Add native support for libselinux-python
to fix build error for setools-native
ERROR: Nothing RPROVIDES 'libselinux-python-native'
(but virtual:native: meta-selinux/recipes-security/setools/setools_4.5.1.bb
RDEPENDS on or otherwise requires it)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Enable using setools native for analyzing
the built SELinux policy during the build.
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes. A default definition of S has been added to
selinux_common.inc to avoid duplication in the set of recipes that
use it to build packages from different subdirectories of the selinux
repo. The three packagegroups test build successfully with these
changes.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
whinlatter is the next release, set it as compatible layer since
it is not backwards compatible.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.8
* libsemanage: Preserve file context and ownership in policy store
* libselinux: deprecate security_disable(3)
* libsepol: Support nlmsg extended permissions
* libsepol: Add policy capability netlink_xperm
* libsemanage: Optionally allow duplicate declarations
* policycoreutils: introduce unsetfiles
* libselinux/utils: introduce selabel_compare
* improved selabel_lookup performance
* libselinux: support parallel usage of selabel_lookup(3)
* libsepol: add support for xperms in conditional policies
* Improved man pages
* Code improvements and bug fixes
* Always build for LFS mode on 32-bit archs.
* libsemanage: Mute error messages from selinux_restorecon introduced in
3.8-rc1
* Regex spec ordering is restored to pre 3.8-rc1
* Binary fcontext files format changed, files using old format are ignored
* Code improvements and bug fixes
License-Update: White space cleanup for libsemanage/LICENSE
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Use the new cython class to avoid duplicated fixup code to remove build
paths.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
The debug-tweaks IMAGE_FEATURE has been removed in oe-core. Replace it
with allow-empty-password.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Backport a patch to fix build with swig 4.3[1].
[1] https://github.com/SELinuxProject/selinux/issues/447
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Backport a patch to fix build with swig 4.3[1].
[1] https://github.com/SELinuxProject/selinux/issues/447
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
For some distributions (e.g. Yocto) that do not provide
system-release/distribution-release file, libdnf can not get releasever
variable, causing conf.substitutions['releasever'] to not be set.
This will cause 'sepolicy generate' command to fail with the following
error on these distributions:
$ sepolicy generate --init /usr/local/bin/foo
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 702, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 569, in generate
mypolicy.gen_writeable()
File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1302, in gen_writeable
self.__extract_rpms()
File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1268, in __extract_rpms
base.read_all_repos()
File "/usr/lib/python3.12/site-packages/dnf/base.py", line 554, in read_all_repos
for repo in reader:
^^^^^^
File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 42, in __iter__
for r in self._get_repos(self.conf.config_file_path):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 109, in _get_repos
parser.setSubstitutions(substs)
File "/usr/lib/python3.12/site-packages/libdnf/conf.py", line 1643, in setSubstitutions
return _conf.ConfigParser_setSubstitutions(self, substitutions)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: in method 'ConfigParser_setSubstitutions', argument 2 of type 'std::map< std::string,std::string,std::less< std::string >,std::allocator< std::pair< std::string const,std::string > > > const &'
Set conf.substitutions['releasever'] to empty str if releasever is None.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916
Notable Changes
Added sechecker configuration for GitHub CI actions.
Cleaned up concerning permissions uncovered by sechecker
Removed extremely deprecated domains in cups (ptal) and xen (xend/xm)
Systemd updates up to v256
Various container fixes
New Modules
haproxy
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
OE-Core has switched the master branch to styhead, follow the change.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* Update policy for systemd-v256
c20cf2214 systemd: allow systemd-hostnamed to read vsock device
4f3437040 systemd: fix policy for systemd-ssh-generator
d852b7540 devices: add label vsock_device_t for /dev/vsock
a4a7b830f systemd: add policy for systemd-nsresourced
47081be47 systemd: allow system --user to create netlink_route_socket
78cacc708 systemd: allow systemd-networkd to manage sock files under
/run/systemd/netif
29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
/var/lib/systemd/network
22fd3ddad Allow interactive user terminal output for the NetLabel
management tool.
c1284c601 bluetooth: Move line.
50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
by dbus and bluetooth contexts when Gatt notifications are
turned on by remote.
