[ CQID: WIND00425413 ]
pam.d/login refered to the /etc/default/locale env file.
This file is not used in oe-core/Poky.
Remove the this reference to avoid error messages in auth.log.
Signed-off-by: Qiang Chen <qiang.chen@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore context if the file' type is correct, even its
mcs/mls level is incorrect.
We should force it always to restore file contexts in initscripts to
avoid issues.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
If acl is a distro feature, we want to depend
on it. Note that without the xattrs patch, tar
cannot deal with acl information.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
select_context param for pam_selinux module attempt to ask the user
for a custom security context role while login.
Admins and linux distros hardly use this param to the pam configs,
because this adds a new step in login process, and users could use
"newrole" command instead after login in.
Moreover, this is totally unnecessary for policy types without
multiple roles.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
We add pam conf files for login/sshd to use pam_selinux module. When
selinux is not in DISTRO_FEATURES, pam-plugin-selinux would not be
built, this will cause runtime errors to not allow users to login in
on the console or ssh.
Use @target_selinux() to enable these pam conf files conditionally.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core 9e64079063fc4748b48eee0e2592caf8ba9de10e has split ${B} of
findutils into a different path from ${S}, this would cause build
failures.
.../findutils/4.4.2-r6.5/temp/run.do_configure.25396:
line 87: ./import-gnulib.sh: No such file or directory
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sed-4.2.2 now has new configure option --with-selinux,
so inherit with-selinux bbclass.
Also, remove the patch since new version fix the issue.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sysklogd would create /dev/log and create log files in /var/log
with the default security contexts while starting.
So we should restore the correct security contexts.
The initscript file is from oe-core, and add these lines after
the start action.
test ! -x /sbin/restorecon || \
/sbin/restorecon -R /dev/log /var/log/
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
login should use pam_selinux module to label security contexts of
processes while login into system.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
[ CQID: WIND00365962 ]
Rather than following the approach in
findutils-with-selinux-gnulib.patch,
the import-gnulib configuration was
modified to enable fetching the latest updates
related to selinux support. Specifically,
selinux-at module is now in fetched in gnulib
in order for it be used by findutils if
selinux is enabled.
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
Current patches for selinux simply add selinux codes without
conditional switches.
And also, the gnulib patch is incomplete.
These will cause build failures while we include selinux layers but
do not specify selinux in DISTO_FEATURES.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
