mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
fd039518bd
* 82b4448e1 Additional file context fix for:
* 65eed16b5 policy/modules/services/smartmon.te: make fstools optional
* 2e27be3c5 Let the certmonger module manage SSL Private Keys and CSR
used for example by the HTTP and/or Mail Transport daemons.
* 912d3a687 Let the webadm role manage Private Keys and CSR for SSL
Certificates used by the HTTP daemon.
* 5c9038ec9 Create new TLS Private Keys file contexts for the Apache
HTTP server according to the default locations:
* b38583a79 The LDAP server only needs to read generic certificate
files, not manage them.
* 100a853c0 rpm: fixes for dnf
* 8839a7137 Modify the gpg module so that gpg and the gpg_agent can
manage gpg_runtime_t socket files.
* 780adb80a Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
||
|---|---|---|
| classes | ||
| conf | ||
| dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils | ||
| recipes-connectivity | ||
| recipes-core | ||
| recipes-devtools/rpm | ||
| recipes-extended | ||
| recipes-graphics | ||
| recipes-kernel | ||
| recipes-security | ||
| recipes-support | ||
| .gitignore | ||
| MAINTAINERS | ||
| README | ||
| SELinux-FAQ | ||
meta-selinux ============ This layer's purpose is enabling SE Linux support. The majority of this layers work is accomplished in bbappend files, used to enable SE Linux support in existing recipes. A new recipes-security was added. The purpose of this category is to add software specific to system security. Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Dependencies ------------ This layer depends on the openembedded-core metadata and the meta-python and meta-oe layers from the meta-openembedded repository. Maintenance ----------- Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. Building the meta-selinux layer ------------------------------- In order to add selinux support to the poky build this layer should be added to your projects bblayers.conf file. By default the selinux components are disabled. This conforms to the Yocto Project compatible guideline that indicate that simply including a layer should not change the system behavior. In order to use the components in this layer you must add the 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. e.g. DISTRO_FEATURES:append = " acl xattr pam selinux" You must also specify a preferred provider for the virtual/refpolicy. The included policies with this layer are simply reference policies and will need to be tailored for your environment. * Enable the refpolicy-mls: e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls" Using different versions of refpolicy ------------------------------------- To prepare selinux enabled images using different ver. of refpolicy, we can choose supported releases of refpolicy refer to available versions under recipes-security/refpolicy We can use the refpolicy directly from git repository instead of release tarballs. By default refpolicy from git builds head commit of master branch, we can update SRCREV for refpolicy and refpolicy-contrib as appropriate at refpolicy_git.inc to check refpolicy as per required commits. * enable the preferred refpolicy-minimum: PREFERRED_VERSION_refpolicy-minimum = "2.20151208" PREFERRED_VERSION_refpolicy = "2.20151208" Using different init manager ---------------------------- By default selinux enabled images coming up with "sysvinit" as init manager, we can use "systemd" as an init manager using below changes to local.conf * enable systemd as init manager changes to local.conf DISTRO_FEATURES:remove = " sysvinit" DISTRO_FEATURES:append = " systemd" VIRTUAL-RUNTIME_init_manager = "systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED = "" Enable labeling on first boot ---------------------------- By default, the system will label selinux contexts during build. To enable labeling on first boot. Set FIRST_BOOT_RELABEL to 1 in local.conf: FIRST_BOOT_RELABEL = "1" Starting up the system ---------------------- Most likely the reference policy selected will not just work "out of the box". As always, if you update the reference policy to better work with OpenEmbedded or Poky configurations, please submit the changes back to the project. When using 'core-image-selinux', the system will boot and automatically setup the policy by running the "fixfiles -f -F relabel" for you. This is implemented via the 'selinux-autorelabel' recipe. The 'core-image-selinux-minimal' does not automatically relabel the system. So you must boot using the parameters "selinux=1 enforcing=0", and then manually perform the setup. Running 'fixfiles -f -F relabel' is available in this configuration. After logging in you can verify selinux is present using: $ sestatus Output should include: SELinux status: enabled ... Current mode: enforcing ... The above indicates that selinux is currently running, and if you are running in an enforcing mode or not. License ------- All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated. This README document is Copyright (C) 2012 Wind River Systems, Inc.