Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
--with-selinux is consided as unrecognized option while
do_configure, so change it to --enable-selinux,
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
In meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if there are same commands provided
by other packages.
passwd -> passwd.tinylogin
-> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Symlink can not execute will security contexts, so create script
wrappers for tinylogin commands instead of symlinks.
Also add tinylogin's login command as a alternative.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Poky/oe-core has set CONFIG_DEVTMPFS_MOUNT=y for kernel to mount
/dev with devtmpfs itself.
With MLS policy, kernel is running in s15:c0.c1023 level, so /dev
will be relabeled to this high level too.
This will cause processes running with low levels can not visit
/dev directory.
So, we just run restorecon /dev to fix this.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
populate-volatile.sh creates new directories in /var/volatile/ while
booting, so we should restore the security contexts in it.
Also touch /var/log/lastlog to set correct security contexts.
populate-volatile.sh is imported for oe-core, and add these two
lines at the end.
touch /var/log/lastlog
test ! -x /sbin/restorecon || /sbin/restorecon -R /var/volatile/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
add libcgroup recipe from meta-openembedded/meta-oe
as of commit: 902ed05dfca3ce2b98fc9e3a4cafdee956130df7
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
As we have specified "-e MAKEFLAGS= " to make, environment
variables will override variables in the top makefile but not
subdir makefiles.
Current bb uses sysvinit-xxx/src as ${B}, the environment variable
CPPFLAGS would override all "CPPFLAGS" lines in
sysvinit-xxx/src/Makefile. Such as "CPPFLAGS+= -DACCTON_OFF",
"CPPFLAGS += $(SELINUX_DEF)" and "CPPFLAGS += -DINIT_MAIN".
This causes some sections(#ifdef INIT_MAIN/WITH_SELINUX ... #endif)
will never be used.
