When the read-only-rootfs feature (in IMAGE_FEATURES) is enabled, the
populate-volatile.sh script runs at build time. This compensates for the
fact that certain essential directories and files cannot be created at
runtime, since the root filesystem is read-only. This is handled in
oe-core's rootfs-postcommands.bbclass, in read_only_rootfs_hook.
However, initscripts-1.0_selinux.inc appends some shell code to
populate-volatile.sh considering it will be run in the target, not on
the host machine. So, if one uses both read-only-rootfs and selinux (in
DISTRO_FEATURES), the recursive call to restorecon is run in the host
machine, since populate-volatile.sh is called in build time. This leads
to errors such as:
| NOTE: Executing read_only_rootfs_hook ...
| DEBUG: Executing shell function read_only_rootfs_hook
| /sbin/restorecon: Could not read /var/lib/AccountsService/users: Permission denied.
| /sbin/restorecon: Could not read /var/lib/NetworkManager: Permission denied.
| /sbin/restorecon: Could not read /var/lib/bluetooth: Permission denied.
| /sbin/restorecon: Could not read /var/lib/chrony: Permission denied.
As a matter of fact, this scenario is a fair reminder not to call
bitbake with sudo.
This change makes sure the append is only performed if the
read-only-rootfs feature is not used.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add native support for libselinux-python
to fix build error for setools-native
ERROR: Nothing RPROVIDES 'libselinux-python-native'
(but virtual:native: meta-selinux/recipes-security/setools/setools_4.5.1.bb
RDEPENDS on or otherwise requires it)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Enable using setools native for analyzing
the built SELinux policy during the build.
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
For some distributions (e.g. Yocto) that do not provide
system-release/distribution-release file, libdnf can not get releasever
variable, causing conf.substitutions['releasever'] to not be set.
This will cause 'sepolicy generate' command to fail with the following
error on these distributions:
$ sepolicy generate --init /usr/local/bin/foo
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 702, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 569, in generate
mypolicy.gen_writeable()
File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1302, in gen_writeable
self.__extract_rpms()
File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1268, in __extract_rpms
base.read_all_repos()
File "/usr/lib/python3.12/site-packages/dnf/base.py", line 554, in read_all_repos
for repo in reader:
^^^^^^
File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 42, in __iter__
for r in self._get_repos(self.conf.config_file_path):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 109, in _get_repos
parser.setSubstitutions(substs)
File "/usr/lib/python3.12/site-packages/libdnf/conf.py", line 1643, in setSubstitutions
return _conf.ConfigParser_setSubstitutions(self, substitutions)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: in method 'ConfigParser_setSubstitutions', argument 2 of type 'std::map< std::string,std::string,std::less< std::string >,std::allocator< std::pair< std::string const,std::string > > > const &'
Set conf.substitutions['releasever'] to empty str if releasever is None.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* a6cf20736 filesystem, devices: move gadgetfs to usbfs_t
* 75492f95f systemd: make xdg optional
* 097d688ff sshd: label sshd-session as sshd_exec_t
* b57b6005c Setting bluetooth helper domain for bluetoothctl
* 30f451d6a Adding Sepolicy rules to allow pulseaudio to access
bluetooth sockets.
* 7037c341f systemd: allow logind to use locallogin pidfds
* 5f7f494d1 userdomain: allow administrative user to get attributes of
shadow history file
* 0126cb1e6 node_exporter: allow reading RPC sysctls
* 9c90f9f7d asterisk: allow reading certbot lib
* bfcaec9ba postfix: allow postfix pipe to watch mail spool
* 06a80c3d8 netutils: allow ping to read net sysctls
* 2e0509c9e node_exporter: allow reading localization
* 50a8cddd1 container: allow containers to execute tmpfs files
* 09a747a16 sysadm: make haproxy admin
* c8c3ae2cb haproxy: initial policy
* 4e97f87ce init: use pidfds from local login
* 7fd9032d8 dbus, init: add interface for pidfd usage
* a6d6921a9 asterisk: allow watching spool dirs
* 72c1d912f su, sudo: allow sudo to signal all su domains
* 8b3178248 sudo: allow systemd-logind to read cgroup state of sudo
* 871f0b0dd postfix: allow smtpd to mmap SASL keytab files
* 578375480 sysnetwork: allow ifconfig to read usr files
* 6916e9b20 systemd: allow systemd-logind to use sshd pidfds
* 96ebb7c4e Reorder perms and classes
* cb68df087 tests.yml: Add policy diff on PRs.
* 99258825c tests.yml: Divide into reusable workflows.
