Commit Graph

91 Commits

Mingli Yu
a8c55f9456 util-linux: move PACKAGECONFIG to oe-core
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=c57cc22fad708ac856ac4ebe0a42042031fbf90b

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-12-14 20:31:45 -05:00
Yi Zhao
08a2705c00 base-files: set correct label for /var/volatile
By default /var/volatile will be mounted with tmpfs_t instead of var_t
label, which will cause us to have to add some extra rules to eliminate
avc denials of some services.

Set rootcontext for /var/volatile in fstab to make sure it is mounted
with correct label.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-11-07 14:19:08 -05:00
Yi Zhao
aa46581a45 sysvinit: sync bbappend to 3.0
The sysvinit in oe-core has been upgraded to 3.0. Update the bbappend to
adapt it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-11-22 12:23:16 -05:00
Mingli Yu
4d2bb085d2 coreutils/findutils/tar: remove pkgconfig from bbappend
When enabling the meta-gplv2 layer [1], the following error occurs:
  ERROR: coreutils-6.9-r5 do_configure: QA Issue: coreutils: configure was passed unrecognised options: --without-selinux [unknown-configure-option]
  ERROR: coreutils-6.9-r5 do_configure: Fatal QA errors found, failing task.

This is because the old version of coreutils in the meta-gplv2 layer
doesn't support the above configure option, so move the related
pkgconfig setting to the coreutils recipe under oe-core [2], which
supports the configure option, to fix the gap.

findutils and tar also have the same problem.

[1] http://git.yoctoproject.org/cgit/cgit.cgi/meta-gplv2/
[2] https://git.openembedded.org/openembedded-core/

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-29 22:29:59 -04:00
Yi Zhao
31325005e4 classes: drop redundant classes
There are some redundant classes: enable-selinux.bbclass,
with-selinux.bbclass, meson-enable-selinux.bbclass,
meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass.
These classes only add PACKAGECONFIG[selinux]/[audit] to recipes. But
currently most recipes have added PACKAGECONFIG[selinux]/[audit] in
their bb files. We don't need these anymore. Only keep
enable-selinux.class and enable-audit.class to append
PACKAGECONFIG[selinux]/[audit] for recipes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29 21:34:22 -04:00
Yi Zhao
cad53c28de libcgroup: drop bbappend
The content of the bbappend is already contained in libcgroup recipe.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29 21:34:22 -04:00
Yi Zhao
654201e25d meta-selinux: convert to new override syntax
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux

Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-04 16:18:39 -04:00
Yi Zhao
f156bc995b initscripts: restore security contexts after running populate-volatile.sh
Some directories are created by populate-volatile.sh. We need to restore
their security contexts.

Before the patch:
$ ls -dZ /tmp /var/tmp /var/lock /var/run
system_u:object_r:root_t /tmp
system_u:object_r:var_t /var/lock
system_u:object_r:var_t /var/run
system_u:object_r:var_t /var/tmp

After the patch:
$ ls -dZ /tmp /var/tmp /var/lock /var/run
system_u:object_r:tmp_t /tmp
system_u:object_r:var_lock_t /var/lock
system_u:object_r:var_run_t /var/run
system_u:object_r:tmp_t /var/tmp

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-03-03 13:55:58 -05:00
Yi Zhao
43cb7c2d1b eudev: remove udev-cache and sync the initscript to latest oe-core version
The udev-cache has been removed in oe-core commit
048f4149b8438c521e8b65a3c96d850a9b4a3e5b. So we can also remove it.

Also sync the initscript to latest oe-core version.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2020-04-07 09:28:04 -04:00
Joe MacDonald
1e2fdbe71e clean up getVar() usage
83eac4de updated the usage of getVar() in classes/selinux.bbclass to
leave out the default expand parameter. This is consistent with the
usage in the core layers.

