Bring in a patch from https://github.com/vorlonofportland/setools,
commit id 790d7a538f515d27d2390f1ef56c9871b107a346.
Fixes an issue where setools fails with:
error: '%04zd' directive output may be truncated writing between 4 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
snprintf(buff, 9, "@ttr%04zd", i + 1);
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
The functional call may not always work as specified, be sure to include the
() to make sure the shell knows this is a function.
Also add both findutils and grep as necessary for fixfiles to run properly
in a minimal environment. Busybox is not adequate at this time.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Resolve warning:
${COREBASE}/LICENSE is not a valid license file, please use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM.
Also remove the obsolete PR number.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
We want to give the users some basic information to be able to run the
compiled system with SE Linux enabled, but not in enforcing mode. This will
allow a knowledgable user to update the reference policy for their
configuration.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends. This prevents the
signature from being modified.
Also remove PR changes, as they are no longer allowed.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Remove distros, instead of specifying an oe or poky example distribution,
we are moving to enabling the components using DISTRO_FEATURES. This will
make it easier for a user to enable selinux on a custom distribution, or on
a project specific basis.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
SETools v4 is a rewrite of SETools in Python, details refer to:
https://github.com/TresysTechnology/setools/wiki/Changes-Since-SETools-v3
Changes for upreving:
* removed setools_3.3.8.bb and all useless patch
* add patches to fix cross-compiling issues:
- setools4-fixes-for-cross-compiling.patch
- setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Per discussion w/ Wenzong, added meta-python as a dependency and enabled
the RDEPENDS within the new setools_4.1.1.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Those tools have been moved from policycoreutils to semodule-utils:
semodule_deps, semodule_expand, semodule_link, semodule_package
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Remove setools from DEPENDS/RDEPENDS, it was required by sepolicy,
sepolgen, semanage which have been moved to python/*.
Rebase patch:
- policycoreutils-fixfiles-de-bashify.patch
Drop useless patch:
- policycoreutils-loadpolicy-symlink.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Move policycoreutils/gui to gui and cleanup policycoreutils.inc.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Move policycoreutils/sepolicy/dbus to dbus.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Move policycoreutils/sandbox to sandbox:
* Move and rebase patch:
- policycoreutils-sandbox-de-bashify.patch
* Cleanup policycoreutils.inc
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Move policycoreutils/restorecond to restorecond:
* Move and rebase patch:
- policycoreutils-make-O_CLOEXEC-optional.patch
* Cleanup policycoreutils_2.7.bb.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
The package has been moved to selinux-python/sepolgen.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Uprev the recipe file as is.
Some packages have been moved out from policycoreutils, they will be
added as new packages and the policycoreutils.inc need to be cleaned
up from later commits accordingly.
Moved packages:
From: To:
- policycoreutils/gui gui
- policycoreutils/mcstrans mcstrans
- policycoreutils/restorecond restorecond
- policycoreutils/sandbox sandbox
- policycoreutils/sepolicy/dbus dbus
- policycoreutils/semodule_deps semodule-utils/semodule_deps
- policycoreutils/semodule_expand semodule-utils/semodule_expand
- policycoreutils/semodule_link semodule-utils/semodule_link
- policycoreutils/semodule_package semodule-utils/semodule_package
- policycoreutils/semanage python/semanage
- policycoreutils/audit2allow python/audit2allow
- policycoreutils/sepolgen-ifgen python/audit2allow/sepolgen-ifgen
- policycoreutils/sepolicy python/sepolicy
- policycoreutils/scripts/chcat python/chcat
Released package list refer to:
https://github.com/SELinuxProject/selinux/wiki/Releases
Cleanup the patch file that have been removed in 2.6:
- policycoreutils-fts_flags-FTS_NOCHDIR.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Remove patch that included by new version:
- checkpolicy-Do-not-link-against-libfl.patch
Specify LIBSEPOLA to fix build error:
make[1]: *** No rule to make target `/usr/lib/libsepol.a'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update checkpolicy_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Remove patches that included by new version:
- 0001-libsemanage-simplify-string-utilities-functions.patch
- 0002-libsemanage-add-semanage_str_replace-utility-functio.patch
- 0003-libsemanage-genhomedircon-drop-ustr-dependency.patch
- 0004-libsemanage-remove-ustr-library-from-Makefiles-READM.patch
- libsemanage-fix-path-len-limit.patch
Rebase patch:
- libsemanage-allow-to-disable-audit-support.patch
Set PYCEXT and PYSITEDIR to generate the _semanage.so and install it
to ${libdir}/python${PYTHON_BASEVERSION}/site-packages.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update libsemanage_git to match.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Specify LIBSEPOLA to fix build error:
make[1]: *** No rule to make target `/usr/lib/libsepol.a',
needed by `python-2.7audit2why.so'. Stop.
Add python-importlib to RDEPENDS_${PN}-python.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update libselinux_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
The PACKAGECONFIG and related settings are in oe-core. Doing it here will
trigger a bug related to lack of 'initscripts-sushell' rdepends.
based on the change:
From: Jackie Huang <jackie.huang@windriver.com>
The selinux PACKAGECONFIG is properly handled in
the recipe in oe-core, no need to inherit the
enable-selinux bbclass.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
When selinux is enabled, a file has a default attribute
"security.selinux" and the output of getfattr shows:
# file: here
security.selinux="system_u:object_r:lib_t:s0"
That always causes more output of command getfattr than expected.
Filter out selinux related attribute info, and if the file has only
selinux attribute info, remove its whole output.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
auditd.service should be packaged in 'auditd' instead
of 'audit' since the required binaries and config files
are all in 'auditd'.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Use the 'i' option for restorecon command to ignore the files that
don't exist when building project.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Underscore ("_") should be used for variable overrides.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
The patch fixes the login fails for ssh -o Batchmode=yes when passwords is
empty and without authorized_keys file even if set "PermitEmptyPasswords yes"
in sshd_config file.
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Changed in V5:
Let the subject more clear.
Changed in V4:
Make the comments more clear.
Changed in V3:
Rebase the patch on the latest master branch.
Delete the does not exist files when run task do_package.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
The targeted, mls and minimum recipes had fallen far behind the upstream
refpolicy repository. Refresh all patches and discard ones that are
obviously no longer needed. This should not have any functional change on
the policies.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
selinux images attempt to label the filesystem image at creation time.
This depends on a native setfiles, though, which isn't guaranteed to be
present without the DEPEND addition.
If the 'setfiles' call fails, that shouldn't be fatal, though, it can
always be run at first boot time, as is commonly done with desktop and
server distros.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Fixing labels after local-fs.target to make sure all mounted
filesystems labeled correctly.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
The behavior of b{zip,unzip}2 an vary from host to host with
regards to a number of things such as return value or permissions.
We should always use the native bzip2 package to keep the behavior
deterministic. This change prevents a warning at do_package_qa
task of refpolicy-mls package.
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Use the upstream patches to remove the dependency on ustr which no
longer builds with new versions of GCC and the author is unresponsive
and the site hosting the code is down.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Not intended as a final patch, this is just a quick hack for master-next
to enable building meta-selinux on current yocto base images.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Fixed:
msgfmt -o af.mo af.po
make[1]: msgfmt: Command not found
make[1]: *** [af.mo] Error 127
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Fixed:
swig -Wall -python -o semanageswig_wrap.c -outdir ./ semanageswig_python.i
make[1]: swig: Command not found
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
