Commit Graph

1049 Commits

Author SHA1 Message Date
Anuj Mittal
c6398215c0 policycoreutils: remove reference to obsolete code
The code referenced no longer exists [1]. It was refactored later to
change the way modules are loaded [2].

Remove reference to the code, comment and creation of directory as it
can be set to something else as well.

[1] 565ea9832e
[2] 2ff279e21e

Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-11-19 15:13:24 +08:00
Anuj Mittal
9894597022 selinux-python: make semanage RDEPENDS on sepolgen
Make the dependency explicit; otherwise it leads to errors when it is
not included.

| ~ # semanage permissive
| Traceback (most recent call last):
|   File "/sbin/semanage", line 29, in <module>
|     import seobject
|   File "/usr/lib/python3.13/site-packages/seobject.py", line 33, in <module>
|     import sepolicy
|   File "/usr/lib/python3.13/site-packages/sepolicy/__init__.py", line 8, in <module>
|     import sepolgen.defaults as defaults
| ModuleNotFoundError: No module named 'sepolgen'

Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-11-19 15:12:44 +08:00
Yi Zhao
5776ff1a93 refpolicy: update to latest git rev
* 739ee699b portage: grant compile domains getattr on chr_files in /dev
* 7de9ae015 ssh: set file context for default locations of split binaries
* 4af789c43 check_fc_files.py: Add a version suffix match
* e93b0cf5e devices: Add iio write and rw interfaces

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-11-06 10:24:56 +08:00
Sasi Kumar Maddineni
5ef032c675 refpolicy: Correct policy version in semanage.conf as per checkpolicy
The code "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
assigns 35 to OUTPUT_POLICY, and policy.35 is generated.

So, correct the policy version in the semanage.conf file too.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-23 10:51:25 +08:00
Sasi Kumar Maddineni
237007feee refpolicy: Remove build path reference from file_contexts.homedirs
file_contexts.homedirs is populated with a reference to the TMPDIR
path, and yocto's QA check flags it.

To avoid this, remove the line that contains the TMPDIR path from
file_contexts.homedirs.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-23 10:50:29 +08:00
Sasi Kumar Maddineni
7bbd3b12d8 refpolicy: Use selinux tools from recipe-sysroot path
The following code snippet from refpolicy shows that the host machine's
/sbin, /usr/bin, /usr/sbin paths were configured to use selinux tools,
instead of the yocto build recipe-sysroot paths.

refpolicy/Makefile:47:BINDIR ?= /usr/bin
refpolicy/Makefile:48:SBINDIR ?= /usr/sbin
refpolicy/Makefile:63:tc_usrbindir := $(BINDIR)
refpolicy/Makefile:64:tc_usrsbindir := $(SBINDIR)
refpolicy/Makefile:65:tc_sbindir := /sbin

Fix: Configured 'tc_usrsbindir' and 'tc_sbindir' with yocto build
recipe-sysroot paths. 'tc_usrbindir' is already configured as per the
recipe-sysroot paths.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-23 10:48:27 +08:00
Sasi Kumar Maddineni
b7822f7772 refpolicy: Skip HLL module processing for monolithic policy builds
Avoid processing and copying high-level language (.pp) modules during do_install
when MONOLITHIC=y is set. This prevents build failures due to missing files in
/usr/share/selinux/targeted, which are not generated in monolithic mode.

Fixes error:
  cp: cannot stat '/usr/share/selinux/targeted/*.*': No such file or directory

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-23 10:47:54 +08:00
João Marcos Costa
91bf293772 initscripts: fix incompatibility with read-only-rootfs
When the read-only-rootfs feature (in IMAGE_FEATURES) is enabled, the
populate-volatile.sh script runs at build time. This compensates for the
fact that certain essential directories and files cannot be created at
runtime, since the root filesystem is read-only. This is handled in
oe-core's rootfs-postcommands.bbclass, in read_only_rootfs_hook.

However, initscripts-1.0_selinux.inc appends some shell code to
populate-volatile.sh assuming it will be run on the target, not on
the host machine. So, if one uses both read-only-rootfs and selinux (in
DISTRO_FEATURES), the recursive call to restorecon is run on the host
machine, since populate-volatile.sh is called at build time. This leads
to errors such as:

| NOTE: Executing read_only_rootfs_hook ...
| DEBUG: Executing shell function read_only_rootfs_hook
| /sbin/restorecon: Could not read /var/lib/AccountsService/users: Permission denied.
| /sbin/restorecon: Could not read /var/lib/NetworkManager: Permission denied.
| /sbin/restorecon: Could not read /var/lib/bluetooth: Permission denied.
| /sbin/restorecon: Could not read /var/lib/chrony: Permission denied.

As a matter of fact, this scenario is a fair reminder not to call
bitbake with sudo.

This change makes sure the append is only performed if the
read-only-rootfs feature is not used.

Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-08 18:52:07 +08:00
Yi Zhao
6f88a2fba5 refpolicy: upgrade 20250213+git -> 20250923+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250618
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250923

Notable Changes

20250618:
* Updates to support screen 5.0.
* Add labeling for bcachefs.
* Various systemd updates and fixes.

20250923:
* Several updates and fixes for systemd
* Add new permissions and policy capabilities
* Drop reiserfs support (it was removed in kernel 6.13)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-01 20:36:39 +08:00
Yi Zhao
6b87622198 setools: upgrade 4.5.1 -> 4.6.0
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.6.0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-09-23 14:19:38 +08:00
Levi Shafter
0d24af9381 openssh: use config snippet instead of file
Config snippets should be used over file overrides since targeted
changes may be required in multiple recipes.

Since the oe-core sshd_config file now includes
/etc/ssh/sshd_config.d/*.conf, the meta-selinux configuration snippet
does not require the following:

* ChallengeResponseAuthentication: Replaced by
  KbdInteractiveAuthentication and set to "no" by default

* Override default of no subsystems: This is already present

* Compression, ClientAliveInterval, and ClientAliveCountMax: No changes
  required due to identical requirements of meta-selinux

Testing process:

* Pulled modified meta-selinux layer into Poky and included openssh

* Built core-image-sato and ran via qemu

* Verified /etc/ssh was as expected with an ssh_config.d directory with
  the new selinux config snippet inside

* Verified system was including selinux config modification by running
  sshd -T

Suggested-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Levi Shafter <lshafter@21sw.us>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-09-18 10:22:56 +08:00
Yi Zhao
6cf84fa126 linux-yocto: drop CONFIG_REISERFS_FS_SECURITY
CONFIG_REISERFS_FS_SECURITY has been removed since kernel 6.13[1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb6f20ecb121cef4d7946f834a6ee867c4e21b4a

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-09-15 14:10:57 +08:00
Vincent Davis Jr
db37a0b841 selinux-python: fix No module named pip
When running the do_install task, we run
into "No module named pip".

Add python3-pip-native to DEPENDS
so that pip is available.

The PREFIX variable not being set also
appears to affect whether pip is
found or not. No reason was found
as to why that is.

Signed-off-by: Vincent Davis Jr <vince@underview.tech>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-08-27 22:56:12 +08:00
Vincent Davis Jr
d8a8d39377 libselinux-python: fix No module named pip
When running the do_install task, we run
into "No module named pip".

Add python3-pip-native to DEPENDS
so that pip is available.

Signed-off-by: Vincent Davis Jr <vince@underview.tech>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-08-27 22:55:45 +08:00
Yi Zhao
979b3caf98 selinux: upgrade 3.8.1 -> 3.9
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.9

* Support static-only builds with DISABLE_SHARED=y
* Add restore option to modify user and role portions
* setfiles: Add -U option to modify user and role portions
* semanage.conf: Add relabel_store config option
* semodule: Add [-g PATH |--config=PATH] for an alternate path for the
  semanage config
* libselinux: Fix local literal fcontext definitions priority
* libselinux: Fix order for path substitutions
* libsepol: Add new 'netif_wildcard' policy capability
* checkpolicy: Add support for wildcard netifcon names
* libsepol: Allow multiple policycap statements
* libsepol: Support genfs_seclabel_wildcard
* Replace all links to selinuxproject.org
* Bug fixes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-08-07 21:06:27 +08:00
Poonam Jadhav
954e13ed6c libselinux-python: Add native support
Add native support for libselinux-python
to fix build error for setools-native

ERROR: Nothing RPROVIDES 'libselinux-python-native'
(but virtual:native: meta-selinux/recipes-security/setools/setools_4.5.1.bb
RDEPENDS on or otherwise requires it)

Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-07-11 11:21:59 +08:00
Poonam Jadhav
48f7a7ba09 setools: Add native support
Enable using setools native for analyzing
the built SELinux policy during the build.

Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-07-11 11:18:58 +08:00
Scott Murray
05178ce178 Adapt to UNPACKDIR changes
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes.  A default definition of S has been added to
selinux_common.inc to avoid duplication in the set of recipes that
use it to build packages from different subdirectories of the selinux
repo.  The three packagegroups test build successfully with these
changes.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-06-30 13:38:18 +08:00
Scott Murray
9c43c41e99 Set compatible layers to whinlatter
whinlatter is the next release; set it as a compatible layer since
it is not backwards compatible.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-06-26 11:45:50 +08:00
Yi Zhao
32adf788c7 refpolicy: update to latest git rev
* 5a6c7d8bf systemd: Add log env to systemd-machine-id-setup.
* 33af8dfa4 Module for ipmitool
* a3a6b1704 oddjob: allow oddjob_mkhomedir_t privfd:fd use
* 621eb6caf systemd: allow reading /dev/cpu/0/msr
* fb0e9cdda Remove unneeded backticks from gen_tunable
* 2240e1a89 locallogin: allow sulogin_t user_tty_device_t rw

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-04-22 14:54:24 +08:00
Yi Zhao
b60fb46e68 refpolicy: update to latest rev
* d05a0d068 networkmanager: Watch systemd directories for
            nm-session-monitor.
* 3a60340e9 systemd: allow systemd-hostnamed and systemd-rfkill to get
            attributes of nsfs inodes
* ccbf1d66f fixup! Allow to specify module version
* d664ebbaa Allow to specify module version
* 1c8a95dbc Fix mislabeling of /etc/shadow
* ec2b2befd locallogin: allow sulogin_t unconfined domtrans
* 450522052 use init_use_script_ptys for knotc in initscript
* 79dda56d3 locallogin: dontaudit sulogin_t checkpoint_restore
* 4b3b8e7ce lldpad: Configure FW-LLDP on i40e NICs.
* ed9d87976 Revert "Merge pull request #867 from PPN-SD/upd-knot-sel"
* e053fced8 files, init: filetrans /run/machine-id etc_runtime_t
* c5a76add7 firewalld: fix firewalld_t firewalld_tmpfs_t exec
* 8a4043060 firewalld: fix lib_t Python cache denial auditing
* bcb8e1d4d unconfined: fix oddjob security_compute_sid
* ec8a5080a Permit init_t to start a detached screen session
* b025e0ec4 Add setcap to knotd / add knotc_initrc_domtrans
* 231960371 chronyd: fix dac_read_search denials

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-04-02 15:15:58 +08:00
Yi Zhao
5ce36d63ef selinux: upgrade 3.8 -> 3.8.1
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.8.1

* libsemanage: improved performance of semanage store rebuild

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2025-03-10 09:51:22 -04:00
Yi Zhao
87fb662ff1 refpolicy: update to 20250213+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250213

* Add tool for validating appconfig contexts files.
* Add netlink extended permissions definitions.
* Updates for Systemd up to v257.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2025-03-07 14:34:46 -05:00
Yi Zhao
4273eb6d6e selinux: upgrade 3.7 -> 3.8
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.8

* libsemanage: Preserve file context and ownership in policy store
* libselinux: deprecate security_disable(3)
* libsepol: Support nlmsg extended permissions
* libsepol: Add policy capability netlink_xperm
* libsemanage: Optionally allow duplicate declarations
* policycoreutils: introduce unsetfiles
* libselinux/utils: introduce selabel_compare
* improved selabel_lookup performance
* libselinux: support parallel usage of selabel_lookup(3)
* libsepol: add support for xperms in conditional policies
* Improved man pages
* Code improvements and bug fixes
* Always build for LFS mode on 32-bit archs.
* libsemanage: Mute error messages from selinux_restorecon introduced in
  3.8-rc1
* Regex spec ordering is restored to pre 3.8-rc1
* Binary fcontext files format changed, files using old format are ignored
* Code improvements and bug fixes

License-Update: White space cleanup for libsemanage/LICENSE

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2025-03-07 14:34:45 -05:00
Yi Zhao
1e40ada23b setools: inherit cython class
Use the new cython class to avoid duplicated fixup code to remove build
paths.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2025-03-07 14:33:23 -05:00
Joe MacDonald
d000ede95d compat: add walnascar to compat list
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-12-10 12:44:22 -05:00
Yi Zhao
bda73fc60f SELinux-FAQ: drop debug-tweaks
The debug-tweaks IMAGE_FEATURE has been removed in oe-core. Replace it
with allow-empty-password.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-12-10 12:39:38 -05:00
Yi Zhao
1b4c274757 libsemanage: fix build with swig 4.3
Backport a patch to fix build with swig 4.3[1].

[1] https://github.com/SELinuxProject/selinux/issues/447

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-12-10 12:39:38 -05:00
Yi Zhao
c3527f5859 libselinux-python: fix build with swig 4.3
Backport a patch to fix build with swig 4.3[1].

[1] https://github.com/SELinuxProject/selinux/issues/447

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-12-10 12:39:38 -05:00
Yi Zhao
51bfd7c35a libpam: drop packageconfig for selinux
Remove PACKAGECONFIG[selinux] as it has been added to libpam recipe in
oe-core[1] and updated for meson.

[1] https://git.openembedded.org/openembedded-core/commit/?id=15d0cb7c4b1278e869f440f949f5e9af2d305429

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-12-10 12:39:38 -05:00
Yi Zhao
06289974f8 selinux-python: fix sepolicy runtime error
For some distributions (e.g. Yocto) that do not provide a
system-release/distribution-release file, libdnf cannot get the releasever
variable, causing conf.substitutions['releasever'] to not be set.
This will cause the 'sepolicy generate' command to fail with the following
error on these distributions:

$ sepolicy generate --init /usr/local/bin/foo
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 702, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 569, in generate
    mypolicy.gen_writeable()
  File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1302, in gen_writeable
    self.__extract_rpms()
  File "/usr/lib/python3.12/site-packages/sepolicy/generate.py", line 1268, in __extract_rpms
    base.read_all_repos()
  File "/usr/lib/python3.12/site-packages/dnf/base.py", line 554, in read_all_repos
    for repo in reader:
                ^^^^^^
  File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 42, in __iter__
    for r in self._get_repos(self.conf.config_file_path):
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/dnf/conf/read.py", line 109, in _get_repos
    parser.setSubstitutions(substs)
  File "/usr/lib/python3.12/site-packages/libdnf/conf.py", line 1643, in setSubstitutions
    return _conf.ConfigParser_setSubstitutions(self, substitutions)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: in method 'ConfigParser_setSubstitutions', argument 2 of type 'std::map< std::string,std::string,std::less< std::string >,std::allocator< std::pair< std::string const,std::string > > > const &'

Set conf.substitutions['releasever'] to an empty string if releasever is None.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-10-10 17:47:34 -04:00
Yi Zhao
98456e0868 refpolicy: upgrade 20240226+git -> 20240916+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916

Notable Changes
  Added sechecker configuration for GitHub CI actions.
  Cleaned up concerning permissions uncovered by sechecker
  Removed extremely deprecated domains in cups (ptal) and xen (xend/xm)
  Systemd updates up to v256
  Various container fixes

New Modules
  haproxy

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-10-09 10:23:22 -04:00
Dmitry Baryshkov
7886cda8a5 layer.conf: set LAYERSERIES_COMPAT to styhead
OE-Core has switched the master branch to styhead, follow the change.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-09-24 15:28:28 -04:00
Yi Zhao
f8ccc77076 refpolicy: update to latest git rev
* Update policy for systemd-v256

  c20cf2214 systemd: allow systemd-hostnamed to read vsock device
  4f3437040 systemd: fix policy for systemd-ssh-generator
  d852b7540 devices: add label vsock_device_t for /dev/vsock
  a4a7b830f systemd: add policy for systemd-nsresourced
  47081be47 systemd: allow system --user to create netlink_route_socket
  78cacc708 systemd: allow systemd-networkd to manage sock files under
            /run/systemd/netif
  29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
            /var/lib/systemd/network
  22fd3ddad Allow interactive user terminal output for the NetLabel
            management tool.
  c1284c601 bluetooth: Move line.
  50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
            by dbus and bluetooth contexts when Gatt notifications are
            turned on by remote.
  2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
  9ab94df30 container: allow reading generic certs
  7530dfa3c testing: add container_kvm_t to net admin exempt list
  47eced9be Makefile: drop duplicate quotes
  b0b0d52dd various: rules required for DV manipulation in kubevirt
  21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
  a9bd177bb iptables: allow reading container engine tmp files
  af0b40824 container: allow spc various rules for kubevirt
  d585f08c2 container, kubernetes: add supporting rules for kubevirt and
            multus
  9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
  d9ca32f5a container: allow super privileged containers to manage BPF
            dirs
  1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
  b9c8ba607 haproxy: allow interactive usage
  846804c58 podman: allow managing init runtime units
  8787b3d8d iptables: allow reading usr files

* Drop obsolete patches:
  0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
  0039-policy-modules-system-authlogin-fix-login-errors-aft.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-09-24 15:21:39 -04:00
Yi Zhao
3482e0e650 setools: switch to PEP-517 build backend
Fix QA warning:
WARNING: setools-4.5.1-r0 do_check_backend: QA Issue: inherits
setuptools3 but has pyproject.toml with setuptools.build_meta, use the
correct class [pep517-backend]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-08-26 08:16:18 -04:00
Yi Zhao
98294b19c0 mesa: rename mesa_%.bbappend to mesa.bbappend
The mesa recipe in the oe-core layer was renamed to mesa.bb in commit[1].
Rename the bbappend to adapt to this change.

[1] https://git.openembedded.org/openembedded-core/commit/?id=f5cfb3e23603cefb2f3f6bfe776afaedefd10808

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-08-26 08:16:18 -04:00
Weisser, Pascal
9e9c7b88ee Add SELinux specific configuration snippet for busybox.
This patch adds a SELinux specific configuration snippet for busybox to
enable SELinux support in busybox out of the box. This is needed to enable
SELinux specific command line options for certain commands like ps -Z.

Signed-off-by: "Weisser, Pascal" <pascal.weisser.ext@karlstorz.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-08-26 08:15:57 -04:00
Etienne Cordonnier
bef33cdd75 README: use simpler syntax to enable systemd
The variable INIT_MANAGER was added in yocto version Zeus / 3.0 and makes the selection of systemd easier.
See https://git.yoctoproject.org/poky/commit/?id=7508711b3835cc7890d46fda1b4a1c3da196ec9a for details.

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-08-26 08:11:44 -04:00
Yi Zhao
f0548e8c70 Fwd: [yocto-patches] [meta-selinux][PATCH 2/2] README: remove outdated section
 =?iso-8859-1?Q?4jVfZsRGT9DxzFUCjsO22MK3Up81JEprm9VKIoSQ3MPUGiUcSYTLgTPqwq?=
 =?iso-8859-1?Q?94VX6vo1AgPa1Zl5QZqSeg50wzOklYsazx+/FU7Yx+KB/8LyriDuoDDDtH?=
 =?iso-8859-1?Q?GauPtzowfw4pknV0UT7UMbnlnwZQYdkHkglSP7B0r4ou4fuUQSVBDJcGVG?=
 =?iso-8859-1?Q?5s0d+2HVGdlBiDZBBoLtQNpprN1z7ba4gkDaok/mq/3mcPF9xGsWg3prfb?=
 =?iso-8859-1?Q?TXdUDNXLFyXMSnpHQWQSZHz9yZFxhJIl34LONnCj6GnEDo69wp/RQ8TvIb?=
 =?iso-8859-1?Q?uPbQmM+NyKp0WX+k51oSlX8DcG7dHpdommpZ2FDrTklFFnTctIH6ccVv9w?=
 =?iso-8859-1?Q?WkLOMggBVjVKpPtRQAslAMDNOrSF8JFACkD5ZJBIF3pbezdpK5npGCBk/W?=
 =?iso-8859-1?Q?EIQJUCYbpatKkV+rLEHnEyweOnjBnYcr1a0nb1Xo2g78QcoFm4i3G4qIOh?=
 =?iso-8859-1?Q?s542hYtQGI2BMeoS/oDz9/WDTiUPJGpE/UerwO+Z3YXbg0lLQ6/eMt67vg?=
 =?iso-8859-1?Q?zYXsQN84xaaiAoMXWA8ICnhc3PNnV3vzNicLtu+c2U6AoAVlilPwSBYPvI?=
 =?iso-8859-1?Q?B+zin2Ou0pHNeNtPZDfy1UMcQfU+qeF/LkyGI9EfMqPc/w=3D=3D?=
MIME-Version: 1.0

From: Etienne Cordonnier <ecordonnier@snap.com>

After commit
https://git.yoctoproject.org/meta-selinux/commit/?id=9e986d7d794f044464e1af914ddbcd57d8f1c2e9 ,
it is not possible any more to choose a different version of the refpolicy, and
only the git version is maintained.

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-08-26 08:11:43 -04:00
Yi Zhao
15574a43de shadow: comment out pam_lastlog line in login pam file
The pam_lastlog module is deprecated and disabled by default in
linux-pam since 1.5.3[1]. Comment out this line to avoid loading
pam_lastlog module by default. Users can use lastlog2 provided by
util-linux as an alternative[2].

[1] 357a4ddbe9
[2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-07-24 10:52:09 -04:00
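A quick check for the configuration change described in the commit above, added here as an example and not code from meta-selinux or its authors: a POSIX shell function that scans a PAM service file for uncommented lines that still load pam_lastlog.so (the module deprecated in linux-pam 1.5.3), run against two constructed sample files that mimic the login file before and after the line is commented out. The file contents, temp-file handling and function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of meta-selinux: detect PAM service files that
# still load the deprecated pam_lastlog module.

# pam_lastlog_active FILE
# Print every line that would actually load pam_lastlog.so: leading
# whitespace is stripped first so an indented "# ..." is still treated as a
# comment, then comment lines are dropped before matching the module name.
pam_lastlog_active() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep 'pam_lastlog\.so'
}

# count_pam_lastlog_active FILE
# Number of active pam_lastlog lines in FILE (0 means the file is clean).
count_pam_lastlog_active() {
    pam_lastlog_active "$1" | wc -l | tr -d ' '
}

# pam_lastlog_verdict FILE
# One-word verdict for scripting: "deprecated" or "clean".
pam_lastlog_verdict() {
    if [ "$(count_pam_lastlog_active "$1")" -gt 0 ]; then
        echo deprecated
    else
        echo clean
    fi
}

# Constructed sample files (assumed shape of a shadow "login" PAM file;
# not copied from the recipe). Cleaned up when the script exits.
sample_before=$(mktemp)
sample_after=$(mktemp)
trap 'rm -f "$sample_before" "$sample_after"' EXIT

cat > "$sample_before" <<'EOF'
auth     optional  pam_faildelay.so  delay=3000000
auth     required  pam_unix.so
session  optional  pam_lastlog.so
session  optional  pam_motd.so
EOF

cat > "$sample_after" <<'EOF'
auth     optional  pam_faildelay.so  delay=3000000
auth     required  pam_unix.so
# session  optional  pam_lastlog.so
session  optional  pam_motd.so
EOF

for f in "$sample_before" "$sample_after"; do
    echo "$f: $(pam_lastlog_verdict "$f")"
    pam_lastlog_active "$f" | sed 's/^/    still loads: /'
done
```

Point the functions at /etc/pam.d/login (or any other service file) on a target image to confirm the change took effect; a "deprecated" verdict means pam_lastlog.so is still being loaded on that system.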
Alejandro Enedino Hernandez Samaniego
9b392cb0fd policycoreutils: fix packaging for sestatus binary
sestatus is provided as ${base_sbindir}/sestatus which is currently packaged into
PN-sestatus, however, this is only a symlink to the binary located in
${bindir}/sestatus.

This means that when runtime dependencies are calculated, bitbake properly detects
a dependency from policycoreutils-sestatus to the main policycoreutils package.

Hence the policycoreutils-sestatus package has no usability by itself. This has
several implications; one of them is that it recursively pulls all
runtime dependencies, making policycoreutils-sestatus require everything that the
main policycoreutils package RDEPENDS on, including python3.

By correctly splitting these packages, an image that RDEPENDS only on
policycoreutils-sestatus decreases its size by about 13MB.

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-07-24 10:50:23 -04:00
Yi Zhao
5a92976a86 refpolicy: update to latest git rev
* a6cf20736 filesystem, devices: move gadgetfs to usbfs_t
* 75492f95f systemd: make xdg optional
* 097d688ff sshd: label sshd-session as sshd_exec_t
* b57b6005c Setting bluetooth helper domain for bluetoothctl
* 30f451d6a Adding Sepolicy rules to allow pulseaudio to access
            bluetooth sockets.
* 7037c341f systemd: allow logind to use locallogin pidfds
* 5f7f494d1 userdomain: allow administrative user to get attributes of
            shadow history file
* 0126cb1e6 node_exporter: allow reading RPC sysctls
* 9c90f9f7d asterisk: allow reading certbot lib
* bfcaec9ba postfix: allow postfix pipe to watch mail spool
* 06a80c3d8 netutils: allow ping to read net sysctls
* 2e0509c9e node_exporter: allow reading localization
* 50a8cddd1 container: allow containers to execute tmpfs files
* 09a747a16 sysadm: make haproxy admin
* c8c3ae2cb haproxy: initial policy
* 4e97f87ce init: use pidfds from local login
* 7fd9032d8 dbus, init: add interface for pidfd usage
* a6d6921a9 asterisk: allow watching spool dirs
* 72c1d912f su, sudo: allow sudo to signal all su domains
* 8b3178248 sudo: allow systemd-logind to read cgroup state of sudo
* 871f0b0dd postfix: allow smtpd to mmap SASL keytab files
* 578375480 sysnetwork: allow ifconfig to read usr files
* 6916e9b20 systemd: allow systemd-logind to use sshd pidfds
* 96ebb7c4e Reorder perms and classes
* cb68df087 tests.yml: Add policy diff on PRs.
* 99258825c tests.yml: Divide into reusable workflows.
* 1e4b68930 Reorder perms and classes

Drop 0002-refpolicy-minimum-make-xdg-module-optional.patch and
0040-policy-modules-system-systemd-allow-systemd-logind-t.patch which
have been merged upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-07-24 09:21:52 -04:00
Yi Zhao
0dbf1bdc02 refpolicy: fixes for auditctl and rsyslog
* Allow auditctl to read the symlink of the var/log directory.
* Grant getpcap capability to syslogd_t.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-07-23 12:51:05 -04:00
Yi Zhao
37ede3a5fe refpolicy: update to latest git rev
* 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern
* 1cbe455a5 device: Move dev_rw_uhid definition
* 7a33b4bc8 Sepolicy changes for bluez to access uhid
* c6dd4087d selinuxutil: make policykit optional
* 10feb47e5 newrole: allow newrole to search faillock runtime directory
* bf34d3e5e sysnetwork: fixes for dhcpcd
* 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon
            to access unix stream sockets
* 27602a932 various: various fixes
* 63d50bbaa container, crio, kubernetes: minor fixes
* 11e729e27 container, podman: various fixes
* ef5954a0e systemd: allow systemd-sysctl to search tmpfs
* 472e0442e container: allow containers to getcap
* 7876e5151 container: allow system container engines to mmap runtime
            files
* d917092a8 matrixd: add tunable for binding to all unreserved ports
* 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries
* ddf395d5d asterisk: allow binding to all unreserved UDP ports
* 3bad3696b postgres: add a standalone execmem tunable
* ef28f7879 userdom: allow users to read user home dir symlinks
* 03711caea dovecot: allow dovecot-auth to read SASL keytab
* cd781e783 fail2ban: allow reading net sysctls
* ddc6ac493 init: allow systemd to use sshd pidfds
* b9c457d80 files context for merged-usr profile on gentoo
* 5040dd3b6 Need map perm for cockpit 300.4
* 2ef9838db tests.yml: Add sechecker testing
* c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type
* 1c694125b certbot: Drop execmem
* 349411d55 xen: Drop xend/xm stack
* 2a261f916 Allow systemd to pass down sig mask
* 2577feb83 cups: Remove PTAL
* 5b02b44e5 xen: Revoke kernel module loading permissions
* 1c20c002c minissdpd: Revoke kernel module loading permissions
* 5671390e2 docker: Fix dockerc typo in container_engine_executable_file
* e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t
* 0f71792c8 uml: Remove excessive access from user domains on
            uml_exec_t
* 511223e2d Set the type on /etc/machine-info to net_conf_t so
            hostnamectl can manipulate it (CRUD)
* 72fc1b2a3 fix: minor correction in MCS_CATS range comment
* cbf56c8ae systemd: allow notify client to stat socket

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-07-23 12:51:05 -04:00
Etienne Cordonnier
e77a4e1c93 selinux-python: make GPLv3 dependency optional
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-29 21:04:15 -04:00
Yi Zhao
c1f20cb764 setools: upgrade 4.4.4 -> 4.5.1
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.5.0
https://github.com/SELinuxProject/setools/releases/tag/4.5.1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-29 20:48:59 -04:00
Yi Zhao
e506763d39 selinux: upgrade 3.6 -> 3.7
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.7

* audit2allow -C for CIL output mode
* sepolgen: adjust parse for refpolicy
* semanage: Allow modifying records on "add"
* semanage: Do not sort local fcontext definitions
* Improved man pages
* checkpolicy: support CIDR notation for nodecon statements
* sandbox: Add support for Wayland
* Code improvements and bug fixes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-29 20:48:59 -04:00
Changqing Li
de19386222 recipes: WORKDIR -> UNPACKDIR transition
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00
Yi Zhao
8784122dde packagegroup-selinux-minimal: add missing runtime dependency selinux-autorelabel
Add selinux-autorelabel to reset the SELinux label on the root
filesystem at boot time.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00
Etienne Cordonnier
90330647da MAINTAINERS: fix description of section entries
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00