1.2 which is the native compiler for
RHEL-5.9. I've droped this warning flag for both the native and target builds.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
select_context param for pam_selinux module attempt to ask the user
for a custom security context role while login.
Admins and linux distros hardly use this param to the pam configs,
because this adds a new step in login process, and users could use
"newrole" command instead after login in.
Moreover, this is totally unnecessary for policy types without
multiple roles.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Upreved packages:
- checkpolicy to 2.1.11
- libselinux to 2.1.12
- libsemanage to 2.1.9
- libsepol to 2.1.8
- policycoreutils to 2.1.13
- sepolgen to 1.1.8
Misc changes:
- libselinux has a new depend for libpcre
- drop patches that new version merged
- set PR to r0 for new version
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
We add pam conf files for login/sshd to use pam_selinux module. When
selinux is not in DISTRO_FEATURES, pam-plugin-selinux would not be
built, this will cause runtime errors to not allow users to login in
on the console or ssh.
Use @target_selinux() to enable these pam conf files conditionally.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Default audit Makefile will generate native executables in lib/ and
auparse/, which are named as gen_*_h and run on the hosts to create
*_tables.h/*tabs.h header files for the targets.
This is inappropriate for our cross compiling because they need
linux-libc-headers from the host.
Even worse, on some old hosts, build will fail because some .h files
in the old linux-libc-headers (<= 2.6.29) has incomplete DEFINE lists
for the audit system.
So add *tables.h/*tabs.h header files which are generated from
linux-libc-headers-3.4, and do not generate and run those native
executables.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core 9e64079063fc4748b48eee0e2592caf8ba9de10e has split ${B} of
findutils into a different path from ${S}, this would cause build
failures.
.../findutils/4.4.2-r6.5/temp/run.do_configure.25396:
line 87: ./import-gnulib.sh: No such file or directory
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Some binaries in base_sbindir have libcap-ng.so* depends, so move
libcap-ng.so* to avoid QA warnings.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
We still miss some rules for nfsd to bind on nfs ports, so add a patch
to fix this. oe-core changed nfsd to use portmap, so also fix file
contexts for portmap.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
rndc.key would be labeled with wrong named_zone_t inherited from
/etc/bind while creating, so restorecon on it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Native swig will read datas from hard-coded SWIGLIB or the same
environment variable.
While using sstate, the hard-coded SWIGLIB will point to the project
that create original sstates. This would cause build issues, so add
a wrapper to set the environment variable SWIGLIB to a relative path
on current sysroot.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Some files of bind are not installed to default pathes, fix the
security contexts for these files.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
/var/cache is a symlink in poky, so we need allow rules for files to
read lnk_file while doing search/list/delete/rw.. in /var/cache/
directory.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Target package policycoreutils-sandbox always needs libcgroup and
libcap-ng, so it should not be conditional.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
