mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
b60fb46e68
* d05a0d068 networkmanager: Watch systemd directories for
nm-session-monitor.
* 3a60340e9 systemd: allow systemd-hostnamed and systemd-rfkill to get
attributes of nsfs inodes
* ccbf1d66f fixup! Allow to specify module version
* d664ebbaa Allow to specify module version
* 1c8a95dbc Fix mislabeling of /etc/shadow
* ec2b2befd locallogin: allow sulogin_t unconfined domtrans
* 450522052 use init_use_script_ptys for knotc in initscript
* 79dda56d3 locallogin: dontaudit sulogin_t checkpoint_restore
* 4b3b8e7ce lldpad: Configure FW-LLDP on i40e NICs.
* ed9d87976 Revert "Merge pull request #867 from PPN-SD/upd-knot-sel"
* e053fced8 files, init: filetrans /run/machine-id etc_runtime_t
* c5a76add7 firewalld: fix firewalld_t firewalld_tmpfs_t exec
* 8a4043060 firewalld: fix lib_t Python cache denial auditing
* bcb8e1d4d unconfined: fix oddjob security_compute_sid
* ec8a5080a Permit init_t to start a detached screen session
* b025e0ec4 Add setcap to knotd / add knotc_initrc_domtrans
* 231960371 chronyd: fix dac_read_search denials
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||
|---|---|---|
| classes | ||
| conf | ||
| dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils | ||
| recipes-connectivity | ||
| recipes-core | ||
| recipes-devtools/rpm | ||
| recipes-extended | ||
| recipes-graphics | ||
| recipes-kernel | ||
| recipes-security | ||
| recipes-support | ||
| .gitignore | ||
| MAINTAINERS | ||
| README | ||
| SELinux-FAQ | ||
meta-selinux ============ This layer's purpose is enabling SE Linux support. The majority of this layers work is accomplished in bbappend files, used to enable SE Linux support in existing recipes. A new recipes-security was added. The purpose of this category is to add software specific to system security. Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Dependencies ------------ This layer depends on the openembedded-core metadata and the meta-python and meta-oe layers from the meta-openembedded repository. Maintenance ----------- Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Building the meta-selinux layer ------------------------------- In order to add selinux support to the poky build this layer should be added to your projects bblayers.conf file. By default the selinux components are disabled. This conforms to the Yocto Project compatible guideline that indicate that simply including a layer should not change the system behavior. In order to use the components in this layer you must add the 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. e.g. DISTRO_FEATURES:append = " acl xattr pam selinux" You must also specify a preferred provider for the virtual/refpolicy. The included policies with this layer are simply reference policies and will need to be tailored for your environment. * Enable the refpolicy-mls: e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls" Using different init manager ---------------------------- By default selinux enabled images coming up with "sysvinit" as init manager, we can use "systemd" as an init manager using below changes to local.conf * enable systemd as init manager changes to local.conf INIT_MANAGER = "systemd" Enable labeling on first boot ---------------------------- By default, the system will label selinux contexts during build. To enable labeling on first boot. Set FIRST_BOOT_RELABEL to 1 in local.conf: FIRST_BOOT_RELABEL = "1" Starting up the system ---------------------- Most likely the reference policy selected will not just work "out of the box". As always, if you update the reference policy to better work with OpenEmbedded or Poky configurations, please submit the changes back to the project. When using 'core-image-selinux', the system will boot and automatically setup the policy by running the "fixfiles -f -F relabel" for you. This is implemented via the 'selinux-autorelabel' recipe. The 'core-image-selinux-minimal' does not automatically relabel the system. So you must boot using the parameters "selinux=1 enforcing=0", and then manually perform the setup. Running 'fixfiles -f -F relabel' is available in this configuration. After logging in you can verify selinux is present using: $ sestatus Output should include: SELinux status: enabled ... Current mode: enforcing ... The above indicates that selinux is currently running, and if you are running in an enforcing mode or not. License ------- All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated. This README document is Copyright (C) 2012 Wind River Systems, Inc.