mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
9f5a46620a
* a6cf20736 filesystem, devices: move gadgetfs to usbfs_t
* 75492f95f systemd: make xdg optional
* 097d688ff sshd: label sshd-session as sshd_exec_t
* b57b6005c Setting bluetooth helper domain for bluetoothctl
* 30f451d6a Adding Sepolicy rules to allow pulseaudio to access
bluetooth sockets.
* 7037c341f systemd: allow logind to use locallogin pidfds
* 5f7f494d1 userdomain: allow administrative user to get attributes of
shadow history file
* 0126cb1e6 node_exporter: allow reading RPC sysctls
* 9c90f9f7d asterisk: allow reading certbot lib
* bfcaec9ba postfix: allow postfix pipe to watch mail spool
* 06a80c3d8 netutils: allow ping to read net sysctls
* 2e0509c9e node_exporter: allow reading localization
* 50a8cddd1 container: allow containers to execute tmpfs files
* 09a747a16 sysadm: make haproxy admin
* c8c3ae2cb haproxy: initial policy
* 4e97f87ce init: use pidfds from local login
* 7fd9032d8 dbus, init: add interface for pidfd usage
* a6d6921a9 asterisk: allow watching spool dirs
* 72c1d912f su, sudo: allow sudo to signal all su domains
* 8b3178248 sudo: allow systemd-logind to read cgroup state of sudo
* 871f0b0dd postfix: allow smtpd to mmap SASL keytab files
* 578375480 sysnetwork: allow ifconfig to read usr files
* 6916e9b20 systemd: allow systemd-logind to use sshd pidfds
* 96ebb7c4e Reorder perms and classes
* cb68df087 tests.yml: Add policy diff on PRs.
* 99258825c tests.yml: Divide into reusable workflows.
* 1e4b68930 Reorder perms and classes
Drop 0002-refpolicy-minimum-make-xdg-module-optional.patch and
0040-policy-modules-system-systemd-allow-systemd-logind-t.patch which
have been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
|
||
|---|---|---|
| classes | ||
| conf | ||
| dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils | ||
| recipes-connectivity | ||
| recipes-core | ||
| recipes-devtools/rpm | ||
| recipes-extended | ||
| recipes-graphics | ||
| recipes-kernel | ||
| recipes-security | ||
| recipes-support | ||
| .gitignore | ||
| MAINTAINERS | ||
| README | ||
| SELinux-FAQ | ||
meta-selinux ============ This layer's purpose is enabling SE Linux support. The majority of this layers work is accomplished in bbappend files, used to enable SE Linux support in existing recipes. A new recipes-security was added. The purpose of this category is to add software specific to system security. Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Dependencies ------------ This layer depends on the openembedded-core metadata and the meta-python and meta-oe layers from the meta-openembedded repository. Maintenance ----------- Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Building the meta-selinux layer ------------------------------- In order to add selinux support to the poky build this layer should be added to your projects bblayers.conf file. By default the selinux components are disabled. This conforms to the Yocto Project compatible guideline that indicate that simply including a layer should not change the system behavior. In order to use the components in this layer you must add the 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. e.g. DISTRO_FEATURES:append = " acl xattr pam selinux" You must also specify a preferred provider for the virtual/refpolicy. The included policies with this layer are simply reference policies and will need to be tailored for your environment. * Enable the refpolicy-mls: e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls" Using different versions of refpolicy ------------------------------------- To prepare selinux enabled images using different ver. of refpolicy, we can choose supported releases of refpolicy refer to available versions under recipes-security/refpolicy We can use the refpolicy directly from git repository instead of release tarballs. By default refpolicy from git builds head commit of master branch, we can update SRCREV for refpolicy and refpolicy-contrib as appropriate at refpolicy_git.inc to check refpolicy as per required commits. * enable the preferred refpolicy-minimum: PREFERRED_VERSION_refpolicy-minimum = "2.20151208" PREFERRED_VERSION_refpolicy = "2.20151208" Using different init manager ---------------------------- By default selinux enabled images coming up with "sysvinit" as init manager, we can use "systemd" as an init manager using below changes to local.conf * enable systemd as init manager changes to local.conf DISTRO_FEATURES:remove = " sysvinit" DISTRO_FEATURES:append = " systemd" VIRTUAL-RUNTIME_init_manager = "systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED = "" Enable labeling on first boot ---------------------------- By default, the system will label selinux contexts during build. To enable labeling on first boot. Set FIRST_BOOT_RELABEL to 1 in local.conf: FIRST_BOOT_RELABEL = "1" Starting up the system ---------------------- Most likely the reference policy selected will not just work "out of the box". As always, if you update the reference policy to better work with OpenEmbedded or Poky configurations, please submit the changes back to the project. When using 'core-image-selinux', the system will boot and automatically setup the policy by running the "fixfiles -f -F relabel" for you. This is implemented via the 'selinux-autorelabel' recipe. The 'core-image-selinux-minimal' does not automatically relabel the system. So you must boot using the parameters "selinux=1 enforcing=0", and then manually perform the setup. Running 'fixfiles -f -F relabel' is available in this configuration. After logging in you can verify selinux is present using: $ sestatus Output should include: SELinux status: enabled ... Current mode: enforcing ... The above indicates that selinux is currently running, and if you are running in an enforcing mode or not. License ------- All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated. This README document is Copyright (C) 2012 Wind River Systems, Inc.