Bring all other calls to getVar() in the layer into alignment with this
approach.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2020-04-03 08:48:01 -04:00
hongxu
c64bc6070d sysvinit: sync bbappend to 2.96
Since oe-core upgrades sysvinit to 2.96, wildcard its bbappend and
drop the backported patch.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-12-19 11:03:51 -05:00
Yi Zhao
0c9ee0bcb7 util-linux: drop obsolete patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-29 13:52:53 -04:00
Yi Zhao
bb0c9c3abc glib-2.0: fix configure error for meson build
In glib 2.60.x, selinux has been turned into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meson-enable-selinux.bbclass for this change and inherit it in the
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-15 23:11:05 -04:00
Kai Kang
b69dad7299 busybox: disable PTEST_BINDIR
A new feature has been added in oe-core to use the update-alternatives
mechanism for ptest. But it conflicts with the current patch in
meta-selinux. So do not use this new feature for ptest when building with
selinux.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-18 07:30:28 -04:00
Kai Kang
eafe868098 meson-selinux.bbclass: add for meson build system
Add meson-selinux.bbclass for the meson build system. It uses
'-Dselinux=true/false' to enable/disable 'selinux' rather than
--enable-selinux or --with-selinux.

Inherit meson-selinux for glib-2.0 to fix the configure failure.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-03-25 09:43:53 +01:00
Yi Zhao
3fc792f7a5 libcgroup: replace _virtclass-native with _class-native
The _virtclass-native is obsolete. Replace it with _class-native.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-08-14 08:03:38 -04:00
Ioan-Adrian Ratiu
64122293d2 busybox: fix usrmerge install
If DISTRO_FEATURES contains usrmerge then busybox binaries are
installed under /usr/bin not /bin so use ${base_bindir} to support
both paths and avoid QA errors.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-08-13 11:20:32 -04:00
Wenzong Fan
5d203f9039 systemd: create /var/lib/systemd/backlight in advance
v2 changes:
* Update patch for Yocto Compat - don't change layer's hash

============================================

The systemd-backlight@.service, which is called after selinux-init.service,
will create /var/lib/systemd/backlight with incorrect security labels;
this causes the systemd-backlight service to fail to start and stop.

Create /var/lib/systemd/backlight in advance to make sure it can
always be relabelled by selinux-init on first boot.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-05-08 10:30:56 -04:00
Mark Hatle
4fefe83c32 Refactor to conform to YP Compat requirements
Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends.  This prevents the
signature from being modified.

Also remove PR changes, as they are no longer allowed.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2017-09-14 08:29:01 -05:00
Mark Hatle
232bfebc92 systemd: Remove inherit enable-selinux, obsolete
The PACKAGECONFIG and related settings are in oe-core.  Doing it here will
trigger a bug related to lack of 'initscripts-sushell' rdepends.

based on the change:

   From: Jackie Huang <jackie.huang@windriver.com>

   The selinux PACKAGECONFIG is properly handled in
   the recipe in oe-core, no need to inherit the
   enable-selinux bbclass.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2017-09-13 16:35:19 -05:00
Zhixiong Chi
827b305e04 initscripts: use the 'i' option for restorecon command
Use the 'i' option for the restorecon command to ignore files that
don't exist when building the project.

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2017-09-08 13:19:24 -05:00
Joe MacDonald
a5f71f180d eudev: remove explicit setenforce call in init
When using udev-cache, the eudev init script had been explicitly calling
'setenforce 1'. That's no longer necessary with updates to other parts of
eudev and the presence of the call prevented booting core-image-selinux*
systems in permissive mode.  Remove the call to allow permissive booting.

[YOCTO #7506]

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2016-10-27 10:51:41 -04:00
Shrikant Bobade
ad8800c114 eudev: add wildcard version
The eudev version in poky was updated from v3.1.5 to v3.2, so move it to
use a wildcard in order to fix the parsing error.

