Commit Graph

748 Commits

Author SHA1 Message Date
Mark Hatle
ebea59190b Update MAINTAINERS with new email addr
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-10-18 12:01:57 -04:00
Vincent Prince
988f587016 Revert glib-2.0: fix configure error for meson build
On Warrior branch, glib-2.0 is in version 2.58.3 so we need to revert commit [bb0c9c3abc] until then.

Signed-off-by: Vincent Prince <vincent.prince.fr@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-10-18 10:57:07 -04:00
Joe MacDonald
f5170305dc compat: remove thud from warrior layer compatibility list
Based on this discussion:
https://www.mail-archive.com/yocto@yoctoproject.org/msg45785.html the
warrior branch does not build against oe-core thud any longer.  Since
that's not really intended to be a supported use case anyway, remove the
layer compatibility statement for thud.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-09-18 05:02:51 -04:00
Lorenz Kofler
154654a6fe selinux-python: Fix dependency for ntpath
On yocto warrior the semanage tool didn't work correctly, because it
couldn't find the ntpath module. It turned out that this module is now part
of the package python-misc, therefore add a dependency on python-misc.

Signed-off-by: Lorenz Kofler <lorenz@sigma-star.at>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:35:12 -04:00
Mark Asselstine
b0d31db104 selinux-init: use systemd (re)labelling
Boot loops were being seen when booting with selinux enabled, when the
init system in use is systemd. Once logs were retrieved from the
failing system the error was found to be

selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct:  Read-only file system
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu:  Read-only file system

Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
used by selinux-init.sh is unable to handle this. On top of this the
system is basically presenting two methods of (re)labelling; using the
built in systemd approach via selinux-autorelabel.service *and* the
code we have in selinux-init.sh. This can get confusing especially
given that most online resources will speak to the systemd approach
using selinux-autorelabel.service and /.autorelabel.

These changes leave the current approach in place when sysvinit is the
init system used, but if systemd is being used we make use of its
internal (re)labelling functionality. Overall the workflow remains the
same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
during the (re)labelling procedure).

Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:28:06 -04:00
Yi Zhao
a41f482606 selinux-sandbox: add runtime dependency on python-core
Fixes:
ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox requires /usr/bin/python,
    but no providers found in RDEPENDS_selinux-sandbox?  [file-rdeps]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:28:06 -04:00
Yi Zhao
c1309380d7 selinux-python: add python-core as runtime dependency
Fix QA issues:
QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package selinux-python requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python? [file-rdeps]
QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps]
QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:28:06 -04:00
Joe Slater
8c6eabaf8c mcstrans: specify SBINDIR
We need SBINDIR to be compatible with the usrmerge distro feature.
The update to version 2.8 (commit c55c0aca...) removed the definition,
perhaps because the "${D}/" prefix broke the build.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:26:52 -04:00
Yi Zhao
087fe5c814 libselinux: fix build with glibc 2.30
Fix build error:
procattr.c:27:14: error: static declaration of 'gettid' follows
non-static declaration
   27 | static pid_t gettid(void)
      |              ^~~~~~
In file included from /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
                 from procattr.c:2:
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
note: previous declaration of 'gettid' was here
   34 | extern __pid_t gettid (void) __THROW;
      |                ^~~~~~

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-08-28 10:26:52 -04:00
Mingli Yu
8551ae0994 audit: use git fetcher instead of the tarball source
Per http://people.redhat.com/sgrubb/audit/, the
tarball source moves to https://github.com/linux-audit/audit-userspace,
and since commit [21f84fc insane: add sanity checks to SRC_URI]
applied in oe-core, do not use unstable github archive
tarballs, so use git instead.

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-07-08 22:24:25 -04:00
Yi Zhao
11daa2cca4 audit: upgrade 2.8.4 -> 2.8.5
* Drop backport patch:
  0001-Remove-strdupa-as-suggested-in-pull-request-25.patch

* Refresh all patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-07-08 22:24:12 -04:00
Yi Zhao
bb0c9c3abc glib-2.0: fix configure error for meson build
In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meso-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-15 23:11:05 -04:00
Hongxu Jia
8b7a9638c5 setools: do not use unstable github archive tarballs
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-06 19:07:15 -04:00
Yi Zhao
184857a52e mesa: switch to meson build
The mesa had been converted to use meson build system in oe-core commit
c72b6d46d392bfbcf54154f43663a7a8ada8c567. Update the bbappend to adapt
it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-06 19:04:14 -04:00
Yi Zhao
99ff2a13b3 findutils: drop obsolete patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-06 19:03:59 -04:00
Yi Zhao
a917c322c1 refpolicy: update source checksums for refpolicy 20190201
The previous md5sum and sha256sum are not correct.
See: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20190201

