aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2022-11-23refpolicy: upgrade 20210908+git -> 20221101+gitlangdaleYi Zhao
* Update to latest git rev. * Drop obsolete and useless patches. * Rebase patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-11-07libsepol: fix build failure for refpolicy-mlsYi Zhao
Backport a patch to fix build failure for refpolicy-mls: | Creating mls xserver.pp policy package | libsepol.validate_user_datum: Invalid user datum | libsepol.validate_datum_array_entries: Invalid datum array entries | libsepol.validate_policydb: Invalid policydb | /buildarea/build/tmp/work/qemux86_64-poky-linux/refpolicy-mls/2.20220520+gitAUTOINC+f311d401cd-r0/recipe-sysroot-native/usr/bin/semodule_package: Error while reading policy module from tmp/xserver.mod | make: *** [Rules.modular:98: xserver.pp] Error 1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-11-07base-files: set correct label for /var/volatileYi Zhao
By default /var/volatile will be mounted with tmpfs_t instead of var_t label, which will cause us to have to add some extra rules to eliminate avc denials of some services. Set rootcontext for /var/volatile in fstab to make sure it is mounted with correct label. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-11-07SELinux-FAQ: remove references to poky-selinux distroYi Zhao
Update SELinux-FAQ as the poky-selinux distro has been removed for a long time. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-10-02layer.conf: add langdale to LAYERSERIES_COMPATYi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-10-02libsemanage: Add python3 to dependenciesOleksiy Obitotskyy
Recipe have implicit dependency on nativesdk-python, so recipe-sysroot-root populated with python headers. But during build code look for headers into recipe-sysroot. Add python dependency explicitly. Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28setools: fix buildpaths issueYi Zhao
Fixes: QA Issue: File /usr/src/debug/setools/4.4.0-r0/setools/policyrep.c in package setools-src contains reference to TMPDIR [buildpaths] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28semodule-utils: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28selinux-sandbox: upgrade 3.3 -> 3.4Yi Zhao
* Backport a patch to fix chcat runtime error. * Refresh patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28selinux-gui: upgrade 3.3 -> 3.4Yi Zhao
Backport a patch to fix chcat runtime error. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28selinux-dbus: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28selinux-python: upgrade 3.3 -> 3.4Yi Zhao
* Backport a patch to fix chcat runtime error. * Refresh patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28restorecond: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28mcstrans: upgrade 3.3 -> 3.4Yi Zhao
Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28policycoreutils: upgrade 3.3 -> 3.4Yi Zhao
Refresh patch. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28secilc: upgrade 3.3 -> 3.4Yi Zhao
Use precise license BSD-2-Clause instead of license BSD. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28checkpolicy: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28libsemanage: upgrade 3.3 -> 3.4Yi Zhao
Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28libselinux-python: upgrade 3.3 -> 3.4Yi Zhao
* Use libpcre2 instead of libpcre. * Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28libselinux: upgrade 3.3 -> 3.4Yi Zhao
Use libpcre2 instead of libpcre. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28libsepol: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-08-28selinux: upgrade 3.3 -> 3.4Yi Zhao
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-07-06refpolicy: add file context for findfs alternativeYi Zhao
Add file context for findfs alternative which is provided by util-linux. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-07-06refpolicy: backport patches to fix policy issues for systemd 250Yi Zhao
Backport the following patches to fix systemd-resolved and systemd-netowrkd policy issues: systemd-systemd-resolved-is-linked-to-libselinux.patch sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch term-init-allow-systemd-to-watch-and-watch-reads-on-.patch systemd-add-file-transition-for-systemd-networkd-run.patch systemd-add-missing-file-context-for-run-systemd-net.patch systemd-add-file-contexts-for-systemd-network-genera.patch systemd-udev-allow-udev-to-read-systemd-networkd-run.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-05-16selinux-python: add RDEPENDES on python3-multiprocessingYi Zhao
Add RDEPENDS on python3-multiprocessing for selinux-python-sepolicy to fix runtime error: $ sepolicy Traceback (most recent call last): File "/usr/bin/sepolicy", line 28, in <module> from multiprocessing import Pool ModuleNotFoundError: No module named 'multiprocessing' Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-04-19LICENSE: update to SPDX standard namesJoe Slater
Use convert-spdx-licenses.py to update LICENSE names in recipes. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-04-19meta-selinux: Use SPDX style licensing formatAshish Sharma
WARNING: checkpolicy-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: setools-4.4.0-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 LGPLv2.1 [obsolete-license] \ WARNING: policycoreutils-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: refpolicy-standard-2.20210908+gitAUTOINC+23a8d103f3-r0.2 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ WARNING: selinux-python-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: ecryptfs-utils-111-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-2.0 [obsolete-license] \ WARNING: nikto-2.1.6-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ WARNING: bastille-3.2.1-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ WARNING: suricata-6.0.4-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ WARNING: samhain-server-4.4.6-r0.7 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ ... Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-03-01Update compat to kirkstoneJeremy Puhlman
