Commit Graph

14 Commits

Author SHA1 Message Date
Yi Zhao
31325005e4 classes: drop redundant classes
There are some redundant classes: enable-selinux.bbclass,
with-selinux.bbclass, meson-enable-selinux.bbclass,
meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass.
These classes only add PACKAGECONFIG[selinux]/[audit] to recipes. But
currently most recipes have added PACKAGECONFIG[selinux]/[audit] in
their bb files. We don't need these anymore. Only keep
enable-selinux.class and enable-audit.class to append
PACKAGECONFIG[selinux]/[audit] for recipes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29 21:34:22 -04:00
Yi Zhao
654201e25d meta-selinux: convert to new override syntax
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux

Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-04 16:18:39 -04:00
Yi Zhao
83eac4de1a selinux.bbclass: remove True option in getVar()
The getVar() defaults to expanding by default, thus remove the True
option from all getVar() calls.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2020-04-03 08:39:07 -04:00
Yi Zhao
bb0c9c3abc glib-2.0: fix configure error for meson build
In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meson-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2019-06-15 23:11:05 -04:00
Yi Zhao
3f850b745c selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND
Fix AVC denied error when booting:

type=AVC msg=audit(1548055920.478:86): avc:  denied  { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

type=AVC msg=audit(1548055920.478:87): avc:  denied  { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels
process would run before the prelink process to set the security labels for
the files. But the labels for /lib/libc-2.28.so and /lib/ld-2.28.so would
be changed after running the prelink process. Use "_append" to make sure the
selinux_set_labels process runs after the prelink process.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-14 17:08:54 -04:00
Kai Kang
eafe868098 meson-selinux.bbclass: add for meson build system
Add meson-selinux.bbclass for the meson build system. It uses
'-Dselinux=true/false' to enable/disable 'selinux' rather than
--enable-selinux or --with-selinux.

Inherit meson-selinux for glib-2.0 to fix configure failure.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-03-25 09:43:53 +01:00
George McCollister
8ecad12b2c selinux-image: fix labeling on non-seclabel mounts
Use -m to prevent non-seclabel mounts from being excluded from labeling.
After the following commit setfiles will no longer label files on a
mount other than / if it doesn't have seclabel listed in /proc/mounts:
f2e77865e1 (diff-2de9aefdd8fc5bc6a8740533e5d1cc2e)

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-08-13 11:20:32 -04:00
Kai Kang
c8290189fd enable-audit.bbclass: remove implementation of packageconfig audit
enable-audit.bbclass is only used by systemd. And systemd has adapted to
use the build tool meson and implements PACKAGECONFIG audit in the recipe
file of systemd in oe-core.

So remove the implementation of PACKAGECONFIG audit from enable-audit.bbclass.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2018-05-08 10:30:56 -04:00
Joe MacDonald
849cd74b5f selinux-image: enable image labelling
selinux images attempt to label the filesystem image at creation time.
This depends on a native setfiles, though, which isn't guaranteed to be
present without the DEPEND addition.

If the 'setfiles' call fails, that shouldn't be fatal, though; it can
always be run at first boot time, as is commonly done with desktop and
server distros.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2017-05-02 21:21:44 -04:00
George McCollister
d3efe54085 selinux-image: Fix RE error getting POL_TYPE
Change [:space:] to [[:space:]]. [:space:] is incorrect and is treated
as a list of characters. Prior to this change having a policy of
'standard' resulted in POL_TYPE being set to 'tandard'.

Change the regular expression to match from the beginning of the line
since correcting the [:space:] error causes the '# SELINUXTYPE= can
take one of these values:' line to match.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-11-27 09:18:14 -05:00
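The bracket-expression bug this commit describes, reproduced in an added shell example (not code from meta-selinux; the sed patterns are a hypothetical reconstruction of how POL_TYPE is extracted, and the config text is constructed):

```shell
#!/bin/sh
# Added example, not the meta-selinux class code. The sed patterns are a
# hypothetical reconstruction of the POL_TYPE extraction.

# Constructed sample of an SELinux config file: the comment line the
# commit mentions, followed by the real assignment.
SAMPLE_CONFIG='# SELINUXTYPE= can take one of these values:
SELINUXTYPE=standard'

# Buggy form: inside s///, [:space:] is an ordinary bracket expression
# matching the characters ':' 's' 'p' 'a' 'c' 'e', so the trailing
# [:space:]* eats the leading 's' of 'standard'. GNU sed rejects this
# spelling unless POSIXLY_CORRECT is set, which is why it is set here.
pol_type_buggy() {
    printf '%s\n' "$SAMPLE_CONFIG" |
        POSIXLY_CORRECT=1 sed -n 's/SELINUXTYPE[:space:]*=[:space:]*//p'
}

# Corrected character class but no line anchor: the commented
# "# SELINUXTYPE= can take ..." line matches as well, giving two results.
pol_type_unanchored() {
    printf '%s\n' "$SAMPLE_CONFIG" |
        sed -n 's/SELINUXTYPE[[:space:]]*=[[:space:]]*//p'
}

# Fixed: POSIX class plus a '^' anchor, so only the assignment line matches.
pol_type_fixed() {
    printf '%s\n' "$SAMPLE_CONFIG" |
        sed -n 's/^SELINUXTYPE[[:space:]]*=[[:space:]]*//p'
}

# Number of lines a variant produced (1 means only the assignment matched).
match_count() {
    "$1" | sed -n '$='
}

printf 'buggy:      %s\n' "$(pol_type_buggy | tail -n 1)"           # tandard
printf 'unanchored: %s lines\n' "$(match_count pol_type_unanchored)" # 2
printf 'fixed:      %s\n' "$(pol_type_fixed)"                        # standard
```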
Philip Tricca
56e952f43a selinux-image: Add new image class to label the rootfs, use it for selinux images.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2015-08-08 16:43:23 -04:00
Joe MacDonald
aa85e81d94 Globally replace 'base_contains' calls with 'bb.utils.contains'
Based on oe-core commit:

   commit 1528e596d4906c33e4be83fcf691cfe76d340ff3
   Author: Otavio Salvador <otavio@ossystems.com.br>
   Date:   Thu Apr 24 15:59:20 2014 -0300

   Globally replace 'base_contains' calls with 'bb.utils.contains'

   The base_contains is kept as a compatibility method and we ought to not
   use it in OE-Core so we can remove it from base metadata in future.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2014-09-16 21:05:00 -04:00
Xin Ouyang
098ad74b7c selinux.bbclass: nativesdk- prefix to fit oe-core master.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2013-01-07 10:47:22 +08:00
Xin Ouyang
b493530bff layer: add selinux/audit bbclasses
Add bbclasses only for target packages to enable selinux support,
not native/nativesdk/cross/crosssdk packages.

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2013-01-05 13:14:00 +08:00