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-23 11:12:57 -04:00
Kai Kang
b69dad7299 busybox: disable PTEST_BINDIR
A new feature has been added in oe-core to use update-alternative
mechanism for ptest. But it conflicts with current patch in
meta-selinux. So do not use this new feature for ptest when build with
selinux.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-18 07:30:28 -04:00
Chris PeBenito
efdb09e842 libselinux.inc: Add python-shell to libselinux-python RDEPENDS.
The libselinux SWIG wrapper imports shutil.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-15 12:57:51 -04:00
Chen Qi
e0105eed2b audit: change to use ${WORKDIR} instead ${S}/../
The do_install function is assuming that ${S}/../ is ${WORKDIR},
but this is not true when using `devtool modify audit'.

So change to use ${WORKDIR}.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-15 09:02:21 -04:00
Kai Kang
c0186953ac setools: fix build failure with gcc 7
Backport patch from setools upstream to fix build failure with GCC 7 due
to possible truncation of snprintf output. It could be reproduced on 64
bit bsps such as qemux86-64 and qemumips64 with configs:

  SELECTED_OPTIMIZATION = "${DEBUG_OPTIMIZATION}"
  DEBUG_BUILD = "1"

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:29:57 -04:00
Kai Kang
fb5d3d86b5 layer.conf: update to warrior release name series
Sync with oe-core to update to warrior release name series.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:29:52 -04:00
Yi Zhao
144f949452 selinux: remove git version
The git version of libselinux libsemanage libsepol checkpolicy and
policycoreutils are far behind the master branch and now they can not
build due to the do_patch error. The current stable 2.8 version works
well so we can remove them.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:20:56 -04:00
Luca Boccassi
d00cb4413c packagegroup-selinux-minimal: add selinux-init
When trying to build a minimal image (eg: without python), the default
user on autologin is not mapped to the intended user/role/domain:

  # id -Z
  system_u:system_r:kernel_t:s0

And the following error is displayed on autologin:

  Unable to get valid context for <user>

While on an image built with the core-selinux packagegroup:

  # id -Z
  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Adding selinux-init to the minimal package list fixes the issue.
This package does not seem to bring along additional dependencies.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:14:54 -04:00
Sinan Kaya
aed85f4d0c libpcre: do not create links when compiling for windows
libpcre-native is trying to create symbolic links to so files
when used with meta-mingw. Remove this condition for mingw builds.

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:13:50 -04:00
Yi Zhao
3f850b745c selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND
Fix AVC denied error when booting:

type=AVC msg=audit(1548055920.478:86): avc:  denied  { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

type=AVC msg=audit(1548055920.478:87): avc:  denied  { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels
process would run before the prelink process to set the security labels for
the files. But the labels for /lib/libc-2.28.so and /lib/ld-2.28.so would
be changed after running the prelink process. Use "_append" to make sure the
selinux_set_labels process runs after the prelink process.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:08:54 -04:00
Yi Zhao
00374b5317 openssh: update sshd_config
Update sshd_config based on openssh 7.9p1. Drop the deprecated option
UsePrivilegeSeparation

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:07:16 -04:00
Yi Zhao
28d8039fa6 core-image-selinux.bb: remove trailing whitespace
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:07:16 -04:00
Joe MacDonald
d668669844 refpolicy: update to 2.20190201 and git HEAD policies
Additionally, the README has fallen out of date, update it to reflect the
current reality of layer dependencies.

Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-12 15:28:38 -04:00
Luca Boccassi
a6a3cadb1e Backport patches from upstream to fix build with musl
Audit 2.8.4 fails to build with musl. The fixes have been committed
to the upstream master branch and can be backported.
Building with glibc is unaffected.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-03-25 09:43:53 +01:00
Kai Kang
eafe868098 meson-selinux.bbclass: add for meson build system
Add meson-selinux.bbclass for meson build system. It uses
'-Dselinux=true/false' to enable/disable 'selinux' rather than
--enable-selinux or --with-selinux.

