Config snippets should be used over file overrides since targeted
changes may be required in multiple recipes.

Since the oe-core sshd_config file now includes
/etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet
does not require the following:
* ChallengeResponseAuthentication: Replaced by
  KbdInteractiveAuthentication and set to "no" by default
* Override default of no subsystems: This is already present
* Compression, ClientAliveInterval, and ClientAliveCountMax: No changes
  required due to identical requirements of meta-selinux

Testing process:
* Pulled modified meta-selinux layer into Poky and included openssh
* Built core-image-sato and ran via qemu
* Verified /etc/ssh was as expected with an ssh_config.d directory with
  the new selinux config snippet inside
* Verified system was including selinux config modification by running
  sshd -T

Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Levi Shafter <lshafter@21sw.us>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

There are some redundant classes: enable-selinux.bbclass,
with-selinux.bbclass, meson-enable-selinux.bbclass,
meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass.

These classes only add PACKAGECONFIG[selinux]/[audit] to recipes. But
currently most recipes have added PACKAGECONFIG[selinux]/[audit] in
their bb files. We don't need these anymore. Only keep
enable-selinux.class and enable-audit.class to append
PACKAGECONFIG[selinux]/[audit] for recipes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

This is the result of automated script conversion:

poky/scripts/contrib/convert-overrides.py meta-selinux

Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends. This prevents the
signature from being modified.

Also remove PR changes, as they are no longer allowed.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>