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2016-06-16 10:33:18 -04:00
Philip Tricca
1df7cefdbf udev: Rename udev bbappend to eudev.
Required by switch to eudev in oe-core. Dropping PR since this is
effectively a new recipe.

Signed-off-by: Philip Tricca <flihp@twobit.us>
2016-03-06 19:59:11 +00:00
Wenzong Fan
614b7a78e7 initscripts: fix contexts for /etc/resolv.conf, adjtime
Restore contexts for /etc/{resolv.conf, adjtime}; they are created
dynamically and the incorrect contexts may prevent some programs
from accessing them.

  /etc/resolv.conf: etc_t:SystemHigh -> etc_t:SystemLow
  /etc/adjtime:     etc_t:SystemHigh -> adjtime_t:SystemLow

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-08-07 16:11:54 -04:00
Wenzong Fan
77130536eb udev: restorecon /run to allow mdadm creating /run/mdadm
This change is based on the following factors during bootup:

a. the default type for /run is var_run_t;
b. the type for /run will be changed to tmpfs_t after tmpfs mounted;
c. the type for /run will be fixed after populate-volatile.sh run.

The udev service is started in the b->c period, so fix the type for /run
from the udev init script to remove:

  avc: denied { write } for pid=294 comm="mdadm" \
  name="/" dev="tmpfs" ino=10581 \
  scontext=system_u:system_r:mdadm_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-08-07 15:17:52 -04:00
Philip Tricca
0fb5f698ff coreutils: Use wildcard for version and remove PR.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-02-10 13:41:57 -05:00
Wenzong Fan
b20a26e14b systemd: fix dependencies for audit, selinux
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-01-12 11:51:56 -05:00
Wenzong Fan
073ce40add initscripts/devpts.sh: fix context for /dev/pts
devpts uses file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of the
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023) instead of the expected systemlow (s0).

This will block login shells from searching PTYs, so use restorecon to fix
this.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-06-23 11:48:36 +08:00
Wenzong Fan
f48a8184d0 initscripts: add a local copy of devpts.sh
Starting point for making SELinux specific changes in devpts.sh, copied from
the oe-core layer.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-06-23 11:48:16 +08:00
Xin Ouyang
4d27a65186 util-linux: Use wildcard for version number in bbappend.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-05-16 18:02:20 +08:00
Xin Ouyang
b18a8332b6 glib-2.0: Use wildcard for version number in bbappend.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-05-16 18:01:58 +08:00
Xin Ouyang
cd7a45f733 dbus: Use wildcard for version number in bbappend.
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-05-16 18:01:33 +08:00
Jackie Huang
368f65a475 initscripts/checkroot.sh: restore file contexts for /run
The file contexts for /run are incorrect while running checkroot.sh
at boot time, which causes mount to fail to create new directories and files
in /run, so restore the security contexts in it.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2014-05-09 08:59:54 -04:00
Wenzong Fan
bd3fb8a5cd udev init: restorecon for /dev/shm, /dev/pts
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2014-04-24 19:53:52 -04:00
Wenzong Fan
5596ca6e0e initscripts: always force to restore file contexts for /var/lib
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2014-04-24 19:53:41 -04:00
Philip Tricca
05a0c6c2d1 libcgroup: Use wildcard for version number in libcgroup bbappend.
Signed-off-by: Philip Tricca <flihp@twobit.us>

 create mode 100644 recipes-core/libcgroup/libcgroup_%.bbappend
 delete mode 100644 recipes-core/libcgroup/libcgroup_0.38.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
2014-02-12 19:15:32 -05:00
Philip Tricca
0e1d77dcc3 busybox: Use wildcard for version number in busybox bbappend.
Signed-off-by: Philip Tricca <flihp@twobit.us>

 create mode 100644 recipes-core/busybox/busybox_%.bbappend
 delete mode 100644 recipes-core/busybox/busybox_1.21.1.bbappend
Signed-off-by: Joe MacDonald <joe@deserted.net>
2014-02-12 19:15:31 -05:00
Wenzong Fan
3dc49f04c0 udev/init: sync to latest poky version ae819671
Sync with the latest init file from poky as of 01262014:

