CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
975 Commits 28 Branches 0 Tags 2.4 MiB
1b43d4d921
Commit Graph

975 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Yi Zhao
1b43d4d921 PATCH 02/15] libsepol: upgrade 3.5 -> 3.6 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-12-18 11:06:30 -05:00
Yi Zhao
55c246a112 selinux: upgrade 3.5 -> 3.6 
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.6

* Switch branch to main

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-12-18 11:06:30 -05:00
Yi Zhao
3fb3324540 refpolicy: fix login errors after enabling systemd DynamicUser 
After oe-ocre commit ba3a78c0[1], domains using PAM need to read
/etc/shadow.

[1] https://git.openembedded.org/openembedded-core/commit/?id=ba3a78c08cb0ce08afde049610d3172b9e3b0695

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-12-14 10:23:31 -05:00
Yi Zhao
fd039518bd refpolicy: update to latest git rev 
* 82b4448e1 Additional file context fix for:
* 65eed16b5 policy/modules/services/smartmon.te: make fstools optional
* 2e27be3c5 Let the certmonger module manage SSL Private Keys and CSR
            used for example by the HTTP and/or Mail Transport daemons.
* 912d3a687 Let the webadm role manage Private Keys and CSR for SSL
            Certificates used by the HTTP daemon.
* 5c9038ec9 Create new TLS Private Keys file contexts for the Apache
            HTTP server according to the default locations:
* b38583a79 The LDAP server only needs to read generic certificate
            files, not manage them.
* 100a853c0 rpm: fixes for dnf
* 8839a7137 Modify the gpg module so that gpg and the gpg_agent can
            manage gpg_runtime_t socket files.
* 780adb80a Simple patch for Brother printer drivers as described in:
	    https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-12-14 10:23:31 -05:00
Yi Zhao
ff95c536a5 README: update 
Add how to enable labeling on first boot.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-10-12 10:14:19 -04:00
Yi Zhao
e29104086e selinux-autorelabel: enable labeling during build 
Previously, system using systemd would label selinux contexts on first
boot. While system using sysvinit would label during build. Add a
variable FIRST_BOOT_RELABEL as a switch to control labeling to make the
behavior of sysvinit and systemd consistent.

Set FIRST_BOOT_RELABEL to 1 in local.conf to enable labeling on first
boot.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-10-12 10:14:19 -04:00
Yi Zhao
46ec0414b4 selinux-image.bbclass: refactor bbclass 
The selinux_set_labels function should run as late as possible. To
guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
RecipePreFinalise event handler, this ensures it is the last function in
IMAGE_PREPROCESS_COMMAND.

After refactoring, system using systemd can also label selinux contexts
during build.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-10-12 10:14:19 -04:00
Yi Zhao
ce049565e1 layer.conf: update LAYERSERIES_COMPAT for nanbield 
oe-core has switched to nanbield in:
https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-10-12 10:14:19 -04:00
Yi Zhao
0d58268e29 refpolicy: upgrade 20221101+git -> 20231002+git 
* Switch branch to main.
* Update to latest git rev.
* Drop obsolete and useless patches.
* Refresh patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-10-12 10:14:19 -04:00
Yi Zhao
e44d4ff853 libselinux-python: fix build with musl 
libselinux-python also requires the patch which provided by [1] to fix
build with musl.

[1] https://git.yoctoproject.org/meta-selinux/commit/?id=23d8e2d86317170c0a3c155640c71b83329ff726

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-09-05 14:36:06 -04:00
Yi Zhao
2ff4de94fd linux-yocto: drop CONFIG_SECURITY_SELINUX_DISABLE 
CONFIG_SECURITY_SELINUX_DISABLE has been removed since kernel 6.4[1][2].

[1] https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f22f9aaf6c3d92ebd5ad9e67acc03afebaaeb289

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-09-05 14:36:06 -04:00
Yi Zhao
dea065096b selinux-python: add python3-distro and binutils to RDEPENDS 
Add python3-distro and binutils to RDEPENDS for sepolicy to fix runtime
error:

$ sepolicy -h
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 690, in <module>
    gen_manpage_args(subparsers)
  File "/usr/bin/sepolicy", line 375, in gen_manpage_args
    man.add_argument("-o", "--os", dest="os", default=get_os_version(),

  File "/usr/lib/python3.11/site-packages/sepolicy/__init__.py", line 1245, in get_os_version
    import distro
ModuleNotFoundError: No module named 'distro'

$ sepolicy generate --init /usr/sbin/sshd
/bin/sh: line 1: nm: command not found

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-09-05 14:36:06 -04:00
Yi Zhao
5933e66507 setools: upgrade 4.4.2 -> 4.4.3 
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.3

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-08-08 10:34:54 -04:00
Renato Caldas
23d8e2d863 libselinux: fix compilation with musl 
Signed-off-by: Renato Caldas <renato@calgera.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-07-31 15:08:04 -04:00
schitrod=cisco.com@lists.yoctoproject.org
bd3902cb93 selinux: Set CVE_PRODUCT 
The CVE product name for selinux-* package is (usually) the selinux
(and not our recipe name), so use selinux as the default.

See also:
http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html

"Results from cve-check are not very good at the moment.
One of the reasons for this is that component names used in CVE
database differ from yocto recipe names. This series fixes several
of those name mapping problems by setting the CVE_PRODUCT correctly
in the recipes. To check this mapping with after a build, I'm exporting
LICENSE and CVE_PRODUCT variables to buildhistory for recipes and
packages."

Value added is based on:
https://nvd.nist.gov/vuln/search/results?results_type=overview&search_type=all&cpe_product=cpe%3A%2F%3Akernel%3Aselinux

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-05-31 09:43:14 -04:00
Yi Zhao
47858343ed linux-yocto: drop CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE 
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is deprecated and will be
rejected in a future kernel release[1].