2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
9ab94df30 container: allow reading generic certs
7530dfa3c testing: add container_kvm_t to net admin exempt list
47eced9be Makefile: drop duplicate quotes
b0b0d52dd various: rules required for DV manipulation in kubevirt
21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
a9bd177bb iptables: allow reading container engine tmp files
af0b40824 container: allow spc various rules for kubevirt
d585f08c2 container, kubernetes: add supporting rules for kubevirt and
multus
9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
d9ca32f5a container: allow super privileged containers to manage BPF
dirs
1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
b9c8ba607 haproxy: allow interactive usage
846804c58 podman: allow managing init runtime units
8787b3d8d iptables: allow reading usr files
* Drop obsolete patches:
0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Fix QA warning:
WARNING: setools-4.5.1-r0 do_check_backend: QA Issue: inherits
setuptools3 but has pyproject.toml with setuptools.build_meta, use the
correct class [pep517-backend]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
This patch adds a SELinux specific configuration snippet for busybox to
enable SELinux support in busybox out of the box. This is needed to enable
SELinux specific command line options for certain commands like ps -Z.
Signed-off-by: "Weisser, Pascal" <pascal.weisser.ext@karlstorz.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
sestatus is provided as ${base_sbindir}/sestatus which is currently packaged into
PN-sestatus, however, this is only a symlink to the binary located in
${bindir}/sestatus.
This causes that when runtime dependencies are calculated, bitbake properly detects
a dependency from policycoreutils-sestatus to the main policycoreutils package.
Hence the policycoreutils-sestatus package has no usability by itself, this has
several implications, but one of them means that it recursively pulls all
runtime dependencies, making policycoreutils-sestatus require everything that the
main policycoreutils package RDEPENDS on, including python3.
By correctly splitting these packages, an image that RDEPENDS only on
policycoreutils-sestatus decreases its size by about ~13MB.
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* a6cf20736 filesystem, devices: move gadgetfs to usbfs_t
* 75492f95f systemd: make xdg optional
* 097d688ff sshd: label sshd-session as sshd_exec_t
* b57b6005c Setting bluetooth helper domain for bluetoothctl
* 30f451d6a Adding Sepolicy rules to allow pulseaudio to access
bluetooth sockets.
* 7037c341f systemd: allow logind to use locallogin pidfds
* 5f7f494d1 userdomain: allow administrative user to get attributes of
shadow history file
* 0126cb1e6 node_exporter: allow reading RPC sysctls
* 9c90f9f7d asterisk: allow reading certbot lib
* bfcaec9ba postfix: allow postfix pipe to watch mail spool
* 06a80c3d8 netutils: allow ping to read net sysctls
* 2e0509c9e node_exporter: allow reading localization
* 50a8cddd1 container: allow containers to execute tmpfs files
* 09a747a16 sysadm: make haproxy admin
* c8c3ae2cb haproxy: initial policy
* 4e97f87ce init: use pidfds from local login
* 7fd9032d8 dbus, init: add interface for pidfd usage
* a6d6921a9 asterisk: allow watching spool dirs
* 72c1d912f su, sudo: allow sudo to signal all su domains
* 8b3178248 sudo: allow systemd-logind to read cgroup state of sudo
* 871f0b0dd postfix: allow smtpd to mmap SASL keytab files
* 578375480 sysnetwork: allow ifconfig to read usr files
* 6916e9b20 systemd: allow systemd-logind to use sshd pidfds
* 96ebb7c4e Reorder perms and classes
* cb68df087 tests.yml: Add policy diff on PRs.
* 99258825c tests.yml: Divide into reusable workflows.
* 1e4b68930 Reorder perms and classes
Drop 0002-refpolicy-minimum-make-xdg-module-optional.patch and
0040-policy-modules-system-systemd-allow-systemd-logind-t.patch which
have been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* Allow auditctl to read symlink of var/log directory.