Inherit meson-selinux for glib-2.0 to fix configure failure.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-03-25 09:43:53 +01:00
Yi Zhao
780038798b linux-yocto: add bbappend for kernel 5.0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-03-22 09:35:22 -04:00
Joe MacDonald
394ab36a6d refpolicy: fix up all refpolicy 20170224 builds for current master
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-30 08:05:29 -04:00
Awais Belal
62f6931c00 refpolicy_git.inc: lock SRCREVs on the actual version hashes
Using AUTOREV in the main repository has its downsides.
1. The checked out version isn't actually the version depicted
   by PV.
2. Breaks builds in scenarios where network isn't available
   or BB_NO_NETWORK is used even after sources are already
   fetched.

1 is self explanatory, for 2 whenever SRCREV is set to AUTOREV and
SRCPV is used in PV the fetcher tries to access the network in order
to determine SRCPV (bb.fetch2.get_srcrev) and fails for obvious
reasons during parsing even when versioned recipes are used as
PREFERRED_VERSION because parsing still happens for recipes that are
in BB's search paths and we see.
Traceback (most recent call last):
bb.data_smart.ExpansionError: Failure expanding variable SRCPV, expression was ${@bb.fetch2.get_srcrev(d)} which triggered exception NetworkAccess: Network access disabled through BB_NO_NETWORK (or set indirectly due to use of BB_FETCH_PREMIRRORONLY) but access requested with command git -c core.fsyncobjectfiles=0 ls-remote git://github.com/TresysTechnology/refpolicy.git  (for url git://github.com/TresysTechnology/refpolicy.git)

So we lock the REVs and do that with a soft assignment which
allows overriding the REVs from elsewhere.

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-23 13:18:05 +01:00
Chen Qi
39e7ceaa9f libpcre_selinux.inc: fix do_install failure if .so file does not exist
In case of the existence of meta-mingw, the library is .dll instead of
.so and these .dll files are in ${bindir}.

We need to check the existence of the .so file before doing readlink,
otherwise do_install fails.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-23 13:17:35 +01:00
Piotr Tworek
295223cd94 libselinux: Fix build with musl libc.
Musl libc does not implement file traversal functions from fts.h.
Oe-core provides fts library which implements those. Libselinux makefile
allows us to use such additional library by specifying required linker
flags via FTS_LDLIBS variable.

Signed-off-by: Piotr Tworek <tworaz666@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-23 13:16:39 +01:00
Piotr Tworek
1fdd4c91d7 setools: Add missing python runtime deps.
The package needs logging, json and argparse modules to start.
Additionally, it also needs libselinux-python in order to really work.
Without it it'll just print an error message instructing the user to
install it.

Signed-off-by: Piotr Tworek <tworaz666@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-23 13:16:39 +01:00
Hongxu Jia
8ff95d5b2a layer.conf: update LAYERSERIES_COMPAT `sumo' -> `thud'
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-10-22 16:27:25 +01:00
Eric Chanudet
b1dac7e2b2 policycoreutils: package files in base_sbindir.
SBINDIR was changed to ${base_sbindir} in commit:
8cc9c17 policycoreutils: fix installed-but-not-shipped on updated recipes

FILES_${PN}-* must now capture files installed in ${base_sbindir}
accordingly.

Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2018-09-09 16:02:00 -04:00
Joe MacDonald
8cc9c17d40 policycoreutils: fix installed-but-not-shipped on updated recipes
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:24:46 -04:00
Yi Zhao
ad1917ecca audit: uprev to 2.8.4
Add aarch64 support

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
5775f7b0da packagegroup-selinux-policycoreutils: remove semodule-utils-semodule-deps
Remove package semodule-utils-semodule-deps as it had been removed
upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
d66addd069 selinux-gui: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
14e3048f19 selinux-dbus: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
42ebe299ad semodule-utils: uprev to 2.8 (20180524)
Remove package semodule-deps as it had been removed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
82b09d8c63 selinux-python: uprev to 2.8 (20180524)
Rebase patch:
fix-sepolicy-install-path.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
2de2fca376 selinux-sandbox: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
d09ae7be34 restorecond: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
c55c0aca38 mcstrans: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
77b61a4fb6 policycoreutils: uprev to 2.8 (20180524)
Remove unused patch:
policycoreutils-loadpolicy-symlink.patch

Add the following patches to change commands path for backward
compatibility:
policycoreutils-fix-fixfiles-install-path.patch
policycoreutils-fix-fixfiles-install-path.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00
Yi Zhao
cf7a0c932d secilc: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-09-07 16:13:57 -04:00