    oe-core commit: ae819671489a22bfdda11210ff620f564aa9b24b

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2014-01-26 17:43:13 +08:00
Jackie Huang
5a36af9f91 udev: remove explicit path to udevadm
oe-core has changed the udevadm path; the current path will cause a failure:
udevd[102]: starting version 182
/etc/rcS.d/S04udev: line 106: /usr/bin/udevadm: No such file or directory

Fix as in oe-core commit: cc0f22cd1e93cc25647add1a3339e150572e4fce

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
2014-01-23 18:00:08 +08:00
Mark Hatle
7cc4ee6c83 Resync to oe-core master Jan 10, 2014
Rename most recipes

Update a few recipes as needed:
* tar: Newer version has xattr and selinux support

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2014-01-10 13:55:59 -06:00
Philip Tricca
83081d1fdc glib-2.0: rename bbappend from 2.38.0 to 2.38.1
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-12-04 10:16:51 -05:00
Philip Tricca
ec09d839f9 glib-2.0: upgrade from version 2.36.4 to 2.38.0
Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-10-21 15:43:34 -04:00
Xin Ouyang
521ca9c9cf busybox: alternatives link to sh wrappers for commands
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.

 ~# ls -l /sbin/getty
 ..... /sbin/getty -> /bin/busybox.nosuid
 ~# ls -Z /bin/busybox.nosuid
 system_u:object_r:bin_t:s0 /bin/busybox.nosuid

Add sh wrappers for commands so selinux could work fine.

 ~# ls -l /sbin/getty
 ..... /sbin/getty -> /usr/lib/busybox/sbin/getty
 ~# ls -Z /usr/lib/busybox/sbin/getty
 system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
 ~# cat /usr/lib/busybox/sbin/getty
 #!/bin/busybox.nosuid

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-10-02 13:24:45 -04:00
Joe MacDonald
c7fc09794c udev/init: work around dev-cache restore problems
Restoring from the dev-cache with selinux enforcing causes various
failures as devices are lacking, at a minimum, reasonable types and
attributes.  If, on the other hand, we at least create the cache with
selinux and xattrs preserved and restored, we get significantly fewer
errors and warnings on boot and we can successfully restore the context
further down in init anyway.  It still leaves some devices mislabeled,
though, and still produces warnings on boot.

Previous versions of the initscript removed all use of the dev-cache;
if need be, we fall back to that.  It is possible to get the middle-ground
behaviour by defining use_udev_cache at the top of the udev initscript.

Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-10-02 13:24:45 -04:00
Mark Hatle
a43e03a87c udev/init: sync to latest poky version
[ CQID: WIND00424385 ]

Sync with the latest init file from poky as of 09172013.  Changes include:

	- adding /sbin/restorecon on start
	- specifying full path for /sbin/udevadm

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-10-02 13:24:45 -04:00
Xin Ouyang
c1dc285800 always force to restore file contexts in initscripts
In policycoreutils-2.13+, restorecon changes its default behaviour,
and does not restore the context if the file's type is correct, even if its
mcs/mls level is incorrect.
We should force it to always restore file contexts in initscripts to
avoid issues.

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2013-10-02 13:24:44 -04:00
Xin Ouyang
c12d8f5c52 util-linux: uprev to oe-core version 2.23.2
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2013-08-22 13:00:26 +08:00
Xin Ouyang
4e84186b90 glib-2.0: uprev to oe-core version 2.36.4
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2013-08-22 12:59:06 +08:00
Mark Hatle
a530caf828 dbus/glib-2.0/augeas/mesa: Rebase bbappends to oe-core 20130801
Rebase the bbappends to match the current oe-core versions.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2013-08-02 00:08:14 +00:00