Config snippets should be used over file overrides since targeted
changes may be required in multiple recipes.
Since the oe-core sshd_config file now includes
/etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet
does not require the following:
* ChallengeResponseAutnetication: Replaced by
KbdInteractiveAuthentication and set to "no" by default
* Override default of no subsystems: This is already present
* Compression, ClientAliveInterval, and ClientAliveCountMax: No changes
required due to identical requirements of meta-selinux
Testing process:
* Pulled modified meta-selinux layer into Poky and included openssh
* Built core-image-sato and ran via qemu
* Verified /etc/ssh was as expected with an ssh_config.d directory with
the new selinux config snippet inside
* Verified system was including selinux config modification by running
sshd -T
Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Levi Shafter <lshafter@21sw.us>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This file is not needed anymore as bind daemon will create them by
itself.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
There are some redundant classes: enable-selinux.bbclass,
with-selinux.bbclass, meson-enable-selinux.bbclass,
meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass.
These classes only add PACKAGEOCNFIG[selinux]/[audit] to recipes. But
currently most recipes have added PACKAGECONFIG[selinux]/[audit] in
their bb files. We don't need these anymore. Only keep
enable-selinux.class and enable-audit.class to append
PACKAGECONFIG[selinux]/[audit] for recipes.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Install volatiles file as 04_bind rather than volatiles.04_bind.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Update sshd_config based on openssh 7.9p1. Drop the deprecated option
UsePrivilegeSeparation
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
After upgrade to 4.14.1, iproute2 changes it way to create configure output
file config.mk which is also renamed from 'Config'. With RSS, the workaround
for iproute2 is not needed any more.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends. This prevents the
signature from being modified.
Also remove PR changes, as they are no longer allowed.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
The patch fixes the login fails for ssh -o Batchmode=yes when passwords is
empty and without authorized_keys file even if set "PermitEmptyPasswords yes"
in sshd_config file.
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
iproute2 calls command pkg-config to check whether libselinux exists
then enable or disable selinux support. That makes packageconfig doesn't
work.
The packageconfig selinux is set by checking whether distro feature
selinux exists in with-selinux.bbclass. Modify the configure result file
with same criteria.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
oe-core commit:
a162416119ec9deee9fef53455d1281abe573681
dhcpd: create dhcpd user for dhcp dameon
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on
libselinux, but it isn't a build dependency, missing libselinux in DEPENDS
or PACKAGECONFIG? [build-deps]
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
dhcp 4.3 has no selinux related configuration options, but it needs the
correct initscript when SELinux is enabled, so inherit selinux, not
inherit with-selinux
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
dhcp-server fails to start with avc denied error:
avc: denied { read } for pid=571 comm="dhcpd" \
name="dhcpd.leases" dev="hda" ino=63911 \
scontext=system_u:system_r:dhcpd_t:s0-s15:c0.c1023 \
tcontext=system_u:object_r:dhcp_state_t:s0 tclass=file
The type for dhcpd.leases is not correct, just fix it before dhcp-
server started.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Define audit related parameters, but do not enable
audit support by default.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
We add pam conf files for login/sshd to use pam_selinux module. When
selinux is not in DISTRO_FEATURES, pam-plugin-selinux would not be
built, this will cause runtime errors to not allow users to login in
on the console or ssh.
Use @target_selinux() to enable these pam conf files conditionally.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
rndc.key would be labeled with wrong named_zone_t inherited from
/etc/bind while creating, so restorecon on it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
"-Wa,--noexecstack" will mark objects as requiring executable stack,
this is a dangerous CFLAG and would cause security issues.
So disable it as most distros did.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sshd_config file from oe-core to set "UsePAM yes".
sshd file (pam config for sshd) from oe-core to add pam_selinux module.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