* 1e4b68930 Reorder perms and classes
Drop 0002-refpolicy-minimum-make-xdg-module-optional.patch and
0040-policy-modules-system-systemd-allow-systemd-logind-t.patch which
have been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Add selinux-autorelabel to reset the SELinux label on the root
filesystem at boot time.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* Allow auditctl to read symlink of var/log directory.
* Grant getpcap capability to syslogd_t.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern
* 1cbe455a5 device: Move dev_rw_uhid definition
* 7a33b4bc8 Sepolicy changes for bluez to access uhid
* c6dd4087d selinuxutil: make policykit optional
* 10feb47e5 newrole: allow newrole to search faillock runtime directory
* bf34d3e5e sysnetwork: fixes for dhcpcd
* 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon
to access unix stream sockets
* 27602a932 various: various fixes
* 63d50bbaa container, crio, kubernetes: minor fixes
* 11e729e27 container, podman: various fixes
* ef5954a0e systemd: allow systemd-sysctl to search tmpfs
* 472e0442e container: allow containers to getcap
* 7876e5151 container: allow system container engines to mmap runtime
files
* d917092a8 matrixd: add tunable for binding to all unreserved ports
* 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries
* ddf395d5d asterisk: allow binding to all unreserved UDP ports
* 3bad3696b postgres: add a standalone execmem tunable
* ef28f7879 userdom: allow users to read user home dir symlinks
* 03711caea dovecot: allow dovecot-auth to read SASL keytab
* cd781e783 fail2ban: allow reading net sysctls
* ddc6ac493 init: allow systemd to use sshd pidfds
* b9c457d80 files context for merged-usr profile on gentoo
* 5040dd3b6 Need map perm for cockpit 300.4
* 2ef9838db tests.yml: Add sechecker testing
* c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type
* 1c694125b certbot: Drop execmem
* 349411d55 xen: Drop xend/xm stack
* 2a261f916 Allow systemd to pass down sig mask
* 2577feb83 cups: Remove PTAL
* 5b02b44e5 xen: Revoke kernel module loading permissions
* 1c20c002c minissdpd: Revoke kernel module loading permissions
* 5671390e2 docker: Fix dockerc typo in container_engine_executable_file
* e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t
* 0f71792c8 uml: Remove excessive access from user domains on
uml_exec_t
* 511223e2d Set the type on /etc/machine-info to net_conf_t so
hostnamectl can manipulate it (CRUD)
* 72fc1b2a3 fix: minor correction in MCS_CATS range comment
* cbf56c8ae systemd: allow notify client to stat socket
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* 0aff1990e quote: read localization
* ab13c0421 getty: grant checkpoint_restore
* 3643773ae Update SOS report to work on RHEL9
* 523b279bd Setup domain for dbus selinux interface
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
`PACKAGEBUILDPKGD` was dropped in Yocto 4.2 and
`PACKAGE_PREPROCESS_FUNCS` should be used instead. The only requirement
for wrapper creation is that it is executed before any of the
`update-alternatives` hooks are executed. This continues to hold as the
call to `create_sh_wrapper_reset_alternative_vars` is prepended only
after the `update-alternatives` class has been inherited.
Additionally, this also fixes a race condition leading to
non-deterministic buildhistory entries in busybox's `sysroot` files.
The race condition was caused by the creation of the wrapper files
inside `D` (i.e. the image directory) which is also consumed by other
tasks such as `do_populate_sysroot` which may be executing in parallel
to `do_package`.
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Joe MacDonald <joe@deserted.net>
ChangeLog:
https://github.com/SELinuxProject/refpolicy/blob/main/Changelog
Notable Changes:
Many systemd updates up to v255
RPM and dnf fixes
Tighten private key handling for Apache
Many container and kubernetes improvements
Add support for Cilium
Update object class definitions up to io_uring:cmd
Add additional rules to cloud-init based on sysadm_t
* Update to latest git rev.
* Refresh patches.
* Add a patch to fix reboot timeout error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
We merged libselinux recipe and libselinux-python recipe in commit[1]
because we thought the circular dependency was gone. But unfortunately,
it still exists.
Here are the steps to reproduce:
$ echo "DISTRO_FEATURES:append = \" x11\"" >> conf/local.conf
$ echo "PACKAGECONFIG:append:pn-python3 = \" tk\"" >> conf/local.conf
$ bitbake core-image-selinux -n
So we still need to split the libselinux recipe into two recipes:
libselinux and libselinux-python.
[1] https://git.yoctoproject.org/meta-selinux/commit/?id=62b9c816a5000dc01b28e78213bde26b58cbca9d
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
