We still miss some rules for nfsd to bind on nfs ports, so add a patch
to fix this. oe-core changed nfsd to use portmap, so also fix file
contexts for portmap.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Current meta-selinux provides a populate-volatile.sh for adding
restorecon lines to the oe-core script.
If other meta layers would add a new populate-volatile.sh, it will
override the oe-core and meta-selinux ones and cause selinux issues.
So append restorecon lines to the original script instead of a
final script.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
rndc.key would be labeled with wrong named_zone_t inherited from
/etc/bind while creating, so restorecon on it.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Native swig will read datas from hard-coded SWIGLIB or the same
environment variable.
While using sstate, the hard-coded SWIGLIB will point to the project
that create original sstates. This would cause build issues, so add
a wrapper to set the environment variable SWIGLIB to a relative path
on current sysroot.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Some files of bind are not installed to default pathes, fix the
security contexts for these files.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
/var/cache is a symlink in poky, so we need allow rules for files to
read lnk_file while doing search/list/delete/rw.. in /var/cache/
directory.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Target package policycoreutils-sandbox always needs libcgroup and
libcap-ng, so it should not be conditional.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
PYTHON_LDFLAGS is considered as the full path of libpython2.7.so,
dirname of the .so file will be expanded into -L<DIR>. As a result,
current PYTHON_LDFLAGS cause this compile result:
${CC} ... -L-LXXX/tmp/sysroots/qemux86-64/usr/lib64
-L-lapol -lqpol -o _sesearch.so
So "-lapol" is ignored, fix this.
CQID: WIND00400717
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Two patches to fix these two issue:
* Current policy has incomplete allow rules for selinux utils to
manage selinux config files and policy store.
* auditd_log_t(/var/log/audit/audit.log) is also placed in
var_log_t, so add related rules.
CQID: WIND00396415
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
audit admin tools and daemons should install to base_sbindir, so
they can get correct security labels after selinux restorecon
command.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
sed-4.2.2 now has new configure option --with-selinux,
so inherit with-selinux bbclass.
Also, remove the patch since new version fix the issue.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
--with-selinux is consided as unrecognized option while
do_configure, so change it to --enable-selinux,
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
oe-core adds a exit handler to rw python command history file
(~/.python-history). There are no allow rules for every user&role
to use create/read/write ~/.python-history, and it is also
improper to add rules because these rules would blow up the
user&role's scope of authority.
So disable the handler, if selinux enabled.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add user_tty_device_t as a customizable_type, so that restorecon -R
/dev will not complain about it or modify the security labels.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
In meta-selinux layer, tinylogin links are installed as script
wrappers instead of symlinks to get their security labels.
So, they should use alternatives if there are same commands provided
by other packages.
passwd -> passwd.tinylogin
-> passwd.shadow
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Add bbclasses only for target packages to enable selinux support,
not native/nativesdk/cross/crosssdk pacakges.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