* Grant getpcap capability to syslogd_t.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern
* 1cbe455a5 device: Move dev_rw_uhid definition
* 7a33b4bc8 Sepolicy changes for bluez to access uhid
* c6dd4087d selinuxutil: make policykit optional
* 10feb47e5 newrole: allow newrole to search faillock runtime directory
* bf34d3e5e sysnetwork: fixes for dhcpcd
* 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon
to access unix stream sockets
* 27602a932 various: various fixes
* 63d50bbaa container, crio, kubernetes: minor fixes
* 11e729e27 container, podman: various fixes
* ef5954a0e systemd: allow systemd-sysctl to search tmpfs
* 472e0442e container: allow containers to getcap
* 7876e5151 container: allow system container engines to mmap runtime
files
* d917092a8 matrixd: add tunable for binding to all unreserved ports
* 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries
* ddf395d5d asterisk: allow binding to all unreserved UDP ports
* 3bad3696b postgres: add a standalone execmem tunable
* ef28f7879 userdom: allow users to read user home dir symlinks
* 03711caea dovecot: allow dovecot-auth to read SASL keytab
* cd781e783 fail2ban: allow reading net sysctls
* ddc6ac493 init: allow systemd to use sshd pidfds
* b9c457d80 files context for merged-usr profile on gentoo
* 5040dd3b6 Need map perm for cockpit 300.4
* 2ef9838db tests.yml: Add sechecker testing
* c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type
* 1c694125b certbot: Drop execmem
* 349411d55 xen: Drop xend/xm stack
* 2a261f916 Allow systemd to pass down sig mask
* 2577feb83 cups: Remove PTAL
* 5b02b44e5 xen: Revoke kernel module loading permissions
* 1c20c002c minissdpd: Revoke kernel module loading permissions
* 5671390e2 docker: Fix dockerc typo in container_engine_executable_file
* e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t
* 0f71792c8 uml: Remove excessive access from user domains on
uml_exec_t
* 511223e2d Set the type on /etc/machine-info to net_conf_t so
hostnamectl can manipulate it (CRUD)
* 72fc1b2a3 fix: minor correction in MCS_CATS range comment
* cbf56c8ae systemd: allow notify client to stat socket
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.7
* audit2allow -C for CIL output mode
* sepolgen: adjust parse for refpolicy
* semanage: Allow modifying records on "add"
* semanage: Do not sort local fcontext definitions
* Improved man pages
* checkpolicy: support CIDR notation for nodecon statements
* sandbox: Add support for Wayland
* Code improvements and bug fixes
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
Add selinux-autorelabel to reset the SELinux label on the root
filesystem at boot time.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* 0aff1990e quote: read localization
* ab13c0421 getty: grant checkpoint_restore
* 3643773ae Update SOS report to work on RHEL9
* 523b279bd Setup domain for dbus selinux interface
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
`PACKAGEBUILDPKGD` was dropped in Yocto 4.2 and
`PACKAGE_PREPROCESS_FUNCS` should be used instead. The only requirement
for wrapper creation is that it is executed before any of the
`update-alternatives` hooks are executed. This continues to hold as the
call to `create_sh_wrapper_reset_alternative_vars` is prepended only
after the `update-alternatives` class has been inherited.
Additionally, this also fixes a race condition leading to
non-deterministic buildhistory entries in busybox's `sysroot` files.
The race condition was caused by the creation of the wrapper files
inside `D` (i.e. the image directory) which is also consumed by other
tasks such as `do_populate_sysroot` which may be executing in parallel
to `do_package`.
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Joe MacDonald <joe@deserted.net>
ChangeLog:
https://github.com/SELinuxProject/refpolicy/blob/main/Changelog
Notable Changes:
Many systemd updates up to v255
RPM and dnf fixes
Tighten private key handling for Apache
Many container and kubernetes improvements
Add support for Cilium
Update object class definitions up to io_uring:cmd
Add additional rules to cloud-init based on sysadm_t
* Update to latest git rev.
* Refresh patches.
* Add a patch to fix reboot timeout error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
We merged libselinux recipe and libselinux-python recipe in commit[1]
because we thought the circular dependency was gone. But unfortunately,
it still exists.
Here are the steps to reproduce:
$ echo "DISTRO_FEATURES:append = \" x11\"" >> conf/local.conf
$ echo "PACKAGECONFIG:append:pn-python3 = \" tk\"" >> conf/local.conf
$ bitbake core-image-selinux -n
So we still need to split the libselinux recipe into two recipes:
libselinux and libselinux-python.
[1] https://git.yoctoproject.org/meta-selinux/commit/?id=62b9c816a5000dc01b28e78213bde26b58cbca9d
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
