Commit Graph

1002 Commits

Author SHA1 Message Date
Changqing Li
de19386222 recipes: WORKDIR -> UNPACKDIR transition
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00
Yi Zhao
8784122dde packagegroup-selinux-minimal: add missing runtime dependency selinux-autorelabel
Add selinux-autorelabel to reset the SELinux label on the root
filesystem at boot time.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00
Etienne Cordonnier
90330647da MAINTAINERS: fix description of section entries
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-06-26 11:09:53 -04:00
Yi Zhao
769274a8ca refpolicy: update to latest git rev
* 0aff1990e quote: read localization
* ab13c0421 getty: grant checkpoint_restore
* 3643773ae Update SOS report to work on RHEL9
* 523b279bd Setup domain for dbus selinux interface

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-04-19 20:21:17 -04:00
Yi Zhao
d98d658347 MAINTAINERS: update to new yocto-patches mailing list
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2024-04-19 20:21:17 -04:00
Philip Lorenz
5006df6137 busybox: Fix wrapper creation
`PACKAGEBUILDPKGD` was dropped in Yocto 4.2 and
`PACKAGE_PREPROCESS_FUNCS` should be used instead. The only requirement
for wrapper creation is that it is executed before any of the
`update-alternatives` hooks are executed. This continues to hold as the
call to `create_sh_wrapper_reset_alternative_vars` is prepended only
after the `update-alternatives` class has been inherited.

Additionally, this also fixes a race condition leading to
non-deterministic buildhistory entries in busybox's `sysroot` files.
The race condition was caused by the creation of the wrapper files
inside `D` (i.e. the image directory) which is also consumed by other
tasks such as `do_populate_sysroot` which may be executing in parallel
to `do_package`.

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-03-28 10:01:42 -04:00
Joe MacDonald
b1eddc23d6 MAINTAINERS: Update contact email address
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-03-20 07:33:49 -04:00
Yi Zhao
1d702c31ea layer.conf: update for the scarthgap release series
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-03-20 07:32:53 -04:00
Yi Zhao
7fc76cf77b refpolicy: upgrade 20231002+git -> 20240226+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/blob/main/Changelog

Notable Changes:
  Many systemd updates up to v255
  RPM and dnf fixes
  Tighten private key handling for Apache
  Many container and kubernetes improvements
  Add support for Cilium
  Update object class definitions up to io_uring:cmd
  Add additional rules to cloud-init based on sysadm_t

* Update to latest git rev.
* Refresh patches.
* Add a patch to fix reboot timeout error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-03-12 08:34:35 -04:00
Yi Zhao
4544e817a1 refpolicy: drop ${SRCPV} usage
Drop SRCPV as this variable is no longer needed in PV[1].

[1] https://git.openembedded.org/openembedded-core/commit/?id=a8e7b0f932b9ea69b3a218fca18041676c65aba0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-02-28 07:49:48 -05:00
Yi Zhao
6fcfb3a600 refpolicy: update to latest git rev
Update to latest rev to fix policy for systemd 255.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-02-27 12:30:21 -05:00
Yi Zhao
f4f7ef11cd eudev: remove PACKAGECONFIG[selinux]
Drop PACKAGECONFIG[selinux] as it was added to eudev recipe in
oe-core[1].

[1] https://git.openembedded.org/openembedded-core/commit/?id=e6c18c9d9d0e11a6a93cca14dbe622707cf25515

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-02-27 12:30:20 -05:00
Yi Zhao
95113a29c7 rpm: remove PACKAGECONFIG[selinux]
Drop PACKAGECONFIG[selinux] as it was added to rpm recipe in oe-core[1].

[1] https://git.openembedded.org/openembedded-core/commit/?id=38549d462b399e3a63335f60a44c8bbced98639a

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-02-27 12:30:20 -05:00
Yi Zhao
39a5525a22 libselinux-python: add recipe
We merged libselinux recipe and libselinux-python recipe in commit[1]
because we thought the circular dependency was gone. But unfortunately,
it still exists.