[1] https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-04-30 21:33:46 -04:00
Yi Zhao
0c8af77822 setools: upgrade 4.1 -> 4.2 
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.2

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-04-30 21:33:46 -04:00
Yi Zhao
c370b82cde semodule-utils: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
4da226c5c5 selinux-sandbox: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
06ea8425ae selinux-gui: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
64be33c89e selinux-dbus: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
ff424dc4cf selinux-python: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

* Refresh patch.
* Drop backport patch.
* Add dependency python3-setuptools-scm-native to fix build error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
1f4cefc882 restorecond: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
b4385b6746 mcstrans: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
8bd9e77835 policycoreutils: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

* Refresh patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
efed45fd9f secilc: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
4184abc2a6 checkpolicy: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
e582e169c4 libsemanage: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
7c0d8121c3 libselinux-python: upgrade 3.4 -> 3.5 
* Add dependency python3-setuptools-scm-native to fix build error.
* Refresh patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
4f4946958b libselinux: upgrade 3.4 -> 3.5 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
a99bb21b0f libsepol: upgrade 3.4 -> 3.5 
License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
2c45147cb8 selinux: upgrade 3.4 -> 3.5 
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.5

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
02348acbf6 refpolicy: update to latest git rev 
Drop 0003-refpolicy-minimum-make-dbus-module-optional.patch as the issue
has been fixed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:02 -04:00
Yi Zhao
e9cea983ee gitignore: add it 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-27 09:34:01 -04:00
Yi Zhao
91c8ba5814 linux-yocto: drop version from bbappend 
Make the bbappend available for 5.x and 6.x kernels.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-06 11:04:54 -05:00
Yi Zhao
1e6a19762e setools: upgrade 4.4.0 -> 4.4.1 
Changelog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.1

License-Update: Refine COPYING text. No license changes.[1]

[1] fff1906ff4

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-03-06 11:04:54 -05:00
Yi Zhao
4aed1e830c layer.conf: update LAYERSERIES_COMPAT for mickledore 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2023-01-17 07:31:54 -05:00
Mingli Yu
696662e9f0 psmisc: move PACKAGECONFIG to oe-core 
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=d2aa518163a4836eeb5bf8517456790cba382c2e

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-12-14 20:31:45 -05:00
Mingli Yu
40c6a3dce7 cronie: move PACKAGECONFIG to oe-core 
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=fd036af063ef47d8296be909eb5db9bddc05eb6e

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-12-14 20:31:45 -05:00
Mingli Yu
a8c55f9456 util-linux: move PACKAGECONFIG to oe-core 
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=c57cc22fad708ac856ac4ebe0a42042031fbf90b

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-12-14 20:31:45 -05:00
Mingli Yu
61a64b0640 iproute2: move PACKAGECONFIG to oe-core 
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=067ce90494bc370fc7a271c6a036c414358f0f38

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-12-14 20:31:45 -05:00
Mingli Yu
f6303c0f30 sudo: move PACKAGECONFIG to oe-core 
Move PACKAGECONFIG setting to oe-core [1] to conform to yocto compliance.

[1] https://git.openembedded.org/openembedded-core/commit/?id=5c8e22895709a0ce7ce855468473d9d6d10a1e65

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-12-14 20:31:45 -05:00
Yi Zhao
f6d73a35d3 refpolicy: upgrade 20210908+git -> 20221101+git 
* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-11-23 09:26:29 -05:00
Yi Zhao
e9270d6e58 libsepol: fix build failure for refpolicy-mls 
Backport a patch to fix build failure for refpolicy-mls:
| Creating mls xserver.pp policy package
| libsepol.validate_user_datum: Invalid user datum
| libsepol.validate_datum_array_entries: Invalid datum array entries
| libsepol.validate_policydb: Invalid policydb
| /buildarea/build/tmp/work/qemux86_64-poky-linux/refpolicy-mls/2.20220520+gitAUTOINC+f311d401cd-r0/recipe-sysroot-native/usr/bin/semodule_package:
Error while reading policy module from tmp/xserver.mod
| make: *** [Rules.modular:98: xserver.pp] Error 1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-11-07 14:19:08 -05:00
Yi Zhao
08a2705c00 base-files: set correct label for /var/volatile 
By default /var/volatile will be mounted with tmpfs_t instead of var_t
label, which will cause us to have to add some extra rules to eliminate
avc denials of some services.

Set rootcontext for /var/volatile in fstab to make sure it is mounted
with correct label.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-11-07 14:19:08 -05:00
Yi Zhao
cccf2bbe02 SELinux-FAQ: remove references to poky-selinux distro 
Update SELinux-FAQ as the poky-selinux distro has been removed for a
long time.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-11-07 14:19:08 -05:00
Yi Zhao
506daf988c layer.conf: add langdale to LAYERSERIES_COMPAT 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-10-02 21:38:35 -04:00
Oleksiy Obitotskyy
fbb3340b0e libsemanage: Add python3 to dependencies 
Recipe have implicit dependency on nativesdk-python,
so recipe-sysroot-root populated with python headers.
But during build code look for headers into recipe-sysroot.
Add python dependency explicitly.

Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-10-02 21:38:23 -04:00
Yi Zhao
6683a43e61 setools: fix buildpaths issue 
Fixes:
QA Issue: File /usr/src/debug/setools/4.4.0-r0/setools/policyrep.c in package setools-src
contains reference to TMPDIR [buildpaths]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-08-28 13:54:59 -04:00
Yi Zhao
02cf8bb65a semodule-utils: upgrade 3.3 -> 3.4 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
 2022-08-28 13:54:59 -04:00