Add file context for findfs alternative which is provided by util-linux.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Backport the following patches to fix systemd-resolved and
systemd-netowrkd policy issues:
systemd-systemd-resolved-is-linked-to-libselinux.patch
sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
systemd-add-file-transition-for-systemd-networkd-run.patch
systemd-add-missing-file-context-for-run-systemd-net.patch
systemd-add-file-contexts-for-systemd-network-genera.patch
systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Add RDEPENDS on python3-multiprocessing for selinux-python-sepolicy to
fix runtime error:
$ sepolicy
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 28, in <module>
from multiprocessing import Pool
ModuleNotFoundError: No module named 'multiprocessing'
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Use convert-spdx-licenses.py to update LICENSE names in recipes.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.
* Set POLICY_DISTRO from redhat to debian, which can reduce the amount
of local patches.
* Set max kernel policy version from 31 to 33.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
There are too many recipes in recipes-security/selinux. Keep the selinux
userspace recipes and move selinux scripts to selinux-scripts directory
to make the directory hierarchy clearer.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Add RDEPENDS on audit-python for selinux-python-semanage.
Fixes:
$ semanage fcontext -a -t user_home_t "/web(/.*)?"
Traceback (most recent call last):
File "/usr/sbin/semanage", line 975, in <module>
do_parser()
File "/usr/sbin/semanage", line 947, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 329, in handleFcontext
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
File "/usr/lib/python3.9/site-packages/seobject.py", line 2485, in add
self.__add(target, type, ftype, serange, seuser)
File "/usr/lib/python3.9/site-packages/seobject.py", line 2481, in __add
self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s"
% (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype],)
NameError: name 'audit' is not defined
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The sysvinit in oe-core has been upgraded to 3.0. Update the bbappend to
adapt it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This file is not needed anymore as bind daemon will create them by
itself.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
When enable meta-gplv2 layer [1], there comes below error:
ERROR: coreutils-6.9-r5 do_configure: QA Issue: coreutils: configure was passed unrecognised options: --without-selinux [unknown-configure-option]
ERROR: coreutils-6.9-r5 do_configure: Fatal QA errors found, failing task.
It's because the old version of coreutils under meta-gplv2 layer
doesn't support the above configure option, so move the related
pkgconfig setting to the coreutils recipe under oe-core [2] which
supports the configure option to fix the gap.
And the findutils and tar also have the problem.
[1] http://git.yoctoproject.org/cgit/cgit.cgi/meta-gplv2/
[2] https://git.openembedded.org/openembedded-core/
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
CVE-2021-36086:
The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission
(called from cil_reset_classperms_set and cil_reset_classperms_list).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-36086
Patch from:
c49a8ea095
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Disable native/nativesdk build as they don't work for a long time.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Simply adding EXTRA_OEMAKE doesn't work for selinux build. We need to
modify config files in do_configure.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The sysklogd has been updated to 2.2.3 in oe-core. Update the initscript
to adapt it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
There are some redundant classes: enable-selinux.bbclass,
with-selinux.bbclass, meson-enable-selinux.bbclass,
meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass.
These classes only add PACKAGEOCNFIG[selinux]/[audit] to recipes. But
currently most recipes have added PACKAGECONFIG[selinux]/[audit] in
their bb files. We don't need these anymore. Only keep
enable-selinux.class and enable-audit.class to append
PACKAGECONFIG[selinux]/[audit] for recipes.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This bbappend was added long time ago and it is useless now.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The content of the bbappend is already contained in logrotate recipe.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This bbappend was added long time ago and it is useless now.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The content of the bbappend is already contained in libcgroup recipe.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Currently there is no default refpolicy provider and the user must
specify it in local.conf. Set the default refpolicy provider to
refpolicy-targeted in case the user doesn't set it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
The util-linux has provided chfn and chsh since oe-core commit
804c6b5bd3d398d5ea2a45d6bcc23c76e328ea3f. Update the file context for
them.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Set LAYERSERIES_COMPAT with honister in layer.conf which aligns with
oe-core.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
* Merge inc file into bb file.
* Drop obsolete patches:
policycoreutils-make-O_CLOEXEC-optional.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