Here are the steps to reproduce:
$ echo "DISTRO_FEATURES:append = \" x11\"" >> conf/local.conf
$ echo "PACKAGECONFIG:append:pn-python3 = \" tk\"" >> conf/local.conf
$ bitbake core-image-selinux -n

So we still need to split the libselinux recipe into two recipes:
libselinux and libselinux-python.

[1] https://git.yoctoproject.org/meta-selinux/commit/?id=62b9c816a5000dc01b28e78213bde26b58cbca9d

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2024-01-24 10:20:31 -05:00
Yi Zhao
7d5dc44b35 setools: upgrade 4.4.3 -> 4.4.4
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.4

* Refresh local patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
8950bef26c semodule-utils: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
085abdcf42 selinux-sandbox: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
24e994955d selinux-gui: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
a14ae01ba9 selinux-dbus: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
94ee9d0a42 selinux-python: upgrade 3.5 -> 3.6
* Refresh patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
527b6649e9 restorecond: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
5044ef5352 mcstrans: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
72608839b9 policycoreutils: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
28fac29be9 secilc: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
1cde561650 checkpolicy: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:31 -05:00
Yi Zhao
6bd4f3c633 libsemanage: upgrade 3.5 -> 3.6
* Refresh patches

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:30 -05:00
Yi Zhao
62b9c816a5 libselinux: upgrade 3.5 -> 3.6
* Refresh patches.
* Merge libselinux and libselinux-python.
  The previous libselinux recipe was split into libselinux and
  libselinux-python due to a loop dependency[1]. Now that this error is
  gone, we can merge these two recipes into one again.

[1] https://git.yoctoproject.org/meta-selinux/commit/?id=7bb1507928f2e0f54ff8eac4135e15e821cdb1e2

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:30 -05:00
Yi Zhao
1b43d4d921 libsepol: upgrade 3.5 -> 3.6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:30 -05:00
Yi Zhao
55c246a112 selinux: upgrade 3.5 -> 3.6
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.6

* Switch branch to main

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-18 11:06:30 -05:00
Yi Zhao
3fb3324540 refpolicy: fix login errors after enabling systemd DynamicUser
After oe-core commit ba3a78c0[1], domains using PAM need to read
/etc/shadow.

[1] https://git.openembedded.org/openembedded-core/commit/?id=ba3a78c08cb0ce08afde049610d3172b9e3b0695

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-14 10:23:31 -05:00
Yi Zhao
fd039518bd refpolicy: update to latest git rev
* 82b4448e1 Additional file context fix for:
* 65eed16b5 policy/modules/services/smartmon.te: make fstools optional
* 2e27be3c5 Let the certmonger module manage SSL Private Keys and CSR
            used for example by the HTTP and/or Mail Transport daemons.
* 912d3a687 Let the webadm role manage Private Keys and CSR for SSL
            Certificates used by the HTTP daemon.
* 5c9038ec9 Create new TLS Private Keys file contexts for the Apache
            HTTP server according to the default locations:
* b38583a79 The LDAP server only needs to read generic certificate
            files, not manage them.
* 100a853c0 rpm: fixes for dnf
* 8839a7137 Modify the gpg module so that gpg and the gpg_agent can
            manage gpg_runtime_t socket files.
* 780adb80a Simple patch for Brother printer drivers as described in:
            https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-12-14 10:23:31 -05:00
Yi Zhao
ff95c536a5 README: update
Add how to enable labeling on first boot.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-10-12 10:14:19 -04:00
Yi Zhao
e29104086e selinux-autorelabel: enable labeling during build
Previously, systems using systemd would label SELinux contexts on first
boot, while systems using sysvinit would label during build. Add a
variable FIRST_BOOT_RELABEL as a switch to control labeling and make the
behavior of sysvinit and systemd consistent.

Set FIRST_BOOT_RELABEL to 1 in local.conf to enable labeling on first
boot.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-10-12 10:14:19 -04:00
Yi Zhao
46ec0414b4 selinux-image.bbclass: refactor bbclass
The selinux_set_labels function should run as late as possible. To
guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in the
RecipePreFinalise event handler, which ensures it is the last function in
IMAGE_PREPROCESS_COMMAND.

