Add selinux-autorelabel to reset the SELinux label on the root
filesystem at boot time.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Install auditd which will help the users debug and eliminate the audit
logs on screen.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
When trying to build a minimal image (eg: without python), the default
user on autologin is not mapped to the intended user/role/domain:
# id -Z
system_u:system_r:kernel_t:s0
And the following error is displayed on autologin:
Unable to get valid context for <user>
While on an image built with the core-selinux packagegroup:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Adding selinux-init to the minimal package list fixes the issue.
This package does not seem to bring along additional dependencies.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Remove package semodule-utils-semodule-deps as it had been removed
upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Resolve warning:
${COREBASE}/LICENSE is not a valid license file, please use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM.
Also remove the obsolete PR number.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
In keeping with the approach of only providing a single default policy at
runtime, we were originally using a virtual/refpolicy dependency and
filling it with one of our specific refpolicy implementations. This works
well enough for some package systems, but fails for others (specifically
deb, possibly more).
Since the intent was to only have one present in the default image anyway,
we'll just throw out the 'virtual/' part of the RPROVIDES and related
dependencies across the board.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
we need policycoreutils-hll to insert custom policy module/package, without
it semodule install fail with error:
libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/
pp : No such file or directory
libsemanage.semanage_direct_commit: Failed to compile hll files into cil
files. (No such file or directory).
semodule: Failed!
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
With the virutal package there's no need for a separate recipe to build
the config. This can be generated and included as part of the policy
package.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
This allows us to provide a default policy through the
PREFERRED_PROVIDER mechanism for each of the example distro configs.
Consumers of meta-selinux will be able to override this at the config
level instead of having to depend on a specific policy package. We do
lose the ability install more than one policy package but this falls
in line with the embedded nature of the project.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Fixup DESCRIPTION in old selinux-init recipe.
Exclude this autorelabel script from the minimal packagegroup.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Remove selinux-init package from packagegroup-selinux-minimal.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
To add coreutils to packagegroup-core-selinux
inorder to get chcon avaibility.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
The policycoreutils package previously included most everything in
the base package. This packagegroup is intended to fill the role
of the old policycoreutils package and pull in all packages from the
policycoreutils recipe.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This is intended to demonstrate the minimal set packages necessary
to boot and load a system with SELinux enabled. Specifically we
don't need any of the packages that depend on python.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Also fix ALLOW_EMPTY, oe-core does not allow ALLOW_EMPTY w/o a package
name.
Adjust references in core-image-selinux to the new packagegroup filename.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