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-02-07prelink: drop bbappendTim Orling
prelink has been dropped from oe-core [1], so the bbappend can no longer be applied. [1] https://git.openembedded.org/openembedded-core/commit/?id=23c0be78106f1d1e2bb9c724174a1bb8c56c2469 Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2022-01-18refpolicy: upgrade 20210203+git -> 20210908+gitYi Zhao
* Update to latest git rev. * Drop obsolete and useless patches. * Rebase patches. * Set POLICY_DISTRO from redhat to debian, which can reduce the amount of local patches. * Set max kernel policy version from 31 to 33. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-12-08selinux: upgrade 3.2 -> 3.3Yi Zhao
Drop backport CVE patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-12-08selinux: move selinux scripts to selinux-scriptsYi Zhao
There are too many recipes in recipes-security/selinux. Keep the selinux userspace recipes and move selinux scripts to selinux-scripts directory to make the directory hierarchy clearer. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-12-08selinux-python: add RDEPENDES on audit-pythonYi Zhao
Add RDEPENDS on audit-python for selinux-python-semanage. Fixes: $ semanage fcontext -a -t user_home_t "/web(/.*)?" Traceback (most recent call last): File "/usr/sbin/semanage", line 975, in <module> do_parser() File "/usr/sbin/semanage", line 947, in do_parser args.func(args) File "/usr/sbin/semanage", line 329, in handleFcontext OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser) File "/usr/lib/python3.9/site-packages/seobject.py", line 2485, in add self.__add(target, type, ftype, serange, seuser) File "/usr/lib/python3.9/site-packages/seobject.py", line 2481, in __add self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype],) NameError: name 'audit' is not defined Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-11-23selinux: inherit pkgconfigJoe MacDonald
Ensure the correct build options are passed during builds. Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-11-22sysvinit: sync bbappend to 3.0Yi Zhao
The sysvinit in oe-core has been upgraded to 3.0. Update the bbappend to adapt it. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-11-22bind: remove volatile fileYi Zhao
This file is not needed anymore as bind daemon will create them by itself. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-11-22recipes: update SRC_URI branch and protocolsYi Zhao
Update SRC_URIs using git to include branch=master if no branch is set and also to use protocol=https for github urls. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-29coreutils/findutils/tar: remove pkgconfig from bbappendMingli Yu
When enable meta-gplv2 layer [1], there comes below error: ERROR: coreutils-6.9-r5 do_configure: QA Issue: coreutils: configure was passed unrecognised options: --without-selinux [unknown-configure-option] ERROR: coreutils-6.9-r5 do_configure: Fatal QA errors found, failing task. It's because the old version of coreutils under meta-gplv2 layer doesn't support the above configure option, so move the related pkgconfig setting to the coreutils recipe under oe-core [2] which supports the configure option to fix the gap. And the findutils and tar also have the problem. [1] http://git.yoctoproject.org/cgit/cgit.cgi/meta-gplv2/ [2] https://git.openembedded.org/openembedded-core/ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-29libsepol: Security fix for CVE-2021-36086Yi Zhao
CVE-2021-36086: The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list). Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-36086 Patch from: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-16secilc: Security fix for CVE-2021-36087Armin Kuster
Source: https://github.com/SELinuxProject/selinux MR: 111869 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6 Description: Affects: secilc <= 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-16libsepol: Security fix CVE-2021-36085Armin Kuster
Source: https://github.com/SELinuxProject/selinux/ MR: 111857 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4 Description: Affects: libsepol <= 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-09-16libsepol: Security fix CVE-2021-36084Armin Kuster
Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29python3-networkx: drop bbappendYi Zhao
It is useless as setools-native build is disabled. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29python3-decorator: drop bbappendYi Zhao
It is useless as setools-native build is disabled. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29setools: disable native/nativesdk buildYi Zhao
Disable native/nativesdk build as they don't work for a long time. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29net-tools: fix selinux buildYi Zhao
Simply adding EXTRA_OEMAKE doesn't work for selinux build. We need to modify config files in do_configure. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29sysklogd: sync the initscript to latest oe-core versionYi Zhao
The sysklogd has been updated to 2.2.3 in oe-core. Update the initscript to adapt it. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29classes: drop redundant classesYi Zhao
There are some redundant classes: enable-selinux.bbclass, with-selinux.bbclass, meson-enable-selinux.bbclass, meson-selinux.bbclass, enable-audit.bbclass, with-audit.bbclass. These classes only add PACKAGEOCNFIG[selinux]/[audit] to recipes. But currently most recipes have added PACKAGECONFIG[selinux]/[audit] in their bb files. We don't need these anymore. Only keep enable-selinux.class and enable-audit.class to append PACKAGECONFIG[selinux]/[audit] for recipes. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29python2: drop bbappendYi Zhao
This bbappend was added long time ago and it is useless now. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2021-08-29lxc: drop bbappendYi Zhao
The PACKAGECONFIG[selinux] is enabled in lxc recipe. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-06-06 23:46:15 +0000