After refactoring, systems using systemd can also label SELinux contexts
during build.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-10-12 10:14:19 -04:00
Yi Zhao
ce049565e1 layer.conf: update LAYERSERIES_COMPAT for nanbield
oe-core has switched to nanbield in:
https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-10-12 10:14:19 -04:00
Yi Zhao
0d58268e29 refpolicy: upgrade 20221101+git -> 20231002+git
* Switch branch to main.
* Update to latest git rev.
* Drop obsolete and useless patches.
* Refresh patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-10-12 10:14:19 -04:00
Yi Zhao
e44d4ff853 libselinux-python: fix build with musl
libselinux-python also requires the patch provided by [1] to fix the
build with musl.

[1] https://git.yoctoproject.org/meta-selinux/commit/?id=23d8e2d86317170c0a3c155640c71b83329ff726

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-09-05 14:36:06 -04:00
Yi Zhao
2ff4de94fd linux-yocto: drop CONFIG_SECURITY_SELINUX_DISABLE
CONFIG_SECURITY_SELINUX_DISABLE has been removed since kernel 6.4[1][2].

[1] https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f22f9aaf6c3d92ebd5ad9e67acc03afebaaeb289

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-09-05 14:36:06 -04:00
Yi Zhao
dea065096b selinux-python: add python3-distro and binutils to RDEPENDS
Add python3-distro and binutils to RDEPENDS for sepolicy to fix runtime
error:

$ sepolicy -h
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 690, in <module>
    gen_manpage_args(subparsers)
  File "/usr/bin/sepolicy", line 375, in gen_manpage_args
    man.add_argument("-o", "--os", dest="os", default=get_os_version(),

  File "/usr/lib/python3.11/site-packages/sepolicy/__init__.py", line 1245, in get_os_version
    import distro
ModuleNotFoundError: No module named 'distro'

$ sepolicy generate --init /usr/sbin/sshd
/bin/sh: line 1: nm: command not found

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-09-05 14:36:06 -04:00
Yi Zhao
5933e66507 setools: upgrade 4.4.2 -> 4.4.3
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.3

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-08-08 10:34:54 -04:00
Renato Caldas
23d8e2d863 libselinux: fix compilation with musl
Signed-off-by: Renato Caldas <renato@calgera.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-07-31 15:08:04 -04:00
schitrod=cisco.com@lists.yoctoproject.org
bd3902cb93 selinux: Set CVE_PRODUCT
The CVE product name for the selinux-* packages is (usually) selinux
(and not our recipe name), so use selinux as the default.

See also:
http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html

"Results from cve-check are not very good at the moment.
One of the reasons for this is that component names used in CVE
database differ from yocto recipe names. This series fixes several
of those name mapping problems by setting the CVE_PRODUCT correctly
in the recipes. To check this mapping after a build, I'm exporting
LICENSE and CVE_PRODUCT variables to buildhistory for recipes and
packages."

Value added is based on:
https://nvd.nist.gov/vuln/search/results?results_type=overview&search_type=all&cpe_product=cpe%3A%2F%3Akernel%3Aselinux

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-05-31 09:43:14 -04:00
Yi Zhao
47858343ed linux-yocto: drop CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is deprecated and will be
rejected in a future kernel release[1].

[1] https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-04-30 21:33:46 -04:00
Yi Zhao
0c8af77822 setools: upgrade 4.1 -> 4.2
ChangeLog:
https://github.com/SELinuxProject/setools/releases/tag/4.4.2

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-04-30 21:33:46 -04:00
Yi Zhao
c370b82cde semodule-utils: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00
Yi Zhao
4da226c5c5 selinux-sandbox: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00
Yi Zhao
06ea8425ae selinux-gui: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00
Yi Zhao
64be33c89e selinux-dbus: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00
Yi Zhao
ff424dc4cf selinux-python: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

* Refresh patch.
* Drop backport patch.
* Add dependency python3-setuptools-scm-native to fix build error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00
Yi Zhao
1f4cefc882 restorecond: upgrade 3.4 -> 3.5
License-Update: Rename COPYING to LICENSE. No content changes.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
2023-03-27 09:34:02 -04:00