[yocto] [Yocto pyro] username adding via recipe in capital letters allowed?
Hi,

I am using yocto pyro and for creating users via recipe using inherit useradd, followed http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb?h=pyro. With lowercase I am able to create a user, e.g. user, as expected, but I just want to check whether adding a username via recipe in capital letters is allowed?

I tried a capital/uppercase and lowercase mixed user, e.g. User, or only capital/uppercase, e.g. USER, and I am getting a failure:

    ERROR: user-1.0-r0 do_prepare_recipe_sysroot: user: useradd command did not succeed.

Based on current findings it seems capital letters are not allowed, but it is worth confirming once if anyone faced similar stuff and whether there is any way to do it.

Any pointers or details will be helpful.

Thanks
Shrikant
--
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] SELinux with Busybox on morty
Hi Marco,

On similar lines, as Joe suggested please try with refpolicy 2.20151208 from morty. Also I would like to recommend starting with the refpolicy-minimum policy variant, then you can explore other variants like refpolicy-targeted.

On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini wrote:
>
> Hi Joe & Shrikant,
>
> Many thanks for your response. It was good to know that busybox can function with SELinux enforcing enabled.
>
I also confirm busybox works fine with enforcing mode on the minimum variant, used it in multiple ways.

> Sorry not to mention the policy we're currently using. It's:
>
>     refpolicy-targeted
>
>     ||/ Name                Version  Architecture  Description
>     +++-===================-========-=============-========================
>     ii  refpolicy-targeted  git-r0   amd64         SELinux targeted policy
>
> We'll build policy based on 2.20151208 and give it a try to see how it behaves.
>
> It appears to me that policy itself is responsible for semanage not functioning. When I try:
>
>     semanage -v port -l
>
> I see errors like this:
>
>     1088. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1095
>     1089. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1096
>
> or
>
>     time->Mon Jul 24 07:29:46 2017
>     type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
>     type=SYSCALL msg=audit(1500881386.907:1101): arch=c03e syscall=2 success=no exit=-13 a0=7ddf20 a1=2c1 a2=81a4 a3=5640003640100 items=0 ppid=496 pid=1201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python2.7" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
>     type=AVC msg=audit(1500881386.907:1101): avc: denied { write } for pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
>
> The majority of the errors however are related to start_getty:
>
>     142. 07/24/17 06:14:04 start_getty system_u:system_r:getty_t:s0 4 dir search system_u:object_r:default_t:s0 denied 149
>
>     time->Mon Jul 24 07:34:21 2017
>     type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
>     type=SYSCALL msg=audit(1500881661.906:1160): arch=c03e syscall=59 success=no exit=-13 a0=6fca60 a1=6fcc40 a2=6faf90 a3=59a items=0 ppid=1244 pid=1246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="start_getty" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
>     type=AVC msg=audit(1500881661.906:1160): avc: denied { search } for pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
>
> I've applied an appropriate context to start_getty, but that didn't prevent the errors:
>
>     ls -alZ /bin/start_getty
>     -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 99 Jul 21 02:55 /bin/start_getty
>
> start_getty is a shell script that points back to /sbin/getty which is a symlink to /usr/lib/busybox/sbin/getty
>
> So I applied a context to /usr/lib/busybox/sbin/getty without it preventing the above mentioned errors:
>
>     ls -alZ /usr/lib/busybox/sbin/getty
>     -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 21 Jun 9 03:39 /usr/lib/busybox/sbin/getty
>
I think you are trying to patch the policy or fix the avc denials w.r.t. context. To do it, we have audit tools available from meta-selinux which will help to understand the avc denials in detail; please try using audit2why on the avc denials to get why we hit the denials, and further use audit2allow to generate the allow rules based on the current policy and then try with the generated allow rules. Hope it helps :)

> I'm keen to see how policy based on 2.20151208 will look.
>
> Additional to trying 2.20151208 if you have any suggestions or advice I'd be grateful to hear it.

Please start exploring with refpolicy-minimum..

> Cheers,
> Marco
>

Thanks
Shrikant

> On 22 July 2017 at 05:46, Joe MacDonald wrote:
>>
>> Hi Justin / Marco,
>>
>> [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin Clacherty wrote:
>>
>> > Hi Joe,
>> >
>> > Is this something you or one of the other meta-selinux devs are able
>> > to help out with or is it more of an upstream question?
>>
>> I'll see if I can give this a shot. :-)
>>
>> >
>> > Cheers,
>> > Justin.
>> >
>> >
>> > > On 17 Jul 2017, at 4:57 pm, Marco Ostini wrote:
>> > >
>> > >
>> > > Hi All,
>> > >
>> > > At the moment I'm attempting to prepare a VM of
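The advice in the reply above is to run the denials through audit2why and audit2allow. As an added illustration (not code from this thread or from meta-selinux), the Python script below does the core of what audit2allow does over the two record formats quoted in the thread: it parses kernel-style `audit: avc: denied ...` lines and audit.log `type=AVC` records, merges them into allow rules keyed by source type, target type and object class, and flags rules whose target is a generic label such as default_t, lib_t or tmpfs_t, where a denial usually means the file is mislabelled and a file-context entry plus restorecon is the right fix rather than a new allow rule. The sample records are constructed here, modelled on the denials quoted in this thread; the GENERIC_TYPES list is an assumption for the heuristic, not something audit2allow itself reports.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AVC records quoted in the thread
# (audit.log "type=AVC" records and kernel "audit: avc: denied" lines).
SAMPLE_LOG = """\
type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for  pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for  pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev="tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { add_name } for pid=390 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { create } for pid=374 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
"""

# Matches the permission set, source context, target context and class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed list of catch-all target types: a denial against one of these usually means
# the object carries a default label, so relabelling (restorecon / file context) is the
# first thing to check before writing an allow rule.
GENERIC_TYPES = {"default_t", "tmpfs_t", "lib_t", "unlabeled_t", "file_t"}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into its rule components; None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(log_text):
    """Merge denials into (source type, target type, class) -> permission set,
    which is the grouping audit2allow performs before emitting allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def format_rules(rules):
    """Render TE allow rules, annotating the ones that point at a generic target type."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        line = "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)
        if ttype in GENERIC_TYPES:
            line += "  # target is a generic type: check file labels (restorecon/fcontext) before allowing"
        out.append(line)
    return out


if __name__ == "__main__":
    for rule in format_rules(aggregate(SAMPLE_LOG)):
        print(rule)
```

Feed it `ausearch -m avc` output or the kernel log instead of SAMPLE_LOG; every flagged rule is a candidate for a labelling fix rather than a policy change.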
Re: [yocto] [meta-selinux] What's the point of refpolicy-minimum?
Hi Joe,

On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12 (Thu 12:57) wenzong fan wrote:
> >
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > > Wenzong / Shrikant,
> > >
> > > I thought I knew the answer to the above question, and maybe my
> > > understanding is still correct, but I think I need to ask it now anyway.
> > >
> > > I don't use refpolicy-minimum for anything, so when I did the updates to
> > > refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
> > > change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> > > of the recipe) piqued my curiosity, so I had a look. Of course,
> > > refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> > > now that I'm looking at the recipe I see what seems like conflicting
> > > statements in the recipe:
> > >
> > >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> > >
> > >     include refpolicy-targeted_${PV}.bb
> > >
> > >     SUMMARY = "SELinux minimum policy"
> > >     DESCRIPTION = "\
> > >     This is a minimum reference policy with just core policy modules, and \
> > >     could be used as a base for customizing targeted policy. \
> > >     Pretty much everything runs as initrc_t or unconfined_t so all of the \
> > >     domains are unconfined. \
> > >     "
> > >
> > > and:
> > >
> > >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> > >
> > >     SUMMARY = "SELinux targeted policy"
> > >     DESCRIPTION = "\
> > >     This is the targeted variant of the SELinux reference policy. Most service \
> > >     domains are locked down. Users and admins will login in with unconfined_t \
> > >     domain, so they have the same access to the system as if SELinux was not \
> > >     enabled. \
> > >     "
> > >
> > > So now I'm trying to understand what the point of refpolicy-minimum
> > > really is here. Those of you who are using it, what are you using it
> > > for and what do you expect would be the correct behaviour of a system
> > > running that policy?
> >
> > I don't have much experience on using the refpolicy-minimum as well.
> >
> > But from the original logs it should be "minimum targeted policy".
> >
> > commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> > Author: Wenzong Fan
> > Date:   Mon Mar 24 21:07:50 2014 -0400
> >
> >     refpolicy: add minimum targeted policy
> >
> >     This is a minimum targeted policy with just core policy modules, and
> >     could be used as a base for customizing targeted policy.
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the
> >     domains are unconfined.
> >
> >     Signed-off-by: Wenzong Fan
> >     Signed-off-by: Joe MacDonald
> >
> > > At the very least, I'm going to remove the 'include [...].bb' from both
> > > 'minimum' recipes, as that's completely incorrect, but when I do that I
> > > want to know what anyone using this recipe wants to see from it, so
> > > whatever the 'include' gets replaced with is doing the right thing
> > > (which isn't necessarily what it's doing today).
> >
> > I won't object to making the changes, if you think there should be a different
> > minimum policy with targeted.
>
> I'm not proposing an alternative, I'm just saying that the statements in
> the descriptions of the recipes seem to conflict. (And do note that the
> git log you quoted is precisely the text in DESCRIPTION for
> refpolicy-minimum.)
>
> What I'm confused by is this in minimum:
>
> > Pretty much everything runs as initrc_t or unconfined_t so all of the
> > domains are unconfined.
>
> and this in targeted:
>
> > Most service domains are locked down.
>
> So I guess my question is what is the desired behaviour out of this
> recipe? If nobody knows and it's not being used, I'm leaning toward a
> 'git rm'-based solution. :-)
>
> It sounds, though, like Shrikant is using it, so it's of some use, I
> guess. Shrikant, on the systems you've used the minimum policy, what
> does the policy look like on your running system? In the current world
> refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
> refpolicy-targeted, is that good / bad / irrelevant to what you're doing
> with it? If I just rework minimum to remove the include and bring in
> the minimal number of changes to get the policy to load again, is that
> good enough for your purposes? Do you want to volunteer to test my
> changes for me before I commit them? :-)

Sure, the rework for minimum to remove the include and the minimal number of changes to get the policy loading seems good to serve the expectations from it. Happy to volunteer to validate the changes, please advise the location to fork the in-progress changes. :)

>
> --
> -Joe MacDonald.
> :wq
>

Th
Re: [yocto] [meta-selinux] What's the point of refpolicy-minimum?
Hi Joe,

On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look. Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>     include refpolicy-targeted_${PV}.bb
>
>     SUMMARY = "SELinux minimum policy"
>     DESCRIPTION = "\
>     This is a minimum reference policy with just core policy modules, and \
>     could be used as a base for customizing targeted policy. \
>     Pretty much everything runs as initrc_t or unconfined_t so all of the \
>     domains are unconfined. \
>     "
>
> and:
>
>   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>     SUMMARY = "SELinux targeted policy"
>     DESCRIPTION = "\
>     This is the targeted variant of the SELinux reference policy. Most service \
>     domains are locked down. Users and admins will login in with unconfined_t \
>     domain, so they have the same access to the system as if SELinux was not \
>     enabled. \
>     "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here. Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?

Recently used refpolicy-minimum, as it provides protection/security for minimum modules and the remaining things with unconfined; the minimum coverage (modules) of policy is easy to start on and cross-check the prepared infrastructure against the expected SELinux behavior. Also it is easy to patch for systemd compared to other policies. Till the refpolicy v20151208 release we have refpolicy-minimum working with systemd as init manager; regarding the latest release, need to check. But moving ahead a similar policy with minimum modules can be used..

> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

Agree..

>
> --
> -Joe MacDonald.
> :wq
>

Thanks
Shrikant
[yocto] [meta-selinux][PATCH 3/3] refpolicy_2.20151208/git: restrict systemd related patches
From: Shrikant Bobade restrict systemd related patches based on distro feature. Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy_2.20151208.inc | 2 +- recipes-security/refpolicy/refpolicy_git.inc| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index ce90b13..1123f3a 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -29,7 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ -file://refpolicy-update-for_systemd.patch \ +${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)} \ " # Specific policy for Poky diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index d031f81..93ba6e5 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc @@ -32,7 +32,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ -file://refpolicy-update-for_systemd.patch \ +${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)} \ " # Specific policy for Poky -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
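Review bot: the new `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)}` entry is identical in refpolicy_2.20151208.inc and refpolicy_git.inc, and so is the surrounding SRC_URI block of poky-fc-*.patch files; consider carrying the systemd conditional (or the whole shared patch list) in refpolicy_common.inc, which patch 2/3 of this series already touches, so the two copies cannot drift apart. The commit message should also state the outcome for a sysvinit build: the policy is then built without the systemd adjustments, which is the intent, but "restrict systemd related patches based on distro feature" does not tell a reader of the log that.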
[yocto] [meta-selinux][PATCH 2/3] cleanup 'virtual/refpolicy' & switch to 'refpolicy'
From: Shrikant Bobade this change drop complete use of 'virtual/refpolicy' & switch to 'refpolicy' use, the mix use of both results in mismatching policy varient selection. with use of 'virtual/refpolicy' at config. level, when we try to switch to other policy varients using 'refpolicy' at local.conf level we continue to get the policy varient set at config. level, so drop the use of 'virtual/refpolicy' & switch to 'refpolicy'. Signed-off-by: Shrikant Bobade --- conf/distro/oe-selinux.conf | 2 +- recipes-security/refpolicy/refpolicy_common.inc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf index 0011d45..f4574d0 100644 --- a/conf/distro/oe-selinux.conf +++ b/conf/distro/oe-selinux.conf @@ -2,4 +2,4 @@ DISTRO = "oe-selinux" DISTROOVERRIDES .= ":selinux" DISTRO_FEATURES_append = " acl xattr pam selinux" -PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls" +PREFERRED_PROVIDER_refpolicy ?= "refpolicy-mls" diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index a9dc466..1017d29 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833" -PROVIDES += "virtual/refpolicy" +PROVIDES += "refpolicy" RPROVIDES_${PN} += "refpolicy" # Specific config files for Poky -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
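Review bot: dropping the `virtual/` name silently breaks any existing local.conf or distro configuration that still sets PREFERRED_PROVIDER_virtual/refpolicy, because after the refpolicy_common.inc hunk no recipe PROVIDES that name any more; the commit message should call this out, and keeping both names for a transition (`PROVIDES += "virtual/refpolicy refpolicy"`) would let users migrate without a silent change of policy variant. Also note that after this change every refpolicy-* recipe provides plain "refpolicy", so the `PREFERRED_PROVIDER_refpolicy ?= "refpolicy-mls"` default in oe-selinux.conf is what disambiguates them and is worth a comment in that file; and since OE convention uses the `virtual/` namespace for exactly this kind of abstract provider, the message should explain why the mismatch described here (config-level `virtual/refpolicy` versus local.conf-level `refpolicy`) could not be fixed by using one name consistently instead of abandoning the convention.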
[yocto] [meta-selinux][PATCH 1/3] selinux-initsh.inc: selinux-init/autorelabel: add force reboot
From: Shrikant Bobade Add force reboot during SELinux init and autorelabel, required for smooth auto-reboot functionality with sysvinit as init manager. It is required only for sysvinit, so restricting only for sysvinit and not for systemd. Signed-off-by: Shrikant Bobade --- recipes-security/selinux/selinux-initsh.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc index bcdd449..dbbb4f8 100644 --- a/recipes-security/selinux/selinux-initsh.inc +++ b/recipes-security/selinux/selinux-initsh.inc @@ -21,6 +21,8 @@ do_install () { install -d ${D}${sysconfdir}/init.d/ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} + sed -i 's#/sbin/reboot#/sbin/reboot -f#g' ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} + install -d ${D}${systemd_unitdir}/system install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
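Review bot: the `sed -i 's#/sbin/reboot#/sbin/reboot -f#g'` runs unconditionally in do_install, so the "restricting only for sysvinit" statement in the commit message holds only because the edited file is the init.d script; the same do_install goes on to install the .service unit, and nothing in the hunk ties the substitution to DISTRO_FEATURES. The substitution is also not idempotent: if ${SELINUX_SCRIPT_SRC}.sh is ever updated to carry `/sbin/reboot -f` itself, the installed script ends up with `/sbin/reboot -f -f`. Editing the script source directly, or guarding the sed with a sysvinit DISTRO_FEATURES check, would be more robust. Since `reboot -f` bypasses init's orderly shutdown sequence, the message should also say why the plain `/sbin/reboot` does not complete under sysvinit after the relabel, so a later maintainer can tell whether the forced reboot is still needed.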
Re: [yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
Hi,

Patch set for systemd and related fixes for refpolicy-minimum v2.20151208 from https://lists.yoctoproject.org/pipermail/yocto/2016-August/031763.html to https://lists.yoctoproject.org/pipermail/yocto/2016-August/031771.html

Verified core-image-selinux build with refpolicy-minimum and systemd as init manager, below are reference logs.

refpolicy-minimum with patch set: http://paste.ubuntu.com/23107423/
refpolicy-minimum without patch set: http://paste.ubuntu.com/23107437/

Please advise !

Thanks
Shrikant

On Fri, Jul 29, 2016 at 2:54 PM, Shrikant Bobade wrote:
> Hi,
>
> Request for comment set from: https://lists.yoctoproject.org/pipermail/yocto/2016-July/031362.html to https://lists.yoctoproject.org/pipermail/yocto/2016-July/031369.html
>
> Checked on the below build config. with refpolicy-minimum using systemd as
> init manager.
>
> These are comparative boot logs.
> refpolicy-minimum without RFC set: http://paste.ubuntu.com/21383917/
> refpolicy-minimum with RFC set: http://paste.ubuntu.com/21383939/
>
> Build Configuration:
> BB_VERSION        = "1.31.0"
> BUILD_SYS         = "x86_64-linux"
> NATIVELSBSTRING   = "universal"
> TARGET_SYS        = "arm-poky-linux-gnueabi"
> MACHINE           = "qemuarm"
> DISTRO            = "poky-selinux"
> DISTRO_VERSION    = "2.1+snapshot-20160729"
> TUNE_FEATURES     = "arm armv5 thumb dsp"
> TARGET_FPU        = "soft"
> meta
> meta-poky
> meta-yocto-bsp    = "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
> meta-selinux      = "master:d0f889259b610c3365962775c6e96a7cba407177"
>
> Please advise, it will be a great help !
>
> Thanks
> Shrikant
>
> On Fri, Jul 1, 2016 at 7:13 PM, Shrikant Bobade wrote:
>> Hi,
>>
>> Using refpolicy-minimum v20151208 with systemd as init manager,
>>
>> I am facing a few issues during enforcing mode:
>> 1. systemd service status check, start & stop
>> 2. auditd logfile error, so it is mixing with the boot log.
>> 3. also other avc denials related to tmpfs & other types etc..
>>
>> Setup details: poky and meta-selinux: both at master head & systemd enabled,
>> with these SELinux booleans enabled:
>>   i.  systemd_tmpfiles_manage_all
>>   ii. allow_mount_anyfile
>>
>> Captured the avc denials to fix the systemd execution well, attached
>> SELinux-Modules.txt :- the allow rules generated using audit tools.
>> I am trying to merge these modules into the actual refpolicy modules, so we
>> get the out of the box experience for smooth systemd execution.
>> Observed the policy store seems corrupted some time, when I start inserting the
>> prepared policy modules' allow rules into the actual refpolicy modules..
>>
>> Has anyone else faced similar issues?
>>
>> Any pointers or references will be a great help.
>>
>> Thanks
>> Shrikant
[yocto] [meta-selinux] [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
From: Shrikant Bobade syslog & getty related allow rules required to fix the syslog mixup with boot log, while using systemd as init manager. Signed-off-by: Shrikant Bobade --- ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 69 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch new file mode 100644 index 000..b01947d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch 
@@ -0,0 +1,69 @@ +From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:54:29 +0530 +Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog + +syslog & getty related allow rules required to fix the syslog mixup with +boot log, while using systemd as init manager. + +without this change we are getting these avc denials: + +audit: avc: denied { search } for pid=484 comm="syslogd" name="/" +dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext= +system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev= +"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u: +object_r:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { add_name } for pid=390 comm="syslogd" name= +"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r +:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd +/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u: +system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0 + +audit: avc: denied { create } for pid=374 comm="syslogd" name="messages" +scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t: +s0 tclass=file permissive=0 + +audit: avc: denied { append } for pid=423 comm="syslogd" name="messages" +dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext= +system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/ +volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r: +syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/getty.te | 1 + + policy/modules/system/logging.te | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + 
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index 84eaf77..2e53daf 100644 +--- a/policy/modules/system/getty.te b/policy/modules/system/getty.te +@@ -142,3 +142,4 @@ optional_policy(` + + allow getty_t tmpfs_t:dir search; + allow getty_t tmpfs_t:file { open write lock }; ++allow getty_t initrc_t:unix_dgram_socket sendto; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 107db03..95de86d 100644 +--- a/policy/modules/system/logging.te b/policy/modules/system/logging.te +@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; + allow syslogd_t self:shm create; + allow syslogd_t self:sem { create read unix_write write }; + allow syslogd_t self:shm { read unix_read unix_write write }; +-allow syslogd_t tmpfs_t:file { read write }; ++allow syslogd_t tmpfs_t:file { read write create getattr append open }; ++allow syslogd_t tmpfs_t:dir { search write add_name }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 9f01492..da6626e 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -80,4 +80,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \ file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \ file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \ file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \ + file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
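Review bot: the logging.te hunk grants syslogd_t `{ read write create getattr append open }` on every tmpfs_t file and `{ search write add_name }` on every tmpfs_t directory, which is far wider than the denials in the commit message require: all of them are for /var/volatile/log on the tmpfs (name="log", name="messages", path="/var/volatile/log/messages"). Labelling that directory tree var_log_t through a file context entry, so that refpolicy's existing syslogd_t logging rules apply, would clear the same denials without letting syslogd write anywhere on tmpfs. The getty.te rule `allow getty_t initrc_t:unix_dgram_socket sendto` has the same shape: the agetty denial shows /run/systemd/journal/dev-log with tcontext initrc_t, i.e. the journal socket is owned by an initrc_t process rather than a journald domain, and the rule papers over that labelling gap instead of fixing it. If the broad rules are kept as a stopgap the message should say so, and Upstream-Status should then be "Inappropriate [oe specific]" rather than "Pending", since allow rules on tmpfs_t are unlikely to be accepted upstream as-is.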
[yocto] [meta-selinux] [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required refpolicy booleans
From: Shrikant Bobade enable required refpolicy booleans for these modules mount: allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all Signed-off-by: Shrikant Bobade --- ...inimum-systemd-mount-enable-requiried-ref.patch | 47 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch new file mode 100644 index 000..bf7b980 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch 
@@ -0,0 +1,47 @@ +refpolicy-minimum: systemd: mount: enable required refpolicy booleans + +enable required refpolicy booleans for these modules + +i. mount: allow_mount_anyfile +without enabling this boolean we are getting below avc denial + +audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media +/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 +tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 + +This avc can be allowed using the boolean 'allow_mount_anyfile' +allow mount_t initrc_var_run_t:dir mounton; + +ii. systemd : systemd_tmpfiles_manage_all +without enabling this boolean we are not getting access to mount systemd +essential tmpfs during bootup, also not getting access to create audit.log + +audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= +"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles +_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 + + ls /var/log + /var/log -> volatile/log +:~# + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade + +--- a/policy/booleans.conf b/policy/booleans.conf +@@ -1156,12 +1156,12 @@ racoon_read_shadow = false + # + # Allow the mount command to mount any directory or file. + # +-allow_mount_anyfile = false ++allow_mount_anyfile = true + + # + # Enable support for systemd-tmpfiles to manage all non-security files. + # +-systemd_tmpfiles_manage_all = false ++systemd_tmpfiles_manage_all = true + + # + # Allow users to connect to mysql diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 9c806c4..1647c28 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
@@ -77,4 +77,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \ file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \ file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \ + file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
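Review bot: this flips two policy-wide booleans at build time to clear what the commit message shows as single, specific denials. `allow_mount_anyfile` lets mount_t mount on any directory or file (per the booleans.conf comment) when the only denial quoted is `mounton` on initrc_var_run_t for /run/media/mmcblk2p1; the targeted `allow mount_t initrc_var_run_t:dir mounton;` that the message itself quotes, or a file context for /run/media, keeps the minimum policy minimal. `systemd_tmpfiles_manage_all` lets systemd-tmpfiles manage all non-security files, while the only denial quoted for it is a `search` on sysctl_t; if the boolean really is what allows the essential tmpfs mounts and the creation of audit.log, the message should show those denials too. Two smaller points: this 0006 patch has no From:/Date:/Subject: header like the other 000x-*.patch files in the series, and "requiried" in the patch filename is a typo that is now baked into SRC_URI and SYSTEMD_REFPOLICY_PATCHES.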
[yocto] [meta-selinux] [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files services
From: Shrikant Bobade fix for systemd tmp files setup services: systemd-journal-flush.service & systemd-logind.service. Signed-off-by: Shrikant Bobade --- ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 111 + .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 112 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch new file mode 100644 index 000..a7338e1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch 
@@ -0,0 +1,111 @@ +From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:54:17 +0530 +Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files + services + +fix for systemd tmp files setup service while using refpolicy-minimum and +systemd as init manager. + +these allow rules require kernel domain & files access, so added interfaces +at systemd.te to merge these allow rules. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" +path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd +_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file + +audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" +name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 +tclass=dir permissive=0 + +[FAILED] Failed to start Create Static Device Nodes in /dev. +See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. + +[FAILED] Failed to start Create Volatile Files and Directories. +See 'systemctl status systemd-tmpfiles-setup.service' for details. + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/kernel/files.if | 19 +++ + policy/modules/kernel/kernel.if | 23 +++ + policy/modules/system/systemd.te | 3 +++ + 3 files changed, 45 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 1cedea2..4ea7d55 100644 +--- a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +@@ -6729,3 +6729,22 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++ ++## ++##systemd tmp files access to kernel tmp files domain ++## ++## ++## ++##Domain allowed access. 
++## ++## ++# ++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` ++ gen_require(` ++ type tmp_t; ++class lnk_file getattr; ++ ') ++ ++ allow $1 tmp_t:lnk_file getattr; ++') +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index f1130d1..4604441 100644 +--- a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` + typeattribute $1 kern_unconfined; + kernel_load_module($1) + ') ++ ++ ++## ++##systemd tmp files access to kernel sysctl domain ++## ++## ++## ++##Domain allowed access. ++## ++## ++# ++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` ++ gen_require(` ++type sysctl_kernel_t; ++class dir search; ++class file { open read }; ++ ') ++ ++allow $1 sysctl_kernel_t:dir search; ++allow $1 sysctl_kernel_t:file { open read }; ++ ++') ++ +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 22021eb..8813664 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; + allow systemd_tmpfiles_t self:capability net_admin; + + allow systemd_tmpfiles_t init_t:file { open getattr read }; ++ ++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) ++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 7312ada..9f01492 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -79,4 +79
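Review bot: the two new interfaces break refpolicy's naming rule that an interface defined in files.if is prefixed `files_` and one defined in kernel.if is prefixed `kernel_`; `systemd_service_allow_kernel_files_domain_to_tmp_t` and `systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t` read as systemd-module interfaces and will not be found next to the existing ones. Before adding them, check whether existing interfaces already cover the permissions: kernel.if's `kernel_read_kernel_sysctls` grants dir search and file read on sysctl_kernel_t, which is exactly what the kernel.if hunk adds, so the systemd.te hunk could call that instead; if a files.if interface for `tmp_t:lnk_file getattr` is still needed, name it in the files_ namespace. The kernel.if hunk also adds two leading blank `++` lines and a trailing blank line after the closing `')`, which should be trimmed. The refpolicy-minimum_2.20151208.bb hunk is cut off after `@@ -79,4 +79` in this copy, so the SRC_URI addition could not be checked.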
[yocto] [meta-selinux] [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal service
From: Shrikant Bobade 1. fix for systemd services: login & journal while using refpolicy-minimum and systemd as init manager. 2. fix login duration after providing root password. Signed-off-by: Shrikant Bobade --- ...inimum-systemd-fix-for-login-journal-serv.patch | 105 + .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 106 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch new file mode 100644 index 000..50e3c64 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch 
@@ -0,0 +1,105 @@ +From 5a1cef9e4a9472982f6c68190f3aa20c73c8de1e Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:54:09 +0530 +Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal + service + +1. fix for systemd services: login & journal wile using refpolicy-minimum and +systemd as init manager. +2. fix login duration after providing root password. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ +systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 +tclass=fifo_file permissive=0 + +audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path +="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file + +audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: +system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path +="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl +--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: +lib_t:s0 tclass=service + +[FAILED] Failed to start Flush Journal to Persistent Storage. +See 'systemctl status systemd-journal-flush.service' for details. + +[FAILED] Failed to start Login Service. +See 'systemctl status systemd-logind.service' for details. + +[FAILED] Failed to start Avahi mDNS/DNS-SD Stack. +See 'systemctl status avahi-daemon.service' for details. 
+ +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 5 + + policy/modules/system/locallogin.te | 3 +++ + policy/modules/system/systemd.if| 6 -- + policy/modules/system/systemd.te| 3 ++- + 4 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 19a7a20..cefa59d 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1105,3 +1105,8 @@ allow init_t self:capability2 audit_read; + + allow initrc_t init_t:system { start status reboot }; + allow initrc_t init_var_run_t:service { start status }; ++ ++allow initrc_t init_var_run_t:service stop; ++allow initrc_t init_t:dbus send_msg; ++ ++allow init_t initrc_t:dbus { send_msg acquire_svc }; +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 09ec33f..be25c82 100644 +--- a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock}; + allow local_login_t var_run_t:sock_file write; + allow local_login_t tmpfs_t:dir { add_name write search}; + allow local_login_t tmpfs_t:file { create open read write lock }; ++allow local_login_t init_var_run_t:fifo_file write; ++allow local_login_t initrc_t:dbus send_msg; ++allow initrc_t local_login_t:dbus send_msg; +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 822c03d..8723527 100644 +--- a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',` + # + interface(`systemd_service_lib_function',` + gen_require(` +- class service start; ++ class service { start status stop }; ++ class file { execmod open }; + ') + +- allow initrc_t $1:service start; ++ allow initrc_t $1:service { start status stop }; ++ allow initrc_t $1:file execmod; + + ') +diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te +index 70ccb0e..22021eb 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd
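Review bot: the systemd.if hunk adds `allow initrc_t $1:file execmod;` to `systemd_service_lib_function`, which lets everything running as initrc_t map lib_t files writable and executable (text relocations); none of the quoted denials mention execmod and the description only talks about service stop/status, so this needs its own denial and justification or should be dropped (the `class file { execmod open }` require also lists `open`, which is never used). In init.te, `allow initrc_t init_var_run_t:service stop;` and the dbus rules are raw allows on types owned by other modules; use the dbus interfaces (e.g. `init_dbus_chat()`) so the rules go through the interface layer and survive a modular build. `allow init_t initrc_t:dbus { send_msg acquire_svc }` only makes sense because dbus-daemon runs as initrc_t in this policy (acquire_svc is checked against the bus daemon's context); a comment saying so would help the next reader. The same applies to locallogin.te: `initrc_t` is not a locallogin type, so `allow initrc_t local_login_t:dbus send_msg` belongs in an interface rather than in locallogin.te. The patch text is cut off at the systemd.te file header, so the last hunk could not be reviewed.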
[yocto] [meta-selinux] [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init manager.
From: Shrikant Bobade add allow rule to fix avc denial during system reboot. Signed-off-by: Shrikant Bobade --- ...inimum-init-fix-reboot-with-systemd-as-in.patch | 36 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch new file mode 100644 index 000..c88f2b2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch 
@@ -0,0 +1,36 @@ +From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:53:53 +0530 +Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init + manager. + +add allow rule to fix avc denial during system reboot. + +without this change we are getting: + +audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj= +system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0 +gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r: +initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index f9d7114..19a7a20 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate; + allow init_t self:capability2 block_suspend; + allow init_t self:capability2 audit_read; + +-allow initrc_t init_t:system { start status }; ++allow initrc_t init_t:system { start status reboot }; + allow initrc_t init_var_run_t:service { start status }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index d1ea37d..9c806c4 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
@@ -76,4 +76,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \ file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \ + file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
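Review bot: `allow initrc_t init_t:system { start status reboot };` lets every process in initrc_t reboot the machine; in refpolicy-minimum most daemons run in initrc_t, so this is effectively "any service may reboot", not just an administrator's `systemctl --force reboot`. The quoted denial has scontext initrc_t because systemctl was run from a shell or service in that domain; if the intent is to allow reboot from an admin session, grant it to that domain through an interface in init.if (next to the existing `start status` rule this hunk extends) rather than widening initrc_t.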
[yocto] [meta-selinux] [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type local_login_t
From: Shrikant Bobade add allow rules for locallogin module avc denials. Signed-off-by: Shrikant Bobade --- ...inimum-locallogin-add-allow-rules-for-typ.patch | 53 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch new file mode 100644 index 000..3623215 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch 
@@ -0,0 +1,53 @@ +From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:53:46 +0530 +Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type + local_login_t + +add allow rules for locallogin module avc denials. + +without this change we are getting errors like these: + +type=AVC msg=audit(): avc: denied { read write open } for pid=353 +comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext +=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: +var_log_t:s0 tclass=file permissive=1 + +type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 +tclass=unix_dgram_socket permissive=1 + +type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= +"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r +:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass +=file permissive=1 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/locallogin.te | 10 ++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 53923f8..09ec33f 100644 +--- a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +@@ -274,3 +274,13 @@ optional_policy(` + optional_policy(` + nscd_use(sulogin_t) + ') ++ ++allow local_login_t initrc_t:fd use; ++allow local_login_t initrc_t:unix_dgram_socket sendto; ++allow local_login_t initrc_t:unix_stream_socket connectto; ++allow local_login_t self:capability net_admin; ++allow local_login_t var_log_t:file { create lock open read write }; ++allow local_login_t var_run_t:file { open read write lock}; ++allow local_login_t var_run_t:sock_file write; ++allow local_login_t tmpfs_t:dir { add_name write 
search}; ++allow local_login_t tmpfs_t:file { create open read write lock }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index f4b80bc..d1ea37d 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -75,4 +75,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \ file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ + file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
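Review bot: the denials show `/var/volatile/log/lastlog` labelled `var_log_t` and the session files on `tmpfs_t`, which is a labelling gap for the Yocto `/var/volatile` layout rather than a missing permission: refpolicy already gives lastlog its own type (`lastlog_t`) and grants `local_login_t` access to it, but the file contexts only cover `/var/log`. Add file contexts (or a filetrans) for `/var/volatile/log` so the file is labelled correctly instead of `allow local_login_t var_log_t:file { create lock open read write };`, which lets login create and rewrite every generic log file; the `tmpfs_t:dir { add_name write search}` and `tmpfs_t:file { create open read write lock }` rules are similarly broad. `allow local_login_t self:capability net_admin;` is almost always the kernel checking net_admin on a setsockopt against the journal socket and should be dontaudited, not allowed. All three denials are `permissive=1`, so rules harvested this way can include access the program never exercises in enforcing mode; worth re-checking each one.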
[yocto] [meta-selinux] [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: add allow rules
From: Shrikant Bobade add allow rules for avc denials for systemd, mount, logging & authlogin modules. without this change we are getting avc denials from these modules. Signed-off-by: Shrikant Bobade --- ...inimum-systemd-mount-logging-authlogin-ad.patch | 93 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch new file mode 100644 index 000..35a8e1b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch 
@@ -0,0 +1,93 @@ +From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:53:37 +0530 +Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: + add allow rules + +add allow rules for avc denails for systemd, mount, logging & authlogin +modules. + +without this change we are getting avc denial like these: + +type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- +tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= +unix_dgram_socket permissive=0 + +type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- +tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: +system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= +file permissive=0 + +type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" +path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: +mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket + +type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 +comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 +tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/authlogin.te | 2 ++ + policy/modules/system/logging.te | 7 ++- + policy/modules/system/mount.te | 3 +++ + policy/modules/system/systemd.te | 6 ++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index f80dfcb..5fab54a 100644 +--- a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +@@ -464,3 +464,5 @@ optional_policy(` + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) + ') ++ ++allow chkpwd_t proc_t:filesystem getattr; +diff --git 
a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index fdf86ef..107db03 100644 +--- a/policy/modules/system/logging.te b/policy/modules/system/logging.te +@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; + allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; + allow auditd_t initrc_t:unix_dgram_socket sendto; + +-allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file ++allow klogd_t initrc_t:unix_dgram_socket sendto; ++ ++allow syslogd_t self:shm create; ++allow syslogd_t self:sem { create read unix_write write }; ++allow syslogd_t self:shm { read unix_read unix_write write }; ++allow syslogd_t tmpfs_t:file { read write }; +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 1c2fc33..b699309 100644 +--- a/policy/modules/system/mount.te b/policy/modules/system/mount.te +@@ -229,3 +229,6 @@ optional_policy(` + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) + unconfined_domain(unconfined_mount_t) + ') ++ ++allow mount_t proc_t:filesystem getattr; ++allow mount_t initrc_t:udp_socket { read write }; +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index fdb9fef..734d455 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` + files_relabel_non_security_dirs(systemd_tmpfiles_t) + files_relabel_non_security_files(systemd_tmpfiles_t) + ') ++ ++allow systemd_tmpfiles_t init_t:dir search; ++allow systemd_tmpfiles_t proc_t:filesystem getattr; ++allow systemd_tmpfiles_t init_t:file read; ++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; ++allow systemd_tmpfiles_t self:capability net_admin; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-m
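Review bot: `allow mount_t initrc_t:udp_socket { read write };` in mount.te is a descriptor leaked from the parent (the denial shows `path="socket:[9717]"` inherited by mount); the usual refpolicy answer is to dontaudit the inherited socket or close it in the caller, not to let mount_t read and write it. In systemd.te, `allow systemd_tmpfiles_t init_t:dir search;` plus `init_t:file read` grants reading PID 1's /proc entries (the denial is `/proc/1/environ`); route that through `init_read_state()` in init.if rather than raw init_t rules, and `self:capability net_admin` for systemd-tmpfiles is the same spurious setsockopt check as elsewhere in the series and should be dontaudited. The syslogd shm/sem rules in logging.te could use the `create_shm_perms` / `create_sem_perms` macros, and since that denial is `permissive=1`, confirm the daemon really needs `unix_read unix_write` in enforcing mode. The patch text is cut off at the recipe hunk, so the SYSTEMD_REFPOLICY_PATCHES change could not be checked.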
[yocto] [meta-selinux] [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related allow rules
From: Shrikant Bobade add allow rules for audit.log file & resolve dependent avc denials. Signed-off-by: Shrikant Bobade --- ...inimum-audit-logging-getty-audit-related-.patch | 67 ++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch new file mode 100644 index 000..23bc397 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch 
@@ -0,0 +1,67 @@ +From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:51:44 +0530 +Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related + allow rules + +add allow rules for audit.log file & resolve dependent avc denials. + +without this change we are getting audit avc denials mixed into bootlog & +audit other avc denials. + +audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" +name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=sy0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 +audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ +volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t +:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/getty.te | 3 +++ + policy/modules/system/logging.te | 8 + 2 files changed, 11 insertions(+) + +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index f6743ea..84eaf77 100644 +--- a/policy/modules/system/getty.te b/policy/modules/system/getty.te +@@ -139,3 +139,6 @@ optional_policy(` + optional_policy(` + udev_read_db(getty_t) + ') ++ ++allow getty_t tmpfs_t:dir search; ++allow getty_t tmpfs_t:file { open write lock }; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 9b18aad..fdf86ef 100644 +--- a/policy/modules/system/logging.te b/policy/modules/system/logging.te +@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; + allow audisp_t self:unix_dgram_socket create_socket_perms; + + allow audisp_t auditd_t:unix_stream_socket 
rw_socket_perms; ++allow audisp_t initrc_t:unix_dgram_socket sendto; + + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) + files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) +@@ -569,3 +570,10 @@ optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) + ') ++ ++ ++allow auditd_t tmpfs_t:file { getattr setattr create open read append }; ++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; ++allow auditd_t initrc_t:unix_dgram_socket sendto; ++ ++allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 16592e5..9e1dc9b 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -73,4 +73,5 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO SYSTEMD_REFPOLICY_PATCHES = " \ file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ + file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
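Review bot: the auditd rules in logging.te write the audit log on `tmpfs_t` (on this image `/var/log` is under `/var/volatile`), so the log is mislabelled; refpolicy expects `auditd_log_t` for the audit log and `wtmp_t` for the wtmp file agetty opens. Fix the labelling for `/var/volatile/log` with file contexts or a filetrans instead of `allow auditd_t tmpfs_t:file { getattr setattr create open read append };` and `allow getty_t tmpfs_t:file { open write lock };`, which let both domains touch every file on every tmpfs. The dir rule `{ open read search add_name write getattr search }` lists `search` twice. The logging.te hunk ends with `\ No newline at end of file`, which the next patch in the series then has to repair; fix it here. Two of the quoted denials are truncated (`tcontext=system_0`, `scontext=sy0`), and the quoted `mount` denial is not addressed by this patch.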
[yocto] [meta-selinux] [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules
From: Shrikant Bobade systemd allow rules for systemd service file operations: start, stop, restart & allow rule for unconfined systemd service. without this change we are getting avc denials and access denied to perform operations on service file. Signed-off-by: Shrikant Bobade --- ...inimum-systemd-unconfined-lib-add-systemd.patch | 124 + .../refpolicy/refpolicy-minimum_2.20151208.bb | 7 ++ 2 files changed, 131 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch new file mode 100644 index 000..7a72f18 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch 
@@ -0,0 +1,124 @@ +From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:51:32 +0530 +Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd + services allow rules + +systemd allow rules for systemd service file operations: start, stop, restart +& allow rule for unconfined systemd service. + +without this change we are getting these errors: +:~# systemctl status selinux-init.service +Failed to get properties: Access denied + +:~# systemctl stop selinux-init.service +Failed to stop selinux-init.service: Access denied + +:~# systemctl restart selinux-init.service +audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= +system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 +gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl +restart selinux-init.service" scontext=unconfined_u:unconfined_r: +unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 6 +- + policy/modules/system/libraries.te | 3 +++ + policy/modules/system/systemd.if| 40 + + policy/modules/system/unconfined.te | 6 ++ + 4 files changed, 54 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index d710fb0..f9d7114 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1100,4 +1100,8 @@ optional_policy(` + # systemd related allow rules + allow kernel_t init_t:process dyntransition; + allow devpts_t device_t:filesystem associate; +-allow init_t self:capability2 block_suspend; +\ No newline at end of file ++allow init_t self:capability2 block_suspend; ++allow init_t self:capability2 audit_read; ++ ++allow initrc_t init_t:system { start status }; ++allow initrc_t init_var_run_t:service { start status }; +diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te +index 0f5cd56..df98fe9 100644 +--- a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te +@@ -144,3 +144,6 @@ optional_policy(` + optional_policy(` + unconfined_domain(ldconfig_t) + ') ++ ++# systemd: init domain to start lib domain service ++systemd_service_lib_function(lib_t) +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 3cd6670..822c03d 100644 +--- a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` + + allow $1 power_unit_t:service start; + ') ++ ++ ++ ++## ++## Allow specified domain to start stop reset systemd service ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_service_file_operations',` ++ gen_require(` ++ class service { start status stop }; ++ ') ++ ++ allow $1 lib_t:service { start status stop }; ++ ++') ++ ++ ++ ++## ++## Allow init domain to start lib domain service ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_service_lib_function',` ++ gen_require(` ++ class service start; ++ ') ++ ++ allow initrc_t $1:service start; ++ ++') +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index 99cab31..87a1b03 100644 +--- a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) + optional_policy(` + unconfined_dbus_chat(unconfined_execmem_t) + ') ++ ++ ++# systemd: specified domain to start stop reset systemd service ++systemd_service_file_operations(unconfined_
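Review bot: `systemd_service_file_operations` grants `allow $1 lib_t:service { start status stop };`, so any domain given this interface can start and stop every unit under /lib/systemd/system, because the unit files are labelled `lib_t` (see `tcontext=system_u:object_r:lib_t:s0` in the quoted denial). That is a labelling problem, not a missing rule: the context of the same systemd.if hunk shows how refpolicy models units (`systemd_start_power_units` on `power_unit_t`), so declare a unit type for the selinux-init/labeldev/autorelabel units, label them in file contexts, and grant `service` permissions on that type only. `systemd_service_lib_function` hardcodes `initrc_t` as the subject inside an interface whose parameter is the object type, which is backwards for a refpolicy interface, and both new interfaces document their parameter as "Domain to not audit." (copied from a dontaudit template). `allow init_t self:capability2 audit_read;` in init.te is unrelated to the description. The patch text is cut off in the unconfined.te hunk.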
Re: [yocto] [meta-selinux][PATCH 1/5] selinux-initsh.inc: add systemd support
Hi, @Ping, Thanks Shrikant On Mon, Aug 22, 2016 at 6:36 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > add support for systemd service file and handling of script required by > systemd service file. > > Signed-off-by: Shrikant Bobade > --- > recipes-security/selinux/selinux-initsh.inc | 12 +++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/recipes-security/selinux/selinux-initsh.inc > b/recipes-security/selinux/selinux-initsh.inc > index f7348bb..bcdd449 100644 > --- a/recipes-security/selinux/selinux-initsh.inc > +++ b/recipes-security/selinux/selinux-initsh.inc > @@ -13,11 +13,21 @@ CONFFILES_${PN} += "${sysconfdir}/init.d/${ > SELINUX_SCRIPT_DST}" > > PACKAGE_ARCH ?= "${MACHINE_ARCH}" > > -inherit update-rc.d > +inherit update-rc.d systemd > + > +SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service" > > do_install () { > install -d ${D}${sysconfdir}/init.d/ > install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh > ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} > + > + install -d ${D}${systemd_unitdir}/system > + install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service > ${D}${systemd_unitdir}/system > + > + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', > 'false', d)}; then > + install -d ${D}${bindir} > + install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh > ${D}${bindir} > + fi > } > > sysroot_stage_all_append () { > -- > 1.9.1 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] packagegroup-core-selinux: add auditd support for audit log
From: Shrikant Bobade this change provides the dependency required by the audit log file, to prepare it at /var/log/audit/audit.log and get a cleaner boot log. without this change all avc denial messages mix with the boot log & it makes avc denial analysis difficult. Signed-off-by: Shrikant Bobade --- recipes-security/packagegroups/packagegroup-core-selinux.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb index 9c74458..a0152a9 100644 --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb @@ -27,4 +27,5 @@ RDEPENDS_${PN} = " \ selinux-labeldev \ refpolicy \ coreutils \ + auditd \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
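Review bot: adding `auditd` to RDEPENDS only moves the AVC messages off the console if the audit daemon is actually enabled and started at boot; with systemd that depends on the auditd recipe's unit being enabled, so please confirm that, otherwise the kernel keeps printing denials to the boot log and the stated motivation is not met.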
[yocto] [meta-selinux][PATCH 5/5] refpolicy_common.inc: add refpolicy minimum banner at selinux config.
From: Shrikant Bobade Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy_common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index e1eac50..a9dc466 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -158,6 +158,7 @@ install_config () { # disabled - No SELinux policy is loaded. SELINUX=${DEFAULT_ENFORCING} # SELINUXTYPE= can take one of these values: +# minimum - Minimum Security protection. # standard - Standard Security protection. # mls - Multi Level Security protection. # targeted - Targeted processes are protected. -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 4/5] selinux-labeldev: add systemd service file support
From: Shrikant Bobade add systemd service file for handling selinux labeldev, this change improves handling of systemd service functionality like:status check, debug etc. compared to sysvinit compatibility mode scripts. Signed-off-by: Shrikant Bobade --- .../selinux/selinux-labeldev/selinux-labeldev.service | 11 +++ recipes-security/selinux/selinux-labeldev_0.1.bb | 5 - 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.service diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service new file mode 100644 index 000..d45ecbc --- /dev/null +++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service @@ -0,0 +1,11 @@ +[Unit] +Description=SELinux init for /dev service loading +DefaultDependencies=no +Before=sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/selinux-labeldev.sh + +[Install] +WantedBy=multi-user.target diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux/selinux-labeldev_0.1.bb index b692bb2..8eb5db4 100644 --- a/recipes-security/selinux/selinux-labeldev_0.1.bb +++ b/recipes-security/selinux/selinux-labeldev_0.1.bb @@ -10,7 +10,10 @@ ${PN}_RDEPENDS = " \ policycoreutils-setfiles \ " -SRC_URI = "file://${BPN}.sh" +SRC_URI = "file://${BPN}.sh \ + file://${BPN}.service \ + " + SELINUX_SCRIPT_DST = "0${BPN}" require selinux-initsh.inc -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
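Review bot: `Type=oneshot` without `RemainAfterExit=yes` means the unit drops back to inactive (dead) as soon as `selinux-labeldev.sh` exits, so `systemctl status` will never show it active, which undercuts the "status check" motivation; add `RemainAfterExit=yes`. `ExecStart=/usr/bin/selinux-labeldev.sh` hardcodes the path while selinux-initsh.inc installs the script to `${bindir}`; substitute the path in do_install instead of assuming /usr/bin. `WantedBy=multi-user.target` with `Before=sysinit.target` works, but a unit meant to run before sysinit is conventionally `WantedBy=sysinit.target`. With `DefaultDependencies=no` and no `After=` line nothing orders this relabel after /dev is populated by udev; the script is not shown, so please check what it assumes.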
[yocto] [meta-selinux][PATCH 3/5] selinux-autorelabel: add systemd service file support
From: Shrikant Bobade add systemd service file for handling selinux autorelabel, this change improves handling of systemd service functionality like:status check, re-run, debug etc. compared to sysvinit compatibility mode scripts. Signed-off-by: Shrikant Bobade --- .../selinux/selinux-autorelabel/selinux-autorelabel.service | 11 +++ recipes-security/selinux/selinux-autorelabel_0.1.bb | 5 - 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service new file mode 100644 index 000..9520f6e --- /dev/null +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service @@ -0,0 +1,11 @@ +[Unit] +Description=SELinux autorelabel service loading +DefaultDependencies=no +Before=sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/selinux-autorelabel.sh + +[Install] +WantedBy=multi-user.target diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb index 2664863..4eb2b4e 100644 --- a/recipes-security/selinux/selinux-autorelabel_0.1.bb +++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb @@ -11,7 +11,10 @@ ${PN}_RDEPENDS = " \ policycoreutils-setfiles \ " -SRC_URI = "file://${BPN}.sh" +SRC_URI = "file://${BPN}.sh \ + file://${BPN}.service \ + " + INITSCRIPT_PARAMS = "start 01 S ." require selinux-initsh.inc -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
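Review bot: same points as the labeldev unit: `Type=oneshot` needs `RemainAfterExit=yes` for `systemctl status` to report anything useful, `ExecStart=/usr/bin/selinux-autorelabel.sh` hardcodes a path the recipe expresses as `${bindir}`, and `WantedBy=multi-user.target` is an odd choice for a `Before=sysinit.target` unit. More important for a relabel: with `DefaultDependencies=no` and no `After=local-fs.target` (or `RequiresMountsFor=`) nothing guarantees the writable filesystems are mounted when the script runs, and a full relabel normally ends in a reboot; the script is not in this patch, so please state what it assumes about mounts and what it does afterwards.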
[yocto] [meta-selinux][PATCH 2/5] selinux-init: add systemd service file support
From: Shrikant Bobade add systemd service file for handling selinux initialization, this change improves handling of systemd service functionality like:status check, debug etc. compared to sysvinit compatibility mode scripts. Signed-off-by: Shrikant Bobade --- recipes-security/selinux/selinux-init/selinux-init.service | 11 +++ recipes-security/selinux/selinux-init_0.1.bb | 5 - 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/selinux-init/selinux-init.service diff --git a/recipes-security/selinux/selinux-init/selinux-init.service b/recipes-security/selinux/selinux-init/selinux-init.service new file mode 100644 index 000..93cc6ce --- /dev/null +++ b/recipes-security/selinux/selinux-init/selinux-init.service @@ -0,0 +1,11 @@ +[Unit] +Description=SELinux init service loading +DefaultDependencies=no +Before=sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/selinux-init.sh + +[Install] +WantedBy=multi-user.target diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb index 54932e8..38b5900 100644 --- a/recipes-security/selinux/selinux-init_0.1.bb +++ b/recipes-security/selinux/selinux-init_0.1.bb @@ -14,7 +14,10 @@ ${PN}_RDEPENDS = " \ policycoreutils-setfiles \ " -SRC_URI = "file://${BPN}.sh" +SRC_URI = "file://${BPN}.sh \ + file://${BPN}.service \ + " + INITSCRIPT_PARAMS = "start 01 S ." require selinux-initsh.inc -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
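Review bot: `Type=oneshot` without `RemainAfterExit=yes` means `systemctl status selinux-init.service` reports the unit as inactive (dead) as soon as the script exits, which undercuts the status-check motivation in the commit message; add `RemainAfterExit=yes` so a successful run shows as active (exited) and is not re-run by a later `systemctl start`. The `Description=` strings across the series ("SELinux init service loading") read awkwardly in boot logs; something like "SELinux initialization" is clearer.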
[yocto] [meta-selinux][PATCH 1/5] selinux-initsh.inc: add systemd support
From: Shrikant Bobade add support for systemd service file and handling of script required by systemd service file. Signed-off-by: Shrikant Bobade --- recipes-security/selinux/selinux-initsh.inc | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc index f7348bb..bcdd449 100644 --- a/recipes-security/selinux/selinux-initsh.inc +++ b/recipes-security/selinux/selinux-initsh.inc @@ -13,11 +13,21 @@ CONFFILES_${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}" PACKAGE_ARCH ?= "${MACHINE_ARCH}" -inherit update-rc.d +inherit update-rc.d systemd + +SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service" do_install () { install -d ${D}${sysconfdir}/init.d/ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} + + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir} + fi } sysroot_stage_all_append () { -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
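Review bot: In the do_install hunk the service file is copied into `${systemd_unitdir}/system` unconditionally while the script copy into `${bindir}` is guarded by the DISTRO_FEATURES check; both should sit under the same condition. systemd.bbclass only adds `${systemd_unitdir}` files to FILES when `systemd` is in DISTRO_FEATURES, so the unconditional install leaves an unpackaged file and trips the installed-vs-shipped QA check on sysvinit-only distros. Simplest is to drop the guard and install both under the same DISTRO_FEATURES test, since `inherit update-rc.d systemd` is already unconditional. With the script now installed twice (init.d and bindir), consider pointing the unit's ExecStart at one copy, or symlinking, so there is a single file to keep in sync.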
Re: [yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
Hi,

Request for comment set from https://lists.yoctoproject.org/pipermail/yocto/2016-July/031362.html to https://lists.yoctoproject.org/pipermail/yocto/2016-July/031369.html, checked on the build config below, with refpolicy-minimum using systemd as init manager.

These are comparative boot logs.
refpolicy-minimum without RFC set: http://paste.ubuntu.com/21383917/
refpolicy-minimum with RFC set: http://paste.ubuntu.com/21383939/

Build Configuration:
BB_VERSION = "1.31.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "arm-poky-linux-gnueabi"
MACHINE = "qemuarm"
DISTRO = "poky-selinux"
DISTRO_VERSION = "2.1+snapshot-20160729"
TUNE_FEATURES = "arm armv5 thumb dsp"
TARGET_FPU = "soft"
meta
meta-poky
meta-yocto-bsp = "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
meta-selinux = "master:d0f889259b610c3365962775c6e96a7cba407177"

Please advise, it will be a great help!

Thanks
Shrikant

On Fri, Jul 1, 2016 at 7:13 PM, Shrikant Bobade wrote:
> Hi,
>
> Using refpolicy-minimum v20151208 with systemd as init manager,
>
> I am facing a few issues during enforcing mode:
> 1. systemd service status check, start & stop
> 2. auditd logfile error, so it is mixing with the boot log.
> 3. also other avc denials related to tmpfs & other types etc.
>
> setup details: poky and meta-selinux: both at master head & systemd enabled.
> with these SELinux booleans enabled: i. systemd_tmpfiles_manage_all
> ii. allow_mount_anyfile
>
> captured the avc denials to fix the systemd execution well, attached
> SELinux-Modules.txt: the allow rules generated using audit tools.
> I am trying to merge these modules into the actual refpolicy modules, so we get
> the out-of-the-box experience for smooth systemd execution.
> Observed the policy store seems corrupted sometimes, when starting to insert the
> prepared policy module allow rules into the actual refpolicy modules.
>
> Has anyone also faced similar issues?
>
> Any pointers or references will be a great help.
>
> Thanks
> Shrikant
[yocto] [meta-selinux][RFC 8/8] systemd: fix for systemd tmp-files services
From: Shrikant Bobade fix for systemd tmp files setup services: systemd-journal-flush.service & systemd-logind.service. Signed-off-by: Shrikant Bobade --- ...ystemd-fix-for-systemd-tmp-files-services.patch | 110 + .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 111 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch new file mode 100644 index 000..385e6e2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch 
@@ -0,0 +1,110 @@ +From 2156e7428c5f58f3b13cfa95a1a4789299d2c448 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Wed, 27 Jul 2016 19:42:43 +0530 +Subject: [PATCH 8/8] systemd: fix for systemd tmp-files services + +fix for systemd tmp files setup service while using refpolicy-minimum and +systemd as init manager. + +these allow rules require kernel domain & files access, so added interfaces +at systemd.te to merge these allow rules. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" +path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd +_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file + +audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" +name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 +tclass=dir permissive=0 + +[FAILED] Failed to start Create Static Device Nodes in /dev. +See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. + +[FAILED] Failed to start Create Volatile Files and Directories. +See 'systemctl status systemd-tmpfiles-setup.service' for details. + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/kernel/files.if | 19 +++ + policy/modules/kernel/kernel.if | 23 +++ + policy/modules/system/systemd.te | 3 +++ + 3 files changed, 45 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 1cedea2..4ea7d55 100644 +--- a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +@@ -6729,3 +6729,22 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++ ++## ++##systemd tmp files access to kernel tmp files domain ++## ++## ++## ++##Domain allowed access. 
++## ++## ++# ++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` ++ gen_require(` ++ type tmp_t; ++class lnk_file getattr; ++ ') ++ ++ allow $1 tmp_t:lnk_file getattr; ++') +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index f1130d1..4604441 100644 +--- a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` + typeattribute $1 kern_unconfined; + kernel_load_module($1) + ') ++ ++ ++## ++##systemd tmp files access to kernel sysctl domain ++## ++## ++## ++##Domain allowed access. ++## ++## ++# ++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` ++ gen_require(` ++type sysctl_kernel_t; ++class dir search; ++class file { open read }; ++ ') ++ ++allow $1 sysctl_kernel_t:dir search; ++allow $1 sysctl_kernel_t:file { open read }; ++ ++') ++ +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 22021eb..8813664 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; + allow systemd_tmpfiles_t self:capability net_admin; + + allow systemd_tmpfiles_t init_t:file { open getattr read }; ++ ++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) ++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index 74f7e19..8a73293 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -69,6 +69,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\ file://0005-init-fix-reboot-wit
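Review bot: The two interfaces added in files.if and kernel.if duplicate existing refpolicy interfaces and break the module naming convention. `kernel_read_kernel_sysctls()` already grants dir search plus file open/read on sysctl_kernel_t, and `files_read_generic_tmp_symlinks()` covers lnk_file getattr on tmp_t, so the systemd.te hunk can call those directly instead of `systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t` and `systemd_service_allow_kernel_files_domain_to_tmp_t`. If new interfaces are kept, refpolicy expects them to carry the owning module's prefix (`kernel_`, `files_`), and the kernel.if body has a stray blank line before the closing `')` plus a trailing empty `+` line.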
[yocto] [meta-selinux][RFC 7/8] systemd: fix for login & journal service
From: Shrikant Bobade 1. fix for systemd services: login & journal wile using refpolicy-minimum and systemd as init manager. 2. fix login duration after providing root password. Signed-off-by: Shrikant Bobade --- ...007-systemd-fix-for-login-journal-service.patch | 104 + .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 105 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch new file mode 100644 index 000..9af0469 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch 
@@ -0,0 +1,104 @@ +From b767672932ecafa14480cffa0494a44dc78962fa Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Wed, 27 Jul 2016 18:09:34 +0530 +Subject: [PATCH 7/8] systemd: fix for login & journal service + +1. fix for systemd services: login & journal wile using refpolicy-minimum and +systemd as init manager. +2. fix login duration after providing root password. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ +systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 +tclass=fifo_file permissive=0 + +audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path +="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file + +audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: +system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path +="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl +--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: +lib_t:s0 tclass=service + +[FAILED] Failed to start Flush Journal to Persistent Storage. +See 'systemctl status systemd-journal-flush.service' for details. + +[FAILED] Failed to start Login Service. +See 'systemctl status systemd-logind.service' for details. + +[FAILED] Failed to start Avahi mDNS/DNS-SD Stack. +See 'systemctl status avahi-daemon.service' for details. 
+ +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 5 + + policy/modules/system/locallogin.te | 3 +++ + policy/modules/system/systemd.if| 6 -- + policy/modules/system/systemd.te| 3 ++- + 4 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 19a7a20..cefa59d 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1105,3 +1105,8 @@ allow init_t self:capability2 audit_read; + + allow initrc_t init_t:system { start status reboot }; + allow initrc_t init_var_run_t:service { start status }; ++ ++allow initrc_t init_var_run_t:service stop; ++allow initrc_t init_t:dbus send_msg; ++ ++allow init_t initrc_t:dbus { send_msg acquire_svc }; +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 09ec33f..be25c82 100644 +--- a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock}; + allow local_login_t var_run_t:sock_file write; + allow local_login_t tmpfs_t:dir { add_name write search}; + allow local_login_t tmpfs_t:file { create open read write lock }; ++allow local_login_t init_var_run_t:fifo_file write; ++allow local_login_t initrc_t:dbus send_msg; ++allow initrc_t local_login_t:dbus send_msg; +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 822c03d..8723527 100644 +--- a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',` + # + interface(`systemd_service_lib_function',` + gen_require(` +- class service start; ++ class service { start status stop }; ++ class file { execmod open }; + ') + +- allow initrc_t $1:service start; ++ allow initrc_t $1:service { start status stop }; ++ allow initrc_t $1:file execmod; + + ') +diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te +index 70ccb0e..22021eb 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +@@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all
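Review bot: In the systemd.if hunk, `systemd_service_lib_function` now grants `allow initrc_t $1:file execmod`, which has nothing to do with starting, stopping or querying a service: execmod permits executing a file mapping that has been modified in memory (text relocations) and is a W^X exception that should be limited to the specific shared objects that need it, not granted on the whole type passed in (lib_t, which covers everything under /lib and /usr/lib). Drop it from this interface; `open` is also declared in the gen_require class set but never used.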
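Review bot: The init.te hunk writes raw `dbus send_msg`/`acquire_svc` rules between initrc_t and init_t, and the locallogin.te hunk does the same between local_login_t and initrc_t; refpolicy expresses D-Bus chat between domains through module interfaces (init_dbus_chat() on the init side, if present in this version) so the class requirements and the bidirectional rule pair stay in one place. Note also that `allow initrc_t init_var_run_t:service stop` only covers units under /run/systemd; the journald unit in the quoted denial is lib_t and is reached through the systemd.if change instead, which is worth stating in the commit message so the two rules are not confused.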
[yocto] [meta-selinux][RFC 6/8] systemd: mount: enable required refpolicy booleans
From: Shrikant Bobade enable required refpolicy booleans for these modules mount: allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all Signed-off-by: Shrikant Bobade --- ...mount-enable-requiried-refpolicy-booleans.patch | 43 ++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 44 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch new file mode 100644 index 000..cd93d1d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch 
@@ -0,0 +1,43 @@ +systemd: mount: enable requiried refpolicy booleans + +enable required refpolicy booleans for these modules + +i. mount: allow_mount_anyfile +without enabling this boolean we are getting below avc denial + +audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media +/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 +tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 + +This avc can be allowed using the boolean 'allow_mount_anyfile' +allow mount_t initrc_var_run_t:dir mounton; + +ii. systemd : systemd_tmpfiles_manage_all +without enabling this boolean we are not getting access to mount systemd +essential tmpfs during bootup, also not getting access to create audit.log + + ls /var/log + /var/log -> volatile/log +:~# + +upstream-status: pending + +Signed-off-by: Shrikant Bobade + +--- a/policy/booleans.conf b/policy/booleans.conf +@@ -1156,12 +1156,12 @@ racoon_read_shadow = false + # + # Allow the mount command to mount any directory or file. + # +-allow_mount_anyfile = false ++allow_mount_anyfile = true + + # + # Enable support for systemd-tmpfiles to manage all non-security files. + # +-systemd_tmpfiles_manage_all = false ++systemd_tmpfiles_manage_all = true + + # + # Allow users to connect to mysql diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index d319561..b62167f 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -67,6 +67,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\ file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \ file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \ file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \ + file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
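Review bot: Flipping `allow_mount_anyfile` to true in booleans.conf is broader than the denial warrants: the commit message itself shows the single rule the boolean wraps for this case, `allow mount_t initrc_var_run_t:dir mounton;`, which permits mounting on /run directories only, whereas the boolean lets mount_t mount on any file or directory on the system. Prefer the narrow rule (or an interface carrying it) and leave the boolean at its default. Likewise `systemd_tmpfiles_manage_all = true` lets systemd-tmpfiles relabel every non-security file; if the only need is the /var/volatile layout (the `/var/log -> volatile/log` case in the message), labelling those directories via file contexts is the targeted fix. Two smaller points: this patch lacks the `From:`/`diff --git`/`index` header the other seven carry, and the typo `requiried` in the patch file name will persist in SRC_URI unless fixed before merge.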
[yocto] [meta-selinux][RFC 5/8] init: fix reboot with systemd as init manager.
From: Shrikant Bobade add allow rule to fix avc denial during system reboot. Signed-off-by: Shrikant Bobade --- ...t-fix-reboot-with-systemd-as-init-manager.patch | 35 ++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch new file mode 100644 index 000..69a9019 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch 
@@ -0,0 +1,35 @@ +From cabab1db81115da296193ea8d917dc7cadfdd8f6 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Mon, 25 Jul 2016 18:30:59 +0530 +Subject: [PATCH 5/6] init: fix reboot with systemd as init manager. + +add allow rule to fix avc denial during system reboot. + +without this change we are getting: + +audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj= +system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0 +gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r: +initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index f9d7114..19a7a20 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate; + allow init_t self:capability2 block_suspend; + allow init_t self:capability2 audit_read; + +-allow initrc_t init_t:system { start status }; ++allow initrc_t init_t:system { start status reboot }; + allow initrc_t init_var_run_t:service { start status }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index 151c973..d319561 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -66,6 +66,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\ file://0002-audit-logging-getty-audit-related-allow-rules.patch \ file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \ file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \ + file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
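Review bot: `allow initrc_t init_t:system { start status reboot }` grants the reboot permission to initrc_t, and in refpolicy-minimum that is the catch-all domain for nearly every service; after this change any compromised or misbehaving initrc_t process can reboot the system. The cmdline in the denial is systemctl itself, so identify which initrc_t parent issues the reboot and give that script or daemon its own domain carrying the reboot permission rather than widening the shared one. The embedded Subject still reads `[PATCH 5/6]` although the series is 8 patches; regenerating with `git format-patch` before final submission keeps the numbering consistent.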
[yocto] [meta-selinux][RFC 4/8] locallogin: add allow rules for type local_login_t
From: Shrikant Bobade add allow rules for locallogin module avc denials. Signed-off-by: Shrikant Bobade --- ...in-add-allow-rules-for-type-local_login_t.patch | 52 ++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 53 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch new file mode 100644 index 000..fd3d477 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch 
@@ -0,0 +1,52 @@ +From 545ebd866283ae929cfec716d067cd34015ad142 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Mon, 25 Jul 2016 18:26:18 +0530 +Subject: [PATCH 4/6] locallogin: add allow rules for type local_login_t + +add allow rules for locallogin module avc denials. + +without this change we are getting errors like these: + +type=AVC msg=audit(): avc: denied { read write open } for pid=353 +comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext +=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: +var_log_t:s0 tclass=file permissive=1 + +type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 +tclass=unix_dgram_socket permissive=1 + +type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= +"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r +:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass +=file permissive=1 + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/locallogin.te | 10 ++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 53923f8..09ec33f 100644 +--- a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +@@ -274,3 +274,13 @@ optional_policy(` + optional_policy(` + nscd_use(sulogin_t) + ') ++ ++allow local_login_t initrc_t:fd use; ++allow local_login_t initrc_t:unix_dgram_socket sendto; ++allow local_login_t initrc_t:unix_stream_socket connectto; ++allow local_login_t self:capability net_admin; ++allow local_login_t var_log_t:file { create lock open read write }; ++allow local_login_t var_run_t:file { open read write lock}; ++allow local_login_t var_run_t:sock_file write; ++allow local_login_t tmpfs_t:dir { add_name write search}; ++allow 
local_login_t tmpfs_t:file { create open read write lock }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index c051aec..151c973 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -65,6 +65,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\ file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \ file://0002-audit-logging-getty-audit-related-allow-rules.patch \ file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \ + file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
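Review bot: The locallogin.te hunk grants local_login_t broad create/write access on generic var_log_t and tmpfs_t files instead of fixing the labels: every quoted denial is for /var/volatile/log/lastlog, which refpolicy's authlogin module labels with its dedicated lastlog_t type, and the file only ends up var_log_t/tmpfs_t because /var/log is a symlink into the volatile tmpfs and nothing relabels that tree. A file context (or tmpfiles rule) for /var/volatile/log would make the existing lastlog rules apply and avoid giving login write access to every log file and every tmpfs file. `allow local_login_t self:capability net_admin` is also suspect: it typically comes from libsystemd's SO_SNDBUFFORCE/SO_RCVBUFFORCE socket setup, which falls back to the unprivileged setsockopt when the capability is missing, so a `dontaudit` is the usual treatment rather than an allow. More generally, audit2allow output records what was attempted, not what should be permitted; each rule in this series deserves that check before it becomes policy.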
[yocto] [meta-selinux][RFC 2/8] audit: logging: getty: audit related allow rules
From: Shrikant Bobade add allow rules for audit.log file & resolve dependent avc denials. Signed-off-by: Shrikant Bobade --- ...t-logging-getty-audit-related-allow-rules.patch | 66 ++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 67 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch new file mode 100644 index 000..e0c0132 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch 
@@ -0,0 +1,66 @@ +From 674a1c03a08bae583e1a50acd48489dd2d4f3f33 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Mon, 25 Jul 2016 17:44:13 +0530 +Subject: [PATCH 2/6] audit: logging: getty: audit related allow rules + +add allow rules for audit.log file & resolve dependent avc denials. + +without this change we are getting audit avc denials mixed into bootlog & +audit other avc denials. + +audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" +name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=sy0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 +audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ +volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t +:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/getty.te | 3 +++ + policy/modules/system/logging.te | 8 + 2 files changed, 11 insertions(+) + +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index f6743ea..84eaf77 100644 +--- a/policy/modules/system/getty.te b/policy/modules/system/getty.te +@@ -139,3 +139,6 @@ optional_policy(` + optional_policy(` + udev_read_db(getty_t) + ') ++ ++allow getty_t tmpfs_t:dir search; ++allow getty_t tmpfs_t:file { open write lock }; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 9b18aad..fdf86ef 100644 +--- a/policy/modules/system/logging.te b/policy/modules/system/logging.te +@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; + allow audisp_t self:unix_dgram_socket create_socket_perms; + + allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; ++allow 
audisp_t initrc_t:unix_dgram_socket sendto; + + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) + files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) +@@ -569,3 +570,10 @@ optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) + ') ++ ++ ++allow auditd_t tmpfs_t:file { getattr setattr create open read append }; ++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; ++allow auditd_t initrc_t:unix_dgram_socket sendto; ++ ++allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index 861bfdc..4d07e62 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -63,6 +63,7 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO SYSTEMD_REFPOLICY_PATCHES = "\ file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \ + file://0002-audit-logging-getty-audit-related-allow-rules.patch \ " -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
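Review bot: In the getty.te hunk, `allow getty_t tmpfs_t:file { open write lock }` exists only because /var/volatile/log/wtmp is not labelled with the wtmp_t type refpolicy already gives getty access to; granting getty write on every tmpfs_t file is the wrong fix, and a file context for the volatile log directory makes the existing rule apply.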
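Review bot: In the second logging.te hunk, `allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }` lists `search` twice and, together with the tmpfs_t:file rule, lets auditd create and append to any file on any tmpfs rather than to its own audit log type under /var/log/audit; the root cause is again the unlabelled /var/volatile tree, and a file context there keeps auditd confined to auditd_log_t. The hunk also leaves logging.te without a trailing newline (`\ No newline at end of file`), which patch 3/8 then has to undo; add the newline here.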
[yocto] [meta-selinux][RFC 3/8] systemd: mount: logging: authlogin: add allow rules
From: Shrikant Bobade add allow rules for avc denails for systemd, mount, logging & authlogin modules. without this change we are getting avc. denials from these modules. Signed-off-by: Shrikant Bobade --- ...d-mount-logging-authlogin-add-allow-rules.patch | 92 ++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 93 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch new file mode 100644 index 000..8e330ce --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch 
@@ -0,0 +1,92 @@ +From 9a9490491e6d4c30249033c84c21634dac988b06 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Mon, 25 Jul 2016 18:10:28 +0530 +Subject: [PATCH 3/6] systemd: mount: logging: authlogin: add allow rules + +add allow rules for avc denails for systemd, mount, logging & authlogin +modules. + +without this change we are getting avc denial like these: + +type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- +tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= +unix_dgram_socket permissive=0 + +type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- +tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: +system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= +file permissive=0 + +type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" +path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: +mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket + +type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 +comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 +tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/authlogin.te | 2 ++ + policy/modules/system/logging.te | 7 ++- + policy/modules/system/mount.te | 3 +++ + policy/modules/system/systemd.te | 6 ++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index f80dfcb..5fab54a 100644 +--- a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +@@ -464,3 +464,5 @@ optional_policy(` + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) + ') ++ ++allow chkpwd_t proc_t:filesystem getattr; +diff --git 
a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index fdf86ef..107db03 100644 +--- a/policy/modules/system/logging.te b/policy/modules/system/logging.te +@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; + allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; + allow auditd_t initrc_t:unix_dgram_socket sendto; + +-allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file ++allow klogd_t initrc_t:unix_dgram_socket sendto; ++ ++allow syslogd_t self:shm create; ++allow syslogd_t self:sem { create read unix_write write }; ++allow syslogd_t self:shm { read unix_read unix_write write }; ++allow syslogd_t tmpfs_t:file { read write }; +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 1c2fc33..b699309 100644 +--- a/policy/modules/system/mount.te b/policy/modules/system/mount.te +@@ -229,3 +229,6 @@ optional_policy(` + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) + unconfined_domain(unconfined_mount_t) + ') ++ ++allow mount_t proc_t:filesystem getattr; ++allow mount_t initrc_t:udp_socket { read write }; +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index fdb9fef..734d455 100644 +--- a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` + files_relabel_non_security_dirs(systemd_tmpfiles_t) + files_relabel_non_security_files(systemd_tmpfiles_t) + ') ++ ++allow systemd_tmpfiles_t init_t:dir search; ++allow systemd_tmpfiles_t proc_t:filesystem getattr; ++allow systemd_tmpfiles_t init_t:file read; ++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; ++allow systemd_tmpfiles_t self:capability net_admin; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/
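Review bot: `allow chkpwd_t proc_t:filesystem getattr` in the authlogin.te hunk references proc_t, a type owned by the kernel module, directly from another module; refpolicy's layering requires going through the owning module's interface, here `kernel_getattr_proc(chkpwd_t)`. The same applies to `allow mount_t proc_t:filesystem getattr` in the mount.te hunk and `allow systemd_tmpfiles_t proc_t:filesystem getattr` in the systemd.te hunk.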
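Review bot: `allow mount_t initrc_t:udp_socket { read write }` in the mount.te hunk allows I/O on a UDP socket mount inherited from initrc_t (the denial shows `path="socket:[9717]"`), which is a leaked descriptor rather than something mount needs; the usual treatment is a `dontaudit` for the inherited socket, and ideally the parent marks it close-on-exec so it is never inherited.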
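Review bot: In the systemd.te hunk, `allow systemd_tmpfiles_t init_t:dir search` plus `init_t:file read` for /proc/1/environ is the kind of access refpolicy's init module exposes through an interface (init_read_state(), if present in this version); patch 7/8 later has to extend the file rule to `{ open getattr read }`, which is the usual sign that a raw rule was incomplete. `allow systemd_tmpfiles_t self:capability net_admin` most likely stems from libsystemd's SO_SNDBUFFORCE attempt on the journal socket, which works without the capability, so a `dontaudit` is safer than granting it. In the logging.te hunk the three syslogd_t self:shm/sem lines can be merged into one rule per class.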
[yocto] [meta-selinux][RFC 1/8] systemd:unconfined:lib: add systemd services allow rules
From: Shrikant Bobade systemd allow rules for systemd service file operations: start, stop, restart & allow rule for unconfined systemd service. without this change we are getting avc denials and access denied when performing operations on the service file. Signed-off-by: Shrikant Bobade --- ...onfined-lib-add-systemd-services-allow-ru.patch | 123 + .../refpolicy/refpolicy_2.20151208.inc | 9 ++ 2 files changed, 132 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch new file mode 100644 index 000..2b09e1c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch 
@@ -0,0 +1,123 @@ +From 0bd77bedc3edab3703738f018cf76c70c8026a16 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Mon, 25 Jul 2016 16:58:59 +0530 +Subject: [PATCH 1/6] systemd:unconfined:lib: add systemd services allow rules + +systemd allow rules for systemd service file operations: start, stop, restart +& allow rule for unconfined systemd service. + +without this change we are getting these errors: +:~# systemctl status selinux-init.service +Failed to get properties: Access denied + +:~# systemctl stop selinux-init.service +Failed to stop selinux-init.service: Access denied + +:~# systemctl restart selinux-init.service +audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= +system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 +gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl +restart selinux-init.service" scontext=unconfined_u:unconfined_r: +unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service + +upstream-status: pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/init.te | 6 +- + policy/modules/system/libraries.te | 3 +++ + policy/modules/system/systemd.if| 40 + + policy/modules/system/unconfined.te | 6 ++ + 4 files changed, 54 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index d710fb0..f9d7114 100644 +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -1100,4 +1100,8 @@ optional_policy(` + # systemd related allow rules + allow kernel_t init_t:process dyntransition; + allow devpts_t device_t:filesystem associate; +-allow init_t self:capability2 block_suspend; +\ No newline at end of file ++allow init_t self:capability2 block_suspend; ++allow init_t self:capability2 audit_read; ++ ++allow initrc_t init_t:system { start status }; ++allow initrc_t init_var_run_t:service { start status }; +diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te +index 0f5cd56..df98fe9 100644 +--- a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te +@@ -144,3 +144,6 @@ optional_policy(` + optional_policy(` + unconfined_domain(ldconfig_t) + ') ++ ++# systemd: init domain to start lib domain service ++systemd_service_lib_function(lib_t) +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 3cd6670..822c03d 100644 +--- a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` + + allow $1 power_unit_t:service start; + ') ++ ++ ++ ++## ++## Allow specified domain to start stop reset systemd service ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_service_file_operations',` ++ gen_require(` ++ class service { start status stop }; ++ ') ++ ++ allow $1 lib_t:service { start status stop }; ++ ++') ++ ++ ++ ++## ++## Allow init domain to start lib domain service ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_service_lib_function',` ++ gen_require(` ++ class service start; ++ ') ++ ++ allow initrc_t $1:service start; ++ ++') +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index 99cab31..87a1b03 100644 +--- a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) + optional_policy(` + unconfined_dbus_chat(unconfined_execmem_t) + ') ++ ++ ++# systemd: specified domain to start stop reset systemd service ++systemd_service_file_operations(unconfined_t) ++ ++a
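Review bot: in the init.te hunk, `allow initrc_t init_t:system { start status };`, `allow initrc_t init_var_run_t:service { start status };` and `allow init_t self:capability2 audit_read;` are not explained by the denials quoted in the commit message, which are all for unconfined_t on lib_t:service; each rule should come with the AVC it fixes. The `\ No newline at end of file` marker also shows the earlier patch in this series left init.te without a trailing newline; fix that in the patch that introduced it rather than here.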
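Review bot: both new interfaces in the systemd.if hunk carry a parameter description copied from a dontaudit template ("Domain to not audit.") although they add allow rules, and the summary of systemd_service_file_operations says "start stop reset" while the rule grants `{ start status stop }`. systemd_service_lib_function() also inverts the refpolicy convention that $1 is the domain being granted access: it hardcodes initrc_t as the subject and takes the object type as its argument, so it reads better as a plain rule in init.te or as an interface called with the domain. The three blank lines before each interface can go.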
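Review bot: granting `lib_t:service { start status stop }` to unconfined_t and `lib_t:service start` to initrc_t (libraries.te and unconfined.te hunks) works around the real problem visible in the quoted denial: selinux-init.service is labelled lib_t because no file context exists for it, so every unit under /lib/systemd/system becomes startable and stoppable under one generic type. The context in systemd.if already shows the intended pattern (`allow $1 power_unit_t:service start;`): declare a unit type for this service with a file context and grant on that type instead.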
[yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
Hi, Using refpolicy-minimum v20151208 with systemd as init manager, I am facing a few issues in enforcing mode: 1. systemd service status check, start & stop 2. auditd logfile error, so it is mixing with the boot log. 3. also other avc denials related to tmpfs & other types etc. setup details: poky and meta-selinux: both at master head & systemd enabled, with these SELinux booleans enabled: i. systemd_tmpfiles_manage_all ii. allow_mount_anyfile. Captured the avc denials to fix the systemd execution; attached SELinux-Modules.txt: the allow rules generated using the audit tools. I am trying to merge these modules into the actual refpolicy modules, so we get the out-of-the-box experience for smooth systemd execution. Observed that the policy store sometimes seems corrupted when I start inserting the prepared policy module allow rules into the actual refpolicy modules. Has anyone else faced similar issues? Any pointers or references will be a great help. Thanks Shrikant
# SELinux Modules
require { type unconfined_t; type init_t; class system reload; }
#= unconfined_t ==
allow unconfined_t init_t:system reload;
##
require { type tmpfs_t; type auditd_t; class file create; }
#= auditd_t ==
allow auditd_t tmpfs_t:file create;
##
require { type tmpfs_t; type auditd_t; class file { open read }; }
#= auditd_t ==
allow auditd_t tmpfs_t:file { open read };
##
require { type tmpfs_t; type auditd_t; class file append; }
#= auditd_t ==
allow auditd_t tmpfs_t:file append;
##
require { type tmpfs_t; type auditd_t; class file getattr; }
#= auditd_t ==
allow auditd_t tmpfs_t:file getattr;
##
require { type tmpfs_t; type auditd_t; class file setattr; }
#= auditd_t ==
allow auditd_t tmpfs_t:file setattr;
require { type tmpfs_t; type auditd_t; class dir open; }
#= auditd_t ==
allow auditd_t tmpfs_t:dir open;
##
require { type tmpfs_t; type auditd_t; class dir read; }
#= auditd_t ==
allow auditd_t tmpfs_t:dir read;
##
require { type tmpfs_t; type auditd_t; class dir open; }
#= auditd_t ==
allow auditd_t tmpfs_t:dir open;
require { type tmpfs_t; type initrc_t; type auditd_t; class unix_dgram_socket sendto; class dir search; }
#= auditd_t ==
allow auditd_t initrc_t:unix_dgram_socket sendto;
allow auditd_t tmpfs_t:dir search;
require { type tmpfs_t; type auditd_t; class dir add_name; }
#= auditd_t ==
allow auditd_t tmpfs_t:dir add_name;
##
require { type tmpfs_t; type auditd_t; class dir write; }
#= auditd_t ==
allow auditd_t tmpfs_t:dir write;
##
require { type var_run_t; type init_t; type syslogd_t; type systemd_tmpfiles_t; type initrc_t; type klogd_t; type chkpwd_t; type local_login_t; type proc_t; type getty_t; type tmpfs_t; type mount_t; class capability2 audit_read; class file read; class filesystem getattr; class unix_dgram_socket sendto; class shm create; class dir search; }
#= chkpwd_t ==
allow chkpwd_t proc_t:filesystem getattr;
#= getty_t ==
allow getty_t tmpfs_t:dir search;
#= init_t ==
allow init_t self:capability2 audit_read;
#= klogd_t ==
# This avc is allowed in the current policy
allow klogd_t initrc_t:unix_dgram_socket sendto;
#= local_login_t ==
allow local_login_t var_run_t:file read;
#= mount_t ==
allow mount_t proc_t:filesystem getattr;
#= syslogd_t ==
allow syslogd_t self:shm create;
#= systemd_tmpfiles
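The module listing above is what audit2allow emits when each denial is fed to it separately: one `require` block and one rule per denial, which is why the same (domain, type, class) pair shows up several times and why merging the result into the refpolicy .te files by hand is error-prone. The script below is an added example, not code from meta-selinux, refpolicy or this thread: it parses raw AVC lines, merges every permission for a (source, target, class) triple into one rule, prints the single `require` block a loadable module would need, and flags the rules a reviewer should not merge blindly (capability grants, and read/write on sockets inherited from init scripts). The input lines are constructed, modelled on the denials quoted in this thread; the net_admin line is invented to show the capability check.

```python
"""Aggregate raw AVC denials into merged, audit2allow-style allow rules.

Added example for the thread above; not part of meta-selinux or refpolicy.
SAMPLE_AVC is constructed input modelled on the denials quoted in the
thread (wrapping removed); the net_admin denial is invented.
"""
import re
from collections import defaultdict

# Constructed sample input: one denial per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1469441428.101:23): avc:  denied  { sendto } for  pid=893 comm="systemd-tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1469441428.102:24): avc:  denied  { open } for  pid=703 comm="systemd-tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=AVC msg=audit(1469441428.103:25): avc:  denied  { read write } for  pid=486 comm="mount" path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1469441428.104:26): avc:  denied  { unix_read unix_write } for  pid=292 comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1469441428.105:27): avc:  denied  { create } for  pid=292 comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
type=AVC msg=audit(1469441428.106:28): avc:  denied  { net_admin } for  pid=893 comm="systemd-tmpfile" capability=12 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    tclass = m.group("tclass").rstrip("'")  # userspace AVCs end the msg='...' quote here
    return stype, ttype, tclass, set(m.group("perms").split())


def aggregate(lines):
    """Merge all denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def _perm_str(perms):
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"


def format_rules(rules):
    """One allow rule per (source, target, class); 'self' when source == target."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {_perm_str(perms)};")
    return out


def gen_require(rules):
    """The single require { } block a loadable module needs for these rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    block = ["require {"] + [f"\ttype {t};" for t in types]
    block += [f"\tclass {c} {_perm_str(p)};" for c, p in sorted(classes.items())]
    block.append("}")
    return block


def flag_risky(rules):
    """Rules that should not be merged into refpolicy .te files as they stand."""
    flagged = []
    for key, perms in rules.items():
        stype, ttype, tclass = key
        if tclass in ("capability", "capability2"):
            flagged.append((key, "capability grant; confirm the daemon really needs it"))
        elif ttype == "initrc_t" and tclass.endswith("socket") and perms & {"read", "write"}:
            flagged.append((key, "descriptor inherited from an init script; dontaudit or close it"))
    return flagged


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVC.splitlines())
    print("\n".join(gen_require(rules)))
    print("\n".join(format_rules(rules)))
    for key, why in flag_risky(rules):
        print(f"# review: {key} -> {why}")
```

Run it on `ausearch -m avc` output piped to stdin instead of the sample to get one merged rule per triple; the flagged entries are exactly the two kinds of rule the patches earlier in this thread add verbatim (self:capability net_admin, initrc_t:udp_socket { read write }).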
[yocto] [meta-selinux][PATCH] eudev: add wildcard version
From: Shrikant Bobade eudev version at poky updated to v3.2 from v3.1.5, so moving it to use wildcard in order to fix the parsing error. Signed-off-by: Shrikant Bobade --- recipes-core/eudev/eudev_%.bbappend | 3 +++ recipes-core/eudev/eudev_3.1.5.bbappend | 3 --- 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 recipes-core/eudev/eudev_%.bbappend delete mode 100644 recipes-core/eudev/eudev_3.1.5.bbappend diff --git a/recipes-core/eudev/eudev_%.bbappend b/recipes-core/eudev/eudev_%.bbappend new file mode 100644 index 000..e1e7cd1 --- /dev/null +++ b/recipes-core/eudev/eudev_%.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +inherit enable-selinux diff --git a/recipes-core/eudev/eudev_3.1.5.bbappend b/recipes-core/eudev/eudev_3.1.5.bbappend deleted file mode 100644 index e1e7cd1..000 --- a/recipes-core/eudev/eudev_3.1.5.bbappend +++ /dev/null @@ -1,3 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -inherit enable-selinux -- 1.9.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
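Review bot: the new eudev_%.bbappend keeps `FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"` although the only other line is `inherit enable-selinux` and nothing is added to SRC_URI; either drop that line or say in the commit message which files under recipes-core/eudev/eudev it is meant to pick up. A `%` wildcard also means the append now applies to every future eudev version, which is fine as long as the enable-selinux class keeps working there.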
[yocto] [meta-selinux][PATCH] packagegroup-selinux-policycoreutils: add policycoreutils-hll
From: Shrikant Bobade we need policycoreutils-hll to insert a custom policy module/package; without it semodule install fails with this error: libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/ pp : No such file or directory libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory). semodule: Failed! Signed-off-by: Shrikant Bobade --- recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb index 7f56d7c..b566134 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb @@ -33,5 +33,6 @@ RDEPENDS_${PN} = "\ policycoreutils-sestatus \ policycoreutils-setfiles \ policycoreutils-setsebool \ + policycoreutils-hll \ system-config-selinux \ " -- 1.9.1
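Review bot: `policycoreutils-hll` is inserted after policycoreutils-setsebool, which breaks the alphabetical order the visible RDEPENDS entries follow (sestatus, setfiles, setsebool); place it before policycoreutils-sestatus so the list stays sorted.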
[yocto] [meta-selinux][PATCH] iproute2: fix qa warning by using with-selinux
From: Shrikant Bobade WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on libselinux, but it isn't a build dependency, missing libselinux in DEPENDS or PACKAGECONFIG? [build-deps] Signed-off-by: Shrikant Bobade --- recipes-connectivity/iproute2/iproute2_%.bbappend | 1 + 1 file changed, 1 insertion(+) create mode 100644 recipes-connectivity/iproute2/iproute2_%.bbappend diff --git a/recipes-connectivity/iproute2/iproute2_%.bbappend b/recipes-connectivity/iproute2/iproute2_%.bbappend new file mode 100644 index 000..c1e8ed6 --- /dev/null +++ b/recipes-connectivity/iproute2/iproute2_%.bbappend @@ -0,0 +1 @@ +inherit with-selinux -- 1.9.1
[yocto] [meta-selinux][PATCH] libselinux_git: fix warnings of unavailable patches
From: Shrikant Bobade Drop the unavailable patch entries to fix the warnings; even though we are using libselinux v2.5, these warnings pop up during recipe parsing. WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI entry libselinux-get-pywrap-depends-on-selinux.py.patch: file could not be found WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI entry libselinux-mount-procfs-before-check.patch: file could not be found Signed-off-by: Shrikant Bobade --- recipes-security/selinux/libselinux_git.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/recipes-security/selinux/libselinux_git.bb b/recipes-security/selinux/libselinux_git.bb index 20b5534..d2e4a32 100644 --- a/recipes-security/selinux/libselinux_git.bb +++ b/recipes-security/selinux/libselinux_git.bb @@ -11,7 +11,5 @@ SRC_URI += "\ file://libselinux-make-O_CLOEXEC-optional.patch \ file://libselinux-make-SOCK_CLOEXEC-optional.patch \ file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ - file://libselinux-get-pywrap-depends-on-selinux.py.patch \ file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \ - file://libselinux-mount-procfs-before-check.patch \ " -- 1.9.1
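Review bot: the hunk drops two SRC_URI entries whose files are missing, but "file could not be found" only says the patch files vanished; the commit message should state whether the fixes they carried (the pywrap dependency on selinux.py, mounting procfs before the check) are in libselinux 2.5 upstream or are simply being lost for the git recipe.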
[yocto] [meta-selinux][PATCH] refpolicy-minimum_git: add systemd dependent policy modules
From: Shrikant Bobade With systemd enabled, the refpolicy-minimum build breaks due to missing dependent policy modules, so add the dependent modules clock, systemd and udev conditionally based on DISTRO_FEATURES. The dependent systemd policy modules are needed to fix these errors: * Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of .. modules/100/init/cil * Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at line 141 of.. modules/100/init/cil * Failed to resolve 'udev_t' in typeattributeset statement at line 143 of modules/100/init/cil semodule: Failed! Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy-minimum_git.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb index 47ed558..04ceadd 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_git.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb @@ -17,6 +17,8 @@ CORE_POLICY_MODULES = "unconfined \ application libraries miscfiles logging userdomain \ init mount modutils getty authlogin locallogin \ " +#systemd dependent policy modules +CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}" # nscd caches libc-issued requests to the name service. # Without nscd.pp, commands want to use these caches will be blocked. -- 1.9.1
[yocto] [meta-selinux][PATCH 2/2] refpolicy-minimum_2.20151208: add systemd dependent policy modules
From: Shrikant Bobade With systemd enabled, the refpolicy-minimum build breaks due to missing dependent policy modules, so add the dependent modules clock, systemd and udev conditionally based on DISTRO_FEATURES. The dependent systemd policy modules are needed to fix these errors: * Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of .. modules/100/init/cil * Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at line 141 of.. modules/100/init/cil * Failed to resolve 'udev_t' in typeattributeset statement at line 143 of modules/100/init/cil semodule: Failed! Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 47ed558..04ceadd 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -17,6 +17,8 @@ CORE_POLICY_MODULES = "unconfined \ application libraries miscfiles logging userdomain \ init mount modutils getty authlogin locallogin \ " +#systemd dependent policy modules +CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}" # nscd caches libc-issued requests to the name service. # Without nscd.pp, commands want to use these caches will be blocked. -- 1.9.1
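Review bot: this hunk is identical to the one posted for refpolicy-minimum_git.bb (same index 47ed558..04ceadd, same two added lines); rather than patching each refpolicy-minimum recipe separately, the conditional `CORE_POLICY_MODULES +=` belongs in a shared .inc, the same way PATCH 1/2 of this series puts POLICY_SYSTEMD into refpolicy_common.inc, so the two recipes cannot drift apart.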
[yocto] [meta-selinux][PATCH 1/2] refpolicy_common.inc: enable conditional systemd support
From: Shrikant Bobade refpolicy has now introduced systemd support using the POLICY_SYSTEMD variable; with a systemd-enabled setup we need refpolicy with systemd support, so enable it based on DISTRO_FEATURES. Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy_common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 6112c28..1d3b93f 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -40,7 +40,7 @@ POLICY_DISTRO ?= "redhat" POLICY_UBAC ?= "n" POLICY_UNK_PERMS ?= "allow" POLICY_DIRECT_INITRC ?= "n" -POLICY_SYSTEMD ?= "n" +POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}" POLICY_MONOLITHIC ?= "n" POLICY_CUSTOM_BUILDOPT ?= "" POLICY_QUIET ?= "y" -- 1.9.1
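Review bot: the commit message says refpolicy "now introduced" POLICY_SYSTEMD without naming the release; since refpolicy_common.inc is shared by every refpolicy version in the layer, state the first version that understands the option so it is clear which recipes this `?=` default is valid for. Keeping it as `?=` is right: a distro that already sets POLICY_SYSTEMD keeps its own value.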
Re: [yocto] [meta-selinux] Jethro branch
Checked the jethro branch: the image boots successfully, the policy loads well and labels the file-system, thanks! used distro: poky-selinux & image: core-image-selinux meta-yocto-bsp= "branch_jethro:b1f23d1254682866236bfaeb843c0d8aa332efc2" meta-selinux = "branch_jethro:4c75d9cbcf1d75043c7c5ab315aa383d9b227510" Thanks Shrikant On Wed, Mar 2, 2016 at 11:31 AM, Philip Tricca wrote: > On 03/01/2016 08:20 PM, Philip Tricca wrote: > > Hey all, > > > > meta-selinux has been tracking release branches for a while but we're > > missing a Jethro. I've had a Jethro branch on my github fork for a bit. > > It's pointing at 4c75d9cbc from master with no additional changes. Both > > images build, boot, login and pass the basic smoke test. Seems like this > > may be useful to others so I'll put it up in the yocto repo as well. > > I've just pushed this branch. I've tested all 3 kernels in both images > for basic boot / smoke tests. The root user can login and the shell ends > up in the right context. The filesystem is labeled properly. Please post > issues and patches to the list. > > Philip >
[yocto] [meta-selinux] Enquiry Regarding build break of libsepol & libselinux w.r.to 5.2.0
d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib || install -m 755 -d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib | install -m 644 libselinux.a /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib | test -d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/lib || install -m 755 -d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/lib | install -m 755 libselinux.so.1 /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/lib | test -d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib/pkgconfig || install -m 755 -d /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib/pkgconfig | install -m 644 libselinux.pc 
/home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib/pkgconfig | ln -sf --relative /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/lib/libselinux.so.1 /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/image//home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/sysroots/x86_64-linux/usr/lib/libselinux.so | ln: unrecognized option '--relative' | Try `ln --help' for more information. | make[1]: *** [install] Error 1 | make[1]: Leaving directory `/home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/libselinux-2.4/src' | make: *** [install] Error 1 | ERROR: oe_runmake failed | ERROR: Function failed: do_install (log file is located at /home/sbobade/Mentor/POKY_meta-selinux_poky_master/BUILD/tmp/work/x86_64-linux/libselinux-native/2.4-r0/temp/log.do_install.17700) ERROR: Task 3304 (virtual:native:/home/sbobade/Mentor/POKY_meta-selinux_poky_master/meta-selinux/recipes-security/selinux/libselinux_2.4.bb, do_install) failed with exit code '1' NOTE: Tasks Summary: Attempted 1131 tasks of which 958 didn't need to be rerun and 1 failed. Waiting for 0 running tasks to finish: Summary: 1 task failed: virtual:native:/home/sbobade/Mentor/POKY_meta-selinux_poky_master/meta-selinux/recipes-security/selinux/libselinux_2.4.bb, do_install Summary: There were 2 WARNING messages shown. Summary: There were 2 ERROR messages shown, returning a non-zero exit code. sbobade@sbobade-VirtualBox:~/Mentor/POKY_meta-selinux_poky_master/BUILD$ From f1fa2fe8c12b1d82c72ac0bbdf773a541709b941 Mon Sep 17 00:00:00 2001 
From: Shrikant Bobade Date: Tue, 29 Sep 2015 19:36:09 +0530 Subject: [PATCH] libselinux: fix build break w.r.to gcc 5.2.0 this patch provides a build break fix w.r.to gcc 5.2.0 Signed-off-by: Shrikant Bobade --- ...x_fix_build_break_w.r.to_gcc_5.2.0_for_ln.patch | 20 recipes-security/selinux/libselinux_2.4.bb |3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/libselinux/libselinux_fix_build_break_w.r.to_gcc_5.2.0_for_ln.patch diff --git a/recipes-security/selinux/libselinux/libselinux_fix_build_break_w.r.to_gcc_5.2.0_for_ln.patch b/recipes-security/selinux/libselinux/libselinux_fix_build_break_w.r.to_gcc_5.2.0_for_ln.patch new file mode 100644 index 000..80596c2 --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux_fix_build_break_w.r.to_gcc_5.2.0_for_ln.patch @@ -0,0 +1,20 @@ +libselinux: fix build break w.r.to gcc 5.2.0 for ln + +this patch provide build break fix against gcc 5.2.0 +for ln with unrecognized option '--relative' + +upstream-status: pending + +Signed-off-by: Shrikant Bobade + +--- a/src/Makefile b/src/Makefile +@@ -148,7 +148,7 @@ + install -m 755 $(LIBSO) $(SHLIBDIR) +
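Review bot: the failure quoted above the patch is `ln: unrecognized option '--relative'` from the host coreutils, not anything the compiler did, yet the subject and description of both the recipe commit and the embedded patch attribute it to gcc 5.2.0; retitle it as an old-coreutils fix so the next reader does not go looking for a compiler bug. The embedded patch writes `upstream-status: pending`; the Yocto spelling is `Upstream-Status: Pending`. The patch body stops at `install -m 755 $(LIBSO) $(SHLIBDIR)`, so the Makefile change itself cannot be reviewed from this copy.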
[yocto] [meta-selinux][PATCH v2] audit: fix qa warning, update config option
From: Shrikant Bobade update config option '--with-armeb' to '--with-arm' for audit qa warning fix. Signed-off-by: Shrikant Bobade --- recipes-security/audit/audit_2.4.3.bb |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/audit/audit_2.4.3.bb b/recipes-security/audit/audit_2.4.3.bb index 8f125c0..869713a 100644 --- a/recipes-security/audit/audit_2.4.3.bb +++ b/recipes-security/audit/audit_2.4.3.bb @@ -41,7 +41,7 @@ EXTRA_OECONF += "--without-prelude \ --without-python3 \ --disable-zos-remote \ " -EXTRA_OECONF_append_arm = " --with-armeb=yes" +EXTRA_OECONF_append_arm = " --with-arm=yes" EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ -- 1.7.9.5
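Review bot: Khem Raj's review of v1 asked for `EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"` alongside the rename to --with-arm; v2 only renames the arm option, so aarch64 builds still pass no architecture option to configure. Add the line, or say in the commit message why it was left out.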
Re: [yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config
On Fri, Aug 14, 2015 at 2:29 PM, Khem Raj wrote: > On Fri, Aug 14, 2015 at 1:53 AM, Shrikant Bobade > wrote: > > Hi, > > > > observed: WARNING: QA Issue: audit: configure was passed unrecognised > > options: --with-armeb [unknown-configure-option] > > on core-image-selinux (poky-selinux distro) > > > > build tag: > > Build Configuration: > > BB_VERSION= "1.27.1" > > BUILD_SYS = "x86_64-linux" > > NATIVELSBSTRING = "Ubuntu-12.04" > > TARGET_SYS= "arm-poky-linux-gnueabi" > > MACHINE = "qemuarm" > > DISTRO= "poky-selinux" > > DISTRO_VERSION= "1.8+snapshot-20150814" > > TUNE_FEATURES = "arm armv5 thumb dsp" > > TARGET_FPU= "soft" > > meta > > meta-yocto > > meta-yocto-bsp = "master:a533776d6ff83b6e3e830137455b8382d002768b" > > meta-selinux = "master:684ee9401f33db7c9d5b183988d89c688c9dd0be" > > > > > > Thanks > > Shrikant > > > > On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade < > bobadeshrik...@gmail.com> > > wrote: > >> > >> From: Shrikant Bobade > >> > >> remove --with-armeb=yes to fix the configure > >> unrecognised option qa warning. > >> > >> Signed-off-by: Shrikant Bobade > >> --- > >> recipes-security/audit/audit_2.4.3.bb |1 - > >> 1 file changed, 1 deletion(-) > >> > >> diff --git a/recipes-security/audit/audit_2.4.3.bb > >> b/recipes-security/audit/audit_2.4.3.bb > >> index 8f125c0..31f4b03 100644 > >> --- a/recipes-security/audit/audit_2.4.3.bb > >> +++ b/recipes-security/audit/audit_2.4.3.bb > >> @@ -41,7 +41,6 @@ EXTRA_OECONF += "--without-prelude \ > >> --without-python3 \ > >> --disable-zos-remote \ > >> " > >> -EXTRA_OECONF_append_arm = " --with-armeb=yes" > > this is not the right fix because the option has been renamed so you > should change it to > > EXTRA_OECONF_append_arm = " --with-arm=yes" > > and while you are at it also add > > EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" > Thanks, I will update the patch and will re-send it. Thanks Shrikant
Re: [yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config
Hi, observed: WARNING: QA Issue: audit: configure was passed unrecognised options: --with-armeb [unknown-configure-option] on core-image-selinux (poky-selinux distro) build tag: Build Configuration: BB_VERSION= "1.27.1" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "Ubuntu-12.04" TARGET_SYS= "arm-poky-linux-gnueabi" MACHINE = "qemuarm" DISTRO= "poky-selinux" DISTRO_VERSION= "1.8+snapshot-20150814" TUNE_FEATURES = "arm armv5 thumb dsp" TARGET_FPU= "soft" meta meta-yocto meta-yocto-bsp= "master:a533776d6ff83b6e3e830137455b8382d002768b" meta-selinux = "master:684ee9401f33db7c9d5b183988d89c688c9dd0be" Thanks Shrikant On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > remove --with-armeb=yes to fix the configure > unrecognised option qa warning. > > Signed-off-by: Shrikant Bobade > --- > recipes-security/audit/audit_2.4.3.bb |1 - > 1 file changed, 1 deletion(-) > > diff --git a/recipes-security/audit/audit_2.4.3.bb > b/recipes-security/audit/audit_2.4.3.bb > index 8f125c0..31f4b03 100644 > --- a/recipes-security/audit/audit_2.4.3.bb > +++ b/recipes-security/audit/audit_2.4.3.bb > @@ -41,7 +41,6 @@ EXTRA_OECONF += "--without-prelude \ > --without-python3 \ > --disable-zos-remote \ > " > -EXTRA_OECONF_append_arm = " --with-armeb=yes" > > EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ > PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ > -- > 1.7.9.5 > >
[yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config
From: Shrikant Bobade remove --with-armeb=yes to fix the configure unrecognised option qa warning. Signed-off-by: Shrikant Bobade --- recipes-security/audit/audit_2.4.3.bb |1 - 1 file changed, 1 deletion(-) diff --git a/recipes-security/audit/audit_2.4.3.bb b/recipes-security/audit/audit_2.4.3.bb index 8f125c0..31f4b03 100644 --- a/recipes-security/audit/audit_2.4.3.bb +++ b/recipes-security/audit/audit_2.4.3.bb @@ -41,7 +41,6 @@ EXTRA_OECONF += "--without-prelude \ --without-python3 \ --disable-zos-remote \ " -EXTRA_OECONF_append_arm = " --with-armeb=yes" EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ -- 1.7.9.5
Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup
On Tue, Aug 11, 2015 at 7:07 PM, Joe MacDonald wrote: > [Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and > cleanup] On 15.08.11 (Tue 16:39) Shrikant Bobade wrote: > > > Hi Philip, > > > > > > On Tue, Aug 11, 2015 at 10:39 AM, Philip Tricca wrote: > > > > Hey Shrikant, > > > > On 07/30/2015 02:31 AM, Shrikant Bobade wrote: > > > This patch provides green build for core-image-selinux > > > (meta-selinux:master & poky:master) against libpam upgrade from > 1.1.6 to > > > 1.2.1, > > > image boots fine,but I am unable to login at target. I have > prepared > > > build for qemuarm, does anyone else facing similar issue? please > advice. > > > > > > Observed the login issue appears even with disabled selinux support > > > (selinux=0). > > > > I just tested this again after Joe merged the commits from the > backlog. > > I'm not longer able to reproduce the failed login. Are you still > having > > login problems? > > > > > > I also got similar results: > > With the check on latest bits: the login issue is not reproducible on > > core-image-selinux(with poky-selinux distro) > > I can now login properly. > > I'm glad to hear that, guys, because I wasn't able to reproduce the > login problem on my setup and was thinking I needed to spend time in the > next couple of days hunting down what's polluting my environment that I > was getting different results than you. :-) This is a nice treat. > > -J. > > Thanks Joe & Philip, I just compared my latest setup (login working) with the older one (login issue) and observed that this patch at poky served the login fix: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-extended/pam/libpam?id=c75cefe8a382a63f625123c156137782db118f64 Thanks! 
Shrikant > > > > > > Build Configuration: > > BB_VERSION= "1.27.1" > > BUILD_SYS = "x86_64-linux" > > NATIVELSBSTRING = "Ubuntu-12.04" > > TARGET_SYS= "arm-poky-linux-gnueabi" > > MACHINE = "qemuarm" > > DISTRO= "poky-selinux" > > DISTRO_VERSION= "1.8+snapshot-20150811" > > TUNE_FEATURES = "arm armv5 thumb dsp" > > TARGET_FPU= "soft" > > meta > > meta-yocto > > meta-yocto-bsp= "master:a16e0b4014173af46ef80d643bb71055219b0dab" > > meta-selinux = "master:684ee9401f33db7c9d5b183988d89c688c9dd0be" > > > > Thanks! > > Shrikant > > > > > > > > > > Philip > > > > > On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade > > > mailto:bobadeshrik...@gmail.com>> > wrote: > > > > > > From: Shrikant Bobade > > <mailto:shrikant_bob...@mentor.com>> > > > > > > use wildcard for version: adopting libpam upgrade from 1.1.6 to > > 1.2.1, > > > cleanup older recipe and remove patch > > sepermit-add-DESTDIR-prefix.patch > > > since the changes already available with latest source. > > > > > > Signed-off-by: Shrikant Bobade > > <mailto:shrikant_bob...@mentor.com>> > > > --- > > > .../pam/libpam/sepermit-add-DESTDIR-prefix.patch | 31 > > > > > > recipes-extended/pam/libpam_%.bbappend |3 ++ > > > recipes-extended/pam/libpam_1.1.6.bbappend | 10 > --- > > > 3 files changed, 3 insertions(+), 41 deletions(-) > > > delete mode 100644 > > > recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > > create mode 100644 recipes-extended/pam/libpam_%.bbappend > > > delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend > > > > > > diff --git > > > a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > > b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > > deleted file mode 100644 > > > index d48d386..000 > > > --- > a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > > +++ /dev/null > > > @@ -1,31 +0,0 @@ > > > -Subject: [PATCH] libpam: add missing DESTDIR prefix > > > - > > >
Re: [yocto] [meta-selinux] [PATCH] audit: remove add-system-call-table-for-ARM.patch
Thanks for an update. Works for me too.. Thanks Shrikant On Tue, Aug 11, 2015 at 11:07 AM, Robert Yang wrote: > There isn't lib/machinetabs.h any more, there isn't data structures like > "static const char machine_strings", either. > > This fixed a do_patch error when arm. > > Signed-off-by: Robert Yang > --- > .../audit/add-system-call-table-for-ARM.patch | 46 > > recipes-security/audit/audit_2.4.3.bb |2 - > 2 files changed, 48 deletions(-) > delete mode 100644 > recipes-security/audit/audit/add-system-call-table-for-ARM.patch > > diff --git > a/recipes-security/audit/audit/add-system-call-table-for-ARM.patch > b/recipes-security/audit/audit/add-system-call-table-for-ARM.patch > deleted file mode 100644 > index ad94d11..000 > --- a/recipes-security/audit/audit/add-system-call-table-for-ARM.patch > +++ /dev/null 
> @@ -1,46 +0,0 @@ > -From 52ff74be2f01182ed9d4fcc3da059512fad63d72 Mon Sep 17 00:00:00 2001 > -From: Han Chao > -Date: Thu, 27 Feb 2014 14:58:57 +0800 > -Subject: [PATCH] add system call table for ARM. > - > -This change enable audit system call on ARM. > -Add arm System call table on machinetabs.h. > -Audit system call need enable kernel config CONFIG_AUDITSYSCALL. > - > -Signed-off-by: Han Chao > > - lib/machinetabs.h | 11 ++- > - 1 file changed, 6 insertions(+), 5 deletions(-) > - > -diff --git a/lib/machinetabs.h b/lib/machinetabs.h > -index ec2d033..1c2e284 100644 > a/lib/machinetabs.h > -+++ b/lib/machinetabs.h > -@@ -1,10 +1,11 @@ > --/* This is a generated file, see Makefile.am for its inputs. */ > --static const char machine_strings[] = > "i386\0i486\0i586\0i686\0ia64\0ppc\0ppc64\0s390\0s390x\0x86_64"; > -+/* Such is aways generated file, see Makefile.am for its inputs. > -+ * But this version is not generated file, which is for ARM. */ > -+static const char machine_strings[] = > "armeb\0armv5tejl\0armv5tel\0armv6l\0armv7l"; > - static const unsigned machine_s2i_s[] = { > -- 0,5,10,15,20,25,29,35,40,46, > -+ 0,6,16,25,32, > - }; > - static const int machine_s2i_i[] = { > -- 0,0,0,0,2,4,3,6,5,1, > -+ 8,8,8,8,8, > - }; > - static int machine_s2i(const char *s, int *value) { > - size_t len, i; > -@@ -19,7 +20,7 @@ static int machine_s2i(const char *s, int *value) { > - } > - } > - static const unsigned machine_i2s_direct[] = { > -- 0,46,20,29,25,40,35, > -+39,85,59,68,64, > - }; > - static const char *machine_i2s(int v) { > - return i2s_direct__(machine_strings, machine_i2s_direct, 0, 6, v); > --- > -1.7.9.5 > - > diff --git a/recipes-security/audit/audit_2.4.3.bb > b/recipes-security/audit/audit_2.4.3.bb > index 233fb00..3f5026c 100644 > --- a/recipes-security/audit/audit_2.4.3.bb > +++ b/recipes-security/audit/audit_2.4.3.bb 
> @@ -20,8 +20,6 @@ SRC_URI = " > http://people.redhat.com/sgrubb/audit/audit-${PV}.tar.gz \ > SRC_URI[md5sum] = "544d863af2016b76afd8d1691b251164" > SRC_URI[sha256sum] = > "9c914704fecc602e143e37152f3efbab2469692684c1a8cc1b801c1b49c7abc6" > > -SRC_URI_append_arm = "file://add-system-call-table-for-ARM.patch" > - > inherit autotools pythonnative update-rc.d systemd > > UPDATERCPN = "auditd" > -- > 1.7.9.5 > > -- > ___ > yocto mailing list > yocto@yoctoproject.org > https://lists.yoctoproject.org/listinfo/yocto > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
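Review bot: the audit_2.4.3.bb hunk drops `SRC_URI_append_arm = "file://add-system-call-table-for-ARM.patch"` without saying where ARM machine support now comes from. The deleted patch's own description states that its purpose was to add an ARM entry to the machine table so that audit syscall rules work on ARM, while the commit message only says the do_patch failure is gone. Please add a sentence to the commit message confirming that audit 2.4.3 carries ARM support upstream (audit's configure script has a `--with-arm` switch for it, which the recipe would need to pass for arm targets if it is not enabled by default) and, if it was tested, that a syscall rule with `-F arch=b32` still loads on qemuarm. The deleted patch also recorded that CONFIG_AUDITSYSCALL must be enabled in the kernel; that requirement does not disappear with the patch and is worth keeping in the recipe or the layer README.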
Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup
Hi Philip,

On Tue, Aug 11, 2015 at 10:39 AM, Philip Tricca wrote:
> Hey Shrikant,
>
> On 07/30/2015 02:31 AM, Shrikant Bobade wrote:
> > This patch provides green build for core-image-selinux
> > (meta-selinux:master & poky:master) against libpam upgrade from 1.1.6 to
> > 1.2.1,
> > image boots fine, but I am unable to login at target. I have prepared
> > build for qemuarm, is anyone else facing a similar issue? Please advise.
> >
> > Observed the login issue appears even with disabled selinux support
> > (selinux=0).
>
> I just tested this again after Joe merged the commits from the backlog.
> I'm no longer able to reproduce the failed login. Are you still having
> login problems?

I also got similar results:
With the check on latest bits: the login issue is not reproducible on
core-image-selinux (with poky-selinux distro)
I can now login properly.

Build Configuration:
BB_VERSION        = "1.27.1"
BUILD_SYS         = "x86_64-linux"
NATIVELSBSTRING   = "Ubuntu-12.04"
TARGET_SYS        = "arm-poky-linux-gnueabi"
MACHINE           = "qemuarm"
DISTRO            = "poky-selinux"
DISTRO_VERSION    = "1.8+snapshot-20150811"
TUNE_FEATURES     = "arm armv5 thumb dsp"
TARGET_FPU        = "soft"
meta
meta-yocto
meta-yocto-bsp    = "master:a16e0b4014173af46ef80d643bb71055219b0dab"
meta-selinux      = "master:684ee9401f33db7c9d5b183988d89c688c9dd0be"

Thanks!
Shrikant

> Philip
>
> > On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade
> > mailto:bobadeshrik...@gmail.com>> wrote:
> >
> >     From: Shrikant Bobade
> >     <mailto:shrikant_bob...@mentor.com>>
> >
> >     use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1,
> >     cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch
> >     since the changes already available with latest source.
> > > > Signed-off-by: Shrikant Bobade > <mailto:shrikant_bob...@mentor.com>> > > --- > > .../pam/libpam/sepermit-add-DESTDIR-prefix.patch | 31 > > > > recipes-extended/pam/libpam_%.bbappend |3 ++ > > recipes-extended/pam/libpam_1.1.6.bbappend | 10 --- > > 3 files changed, 3 insertions(+), 41 deletions(-) > > delete mode 100644 > > recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > create mode 100644 recipes-extended/pam/libpam_%.bbappend > > delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend > > > > diff --git > > a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > deleted file mode 100644 > > index d48d386..000 > > --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > > +++ /dev/null > > @@ -1,31 +0,0 @@ > > -Subject: [PATCH] libpam: add missing DESTDIR prefix > > - > > -The DESTDIR prefix is missing, this will cause build failures for > > -mkdir /var/run/sepermit on the host. > > - > > -| mkdir -p /var/run/sepermit > > -| mkdir: cannot create directory `/var/run/sepermit': Permission > denied > > - > > -Upstream-Status: Pending > > - > > -Signed-off-by: Xin Ouyang > <mailto:xin.ouy...@windriver.com>> > > > > - modules/pam_sepermit/Makefile.am |2 +- > > - 1 files changed, 1 insertions(+), 1 deletions(-) > > - > > -diff --git a/modules/pam_sepermit/Makefile.am > > b/modules/pam_sepermit/Makefile.am > > -index cfc5594..bc82275 100644 > > a/modules/pam_sepermit/Makefile.am > > -+++ b/modules/pam_sepermit/Makefile.am > > -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX > > - securelib_LTLIBRARIES = pam_sepermit.la <http://pam_sepermit.la> > > - > > - install-data-local: > > -- mkdir -p $(sepermitlockdir) > > -+ mkdir -p $(DESTDIR)$(sepermitlockdir) > > - endif > > - if ENABLE_REGENERATE_MAN > > - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 > > --- > > -1.7.5.4 > > - 
> > diff --git a/recipes-extended/pam/libpam_%.bbappend > > b/recipes-extended/pam/libpam_%.bbappend > > new file mode 100644 > > index 000..adcf938 > > --- /dev/null > > +++ b/recipes-extended/pam/libpam_%.bbappend > > @@ -0,0 +1,3 @@ > > +inherit ena
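Review bot: the quoted `libpam_%.bbappend` hunk is cut off on this page after `+inherit ena`, so the content of the new append cannot be reviewed here; please re-send or reply with the full three lines. On the wildcard itself: `libpam_%.bbappend` will attach to every libpam version poky ships from now on, not just 1.2.1, so anything version-specific that lived in the deleted `libpam_1.1.6.bbappend` should be checked for still applying, and a one-line comment in the append saying it was validated against 1.2.1 would help whoever does the next upgrade. Dropping `sepermit-add-DESTDIR-prefix.patch` is fine as long as 1.2.1's modules/pam_sepermit/Makefile.am already carries the `$(DESTDIR)$(sepermitlockdir)` prefix the patch added; the commit message says it does, so a pointer to the upstream commit would make that verifiable.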
[yocto] [meta-selinux][PATCH 8/8] README : update supported refpolicy version details
From: Shrikant Bobade README updated with the supported refpolicy version details and information of refpolicy building from git repository. Signed-off-by: Shrikant Bobade --- README | 15 +++ 1 file changed, 15 insertions(+) diff --git a/README b/README index 3fe8af4..afee84a 100644 --- a/README +++ b/README @@ -66,6 +66,21 @@ working with this layer, without the additional Poky meta data. This approach may work, but is not generally tested by the maintainers. +Using different versions of refpolicy +- +To prepare selinux enabled images using different ver. of refpolicy, +we can choose supported releases of refpolicy +refer to available versions under recipes-security/refpolicy + +We can use the refpolicy directly from git repository instead of release tarballs. +By default refpolicy from git builds head commit of master branch, we can update +SRCREV for refpolicy and refpolicy-contrib as appropriate at refpolicy_git.inc +to check refpolicy as per required commits. + +* enable the preferred refpolicy-mls to local.conf or oe-selinux.conf +e.g. REFERRED_VERSION_refpolicy-mls = "2.20140311" + + License --- -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
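Review bot: the README example `REFERRED_VERSION_refpolicy-mls = "2.20140311"` has a typo; the BitBake variable is `PREFERRED_VERSION_refpolicy-mls`, and as written the line is silently ignored and the default version gets built. A couple of wording nits in the same hunk while at it: "ver." for "versions", and "to check refpolicy as per required commits" reads better as "to build refpolicy from the required commits". Since this series adds `refpolicy-*_git.bb` recipes, the section could also show the second case it describes: selecting the PV that refpolicy_git.inc assigns to the git recipes with PREFERRED_VERSION, then overriding SRCREV for refpolicy and refpolicy-contrib.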
[yocto] [meta-selinux][PATCH 7/8] refpolicy-minimum: update base refpolicy to git repo
From: Shrikant Bobade A simple forward-port of refpolicy-minimum to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-minimum_git.bb | 48 1 file changed, 48 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum_git.bb diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb new file mode 100644 index 000..b275821 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb 
@@ -0,0 +1,48 @@ +include refpolicy-targeted_${PV}.bb + +SUMMARY = "SELinux minimum policy" +DESCRIPTION = "\ +This is a minimum reference policy with just core policy modules, and \ +could be used as a base for customizing targeted policy. \ +Pretty much everything runs as initrc_t or unconfined_t so all of the \ +domains are unconfined. \ +" + +POLICY_NAME = "minimum" + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:" + +CORE_POLICY_MODULES = "unconfined \ + selinuxutil storage sysnetwork \ + application libraries miscfiles logging userdomain \ + init mount modutils getty authlogin locallogin \ + " + +# nscd caches libc-issued requests to the name service. +# Without nscd.pp, commands want to use these caches will be blocked. +EXTRA_POLICY_MODULES += "nscd" + +# pam_mail module enables checking and display of mailbox status upon +# "login", so "login" process will access to /var/spool/mail. +EXTRA_POLICY_MODULES += "mta" + +POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" + +# re-write the same func from refpolicy_common.inc +prepare_policy_store () { + oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install + + # Prepare to create policy store + mkdir -p ${D}${sysconfdir}/selinux/ + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files + touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + done + cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` + done +} -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
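Review bot: this new file is byte-for-byte the same as `refpolicy-minimum_2.20141203.bb` (both diffs create blob b275821), and the same holds for the standard, mls, mcs and targeted `_git.bb` recipes in this series. Consider moving the shared body, in particular the `prepare_policy_store` override and the module lists, into a `refpolicy-minimum.inc` that each versioned recipe includes, so a fix in one copy is not missed in the other. Within the function itself, `basename $i.pp` is a no-op because every entry in POLICY_MODULES_MIN is a bare module name, so the copy loop can simply be `cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/${i}.pp`.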
[yocto] [meta-selinux][PATCH 6/8] refpolicy-standard: update base refpolicy to git repo
From: Shrikant Bobade A simple forward-port of refpolicy-standard to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-standard_git.bb|8 1 file changed, 8 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-standard_git.bb diff --git a/recipes-security/refpolicy/refpolicy-standard_git.bb b/recipes-security/refpolicy/refpolicy-standard_git.bb new file mode 100644 index 000..3674fdd --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-standard_git.bb @@ -0,0 +1,8 @@ +SUMMARY = "Standard variants of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SELinux built with type enforcement \ +only." + +POLICY_TYPE = "standard" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 5/8] refpolicy-mls: update base refpolicy to git repo
From: Shrikant Bobade A simple forward-port of refpolicy-mls to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy-mls_git.bb | 10 ++ 1 file changed, 10 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-mls_git.bb diff --git a/recipes-security/refpolicy/refpolicy-mls_git.bb b/recipes-security/refpolicy/refpolicy-mls_git.bb new file mode 100644 index 000..7388232 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mls_git.bb @@ -0,0 +1,10 @@ +SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MLS support. \ +It allows giving data labels such as \"Top Secret\" and preventing \ +such data from leaking to processes or files with lower classification. \ +" + +POLICY_TYPE = "mls" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 4/8] refpolicy-mcs: update base refpolicy to git repo
From: Shrikant Bobade A simple forward-port of refpolicy-mcs to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade --- recipes-security/refpolicy/refpolicy-mcs_git.bb | 11 +++ 1 file changed, 11 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-mcs_git.bb diff --git a/recipes-security/refpolicy/refpolicy-mcs_git.bb b/recipes-security/refpolicy/refpolicy-mcs_git.bb new file mode 100644 index 000..062727b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mcs_git.bb @@ -0,0 +1,11 @@ +SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MCS support. \ +An MCS policy is the same as an MLS policy but with only one sensitivity \ +level. This is useful on systems where a hierarchical policy (MLS) isn't \ +needed (pretty much all systems) but the non-hierarchical categories are. \ +" + +POLICY_TYPE = "mcs" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 3/8] refpolicy-targeted: update base refpolicy to git repo
From: Shrikant Bobade A simple forward-port of refpolicy-targeted to use the refpolicy from git repository. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-targeted_git.bb| 20 1 file changed, 20 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-targeted_git.bb diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb new file mode 100644 index 000..b169604 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -0,0 +1,20 @@ +SUMMARY = "SELinux targeted policy" +DESCRIPTION = "\ +This is the targeted variant of the SELinux reference policy. Most service \ +domains are locked down. Users and admins will login in with unconfined_t \ +domain, so they have the same access to the system as if SELinux was not \ +enabled. \ +" + +FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" + +POLICY_NAME = "targeted" +POLICY_TYPE = "mcs" +POLICY_MLS_SENS = "0" + +include refpolicy_${PV}.inc + +SRC_URI += " \ +file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ +file://refpolicy-unconfined_u-default-user.patch \ + " -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
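Review bot: `FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"` only finds the patch directory that patch 1/8 adds (`recipes-security/refpolicy/refpolicy-git/`) if PV expands to exactly `git` when this recipe is parsed. If refpolicy_git.inc sets a PV of its own (for example one carrying `+git${SRCPV}`), the directory will not exist and the two patches listed in SRC_URI here, plus anything refpolicy_git.inc pulls from the same place, will fail to fetch. Either pin the directory name (`${THISDIR}/refpolicy-git:`) or state in the commit message that PV is left at its default for the git recipes.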
[yocto] [meta-selinux][PATCH 2/8] refpolicy git: rebase patches with code base
From: Shrikant Bobade During forward-port of these patches from refpolicy 20140311, requires rebase with the refpolicy git repos head master code base,in order to resolve the patch conflicts. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-git/poky-fc-fstools.patch | 49 +++- .../refpolicy-git/poky-fc-sysnetwork.patch | 27 ++- ...-policy-allow-setfiles_t-to-read-symlinks.patch | 17 +++ ...olicy-fix-setfiles-statvfs-get-file-count.patch |9 ++-- .../refpolicy-update-for_systemd.patch | 49 +++- 5 files changed, 74 insertions(+), 77 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch index 38c96c4..9c45694 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch @@ -1,4 +1,4 @@ -From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001 +From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Mon, 27 Jan 2014 03:54:01 -0500 Subject: [PATCH] refpolicy: fix real path for fstools @@ -7,59 +7,64 @@ Upstream-Status: Inappropriate [configuration] Signed-off-by: Wenzong Fan Signed-off-by: Joe MacDonald +Signed-off-by: Shrikant Bobade --- - policy/modules/system/fstools.fc | 11 +++ - 1 file changed, 11 insertions(+) + policy/modules/system/fstools.fc |9 + + 1 file changed, 9 insertions(+) +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index d10368d..f22761a 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc 
@@ -1,6 +1,8 @@ /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev-- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blockdev\.util-linux-- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blockdev/.util-linux-- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dump-- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -9,9 +11,11 @@ +@@ -9,9 +11,12 @@ /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -24,6 +28,7 @@ +@@ -24,6 +29,7 @@ /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
++/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -34,6 +39,7 @@ +@@ -32,8 +38,10 @@ + /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/sfdisk -- gen_context
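Review bot: the rebased fstools.fc hunk turns the escaped dot in the update-alternatives entries into a slash, which changes what the regex matches. `/sbin/blkid\.util-linux` matches the real alternative target `/sbin/blkid.util-linux`; the new `/sbin/blkid/.util-linux` matches a file named any-character-plus-`util-linux` inside a directory `/sbin/blkid/`, which never exists, so blkid, blockdev, fdisk and mkswap lose their fsadm_exec_t label and fall back to the generic /sbin entry, and the domain transition into fsadm_t no longer happens for those binaries. The same slip turned `/sbin/hdparm\.hdparm` into `/sbin/hdparm/.util-linux`, which is additionally the wrong alternative name since hdparm is not part of util-linux. The `/usr/sbin/findfs` and `/usr/sbin/sfdisk` additions look right. Please restore the `\.` forms, for instance
+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
and confirm with `matchpathcon /sbin/blkid.util-linux` (or `setfiles -n` on the built file_contexts) that the alternatives resolve to fsadm_exec_t again.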
[yocto] [meta-selinux][PATCH 1/8] refpolicy git: update refpolicy to git repository
From: Shrikant Bobade A straight update from refpolicy 2.20140311 to refpolicy git repository for the core policy variants and forward-porting of policy patches as appropriate. This approach is useful for building refpolicy & refpolicy-contrib directly from the git repos, rather than release tarballs. It helps to check the refpolicy based on source commits by just updating the git repo rev. as appropriate in refpolicy_git.inc ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 .../refpolicy/refpolicy-git/poky-fc-clock.patch| 22 ++ .../refpolicy-git/poky-fc-corecommands.patch | 24 ++ .../refpolicy/refpolicy-git/poky-fc-dmesg.patch| 20 ++ .../refpolicy/refpolicy-git/poky-fc-fix-bind.patch | 30 +++ .../poky-fc-fix-real-path_login.patch | 37 .../poky-fc-fix-real-path_resolv.conf.patch| 24 ++ .../poky-fc-fix-real-path_shadow.patch | 34 +++ .../refpolicy-git/poky-fc-fix-real-path_su.patch | 25 +++ .../refpolicy/refpolicy-git/poky-fc-fstools.patch | 65 ++ .../refpolicy-git/poky-fc-ftpwho-dir.patch | 27 +++ .../refpolicy/refpolicy-git/poky-fc-iptables.patch | 24 ++ .../refpolicy/refpolicy-git/poky-fc-mta.patch | 27 +++ .../refpolicy/refpolicy-git/poky-fc-netutils.patch | 24 ++ .../refpolicy/refpolicy-git/poky-fc-nscd.patch | 27 +++ .../refpolicy/refpolicy-git/poky-fc-rpm.patch | 25 +++ .../refpolicy/refpolicy-git/poky-fc-screen.patch | 27 +++ .../refpolicy/refpolicy-git/poky-fc-ssh.patch | 24 ++ .../refpolicy/refpolicy-git/poky-fc-su.patch | 23 ++ .../refpolicy-git/poky-fc-subs_dist.patch | 29 +++ .../refpolicy-git/poky-fc-sysnetwork.patch | 41 .../refpolicy/refpolicy-git/poky-fc-udevd.patch| 35 +++ .../poky-fc-update-alternatives_hostname.patch | 23 ++ .../poky-fc-update-alternatives_sysklogd.patch | 59 + .../poky-fc-update-alternatives_sysvinit.patch | 53 + ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++ ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 +++ 
.../poky-policy-add-rules-for-tmp-symlink.patch| 99 + ...ky-policy-add-rules-for-var-cache-symlink.patch | 34 +++ ...licy-add-rules-for-var-log-symlink-apache.patch | 31 +++ ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++ ...poky-policy-add-rules-for-var-log-symlink.patch | 145 + ...ky-policy-add-syslogd_t-to-trusted-object.patch | 31 +++ ...-policy-allow-nfsd-to-exec-shell-commands.patch | 58 + ...-policy-allow-setfiles_t-to-read-symlinks.patch | 29 +++ .../poky-policy-allow-sysadm-to-run-rpcinfo.patch | 33 +++ .../poky-policy-don-t-audit-tty_device_t.patch | 35 +++ .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch| 37 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch| 229 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 65 ++ ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 +++ ...ky-policy-fix-seutils-manage-config-files.patch | 43 .../refpolicy-update-for_systemd.patch | 46 recipes-security/refpolicy/refpolicy_git.inc | 62 ++ 44 files changed, 1976 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-corecommands.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-iptables.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch create mode 100644 recipes-secu
[yocto] [meta-selinux][PATCH 7/7] refpolicy-minimum: update base refpolicy 20141203
From: Shrikant Bobade A simple forward-port of refpolicy-minimum to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-minimum_2.20141203.bb | 48 1 file changed, 48 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb new file mode 100644 index 000..b275821 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb 
@@ -0,0 +1,48 @@ +include refpolicy-targeted_${PV}.bb + +SUMMARY = "SELinux minimum policy" +DESCRIPTION = "\ +This is a minimum reference policy with just core policy modules, and \ +could be used as a base for customizing targeted policy. \ +Pretty much everything runs as initrc_t or unconfined_t so all of the \ +domains are unconfined. \ +" + +POLICY_NAME = "minimum" + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:" + +CORE_POLICY_MODULES = "unconfined \ + selinuxutil storage sysnetwork \ + application libraries miscfiles logging userdomain \ + init mount modutils getty authlogin locallogin \ + " + +# nscd caches libc-issued requests to the name service. +# Without nscd.pp, commands want to use these caches will be blocked. +EXTRA_POLICY_MODULES += "nscd" + +# pam_mail module enables checking and display of mailbox status upon +# "login", so "login" process will access to /var/spool/mail. +EXTRA_POLICY_MODULES += "mta" + +POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" + +# re-write the same func from refpolicy_common.inc +prepare_policy_store () { + oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install + + # Prepare to create policy store + mkdir -p ${D}${sysconfdir}/selinux/ + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files + touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + done + cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` + done +} -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
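Review bot: `prepare_policy_store` here re-implements the whole function from refpolicy_common.inc only to change the list of modules copied into `modules/active/modules`, so any later fix to the common version (paths, compression, store layout) will silently not reach the minimum policy. A smaller surface would be for the common function to take the module list from a variable and for this recipe to set just that variable to `${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}`. Also, the `.pp` files under `${D}${datadir}/selinux/${POLICY_NAME}` are bzip2-compressed in the first loop, while `base.pp` and the module files copied into the active store afterwards come uncompressed from the build directory; libsemanage detects the bzip2 header and accepts both, but if the asymmetry is intentional a comment would save the next reader from wondering.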
[yocto] [meta-selinux][PATCH 6/7] refpolicy-standard: update base refpolicy 20141203
From: Shrikant Bobade A simple forward-port of refpolicy-standard to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-standard_2.20141203.bb |8 1 file changed, 8 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20141203.bb diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb new file mode 100644 index 000..3674fdd --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb @@ -0,0 +1,8 @@ +SUMMARY = "Standard variants of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SELinux built with type enforcement \ +only." + +POLICY_TYPE = "standard" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 5/7] refpolicy-mls: update base refpolicy 20141203
From: Shrikant Bobade A simple forward-port of refpolicy-mls to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-mls_2.20141203.bb | 10 ++ 1 file changed, 10 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20141203.bb diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb new file mode 100644 index 000..7388232 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb @@ -0,0 +1,10 @@ +SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MLS support. \ +It allows giving data labels such as \"Top Secret\" and preventing \ +such data from leaking to processes or files with lower classification. \ +" + +POLICY_TYPE = "mls" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 4/7] refpolicy-mcs: update base refpolicy 20141203
From: Shrikant Bobade A simple forward-port of refpolicy-mcs to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-mcs_2.20141203.bb | 11 +++ 1 file changed, 11 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb new file mode 100644 index 000..062727b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb @@ -0,0 +1,11 @@ +SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MCS support. \ +An MCS policy is the same as an MLS policy but with only one sensitivity \ +level. This is useful on systems where a hierarchical policy (MLS) isn't \ +needed (pretty much all systems) but the non-hierarchical categories are. \ +" + +POLICY_TYPE = "mcs" + +include refpolicy_${PV}.inc -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 3/7] refpolicy-targeted: update base refpolicy 20141203
From: Shrikant Bobade A simple forward-port of refpolicy-targeted to use the 20141203 base refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy/refpolicy-targeted_2.20141203.bb | 20 1 file changed, 20 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb new file mode 100644 index 000..b169604 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb @@ -0,0 +1,20 @@ +SUMMARY = "SELinux targeted policy" +DESCRIPTION = "\ +This is the targeted variant of the SELinux reference policy. Most service \ +domains are locked down. Users and admins will login in with unconfined_t \ +domain, so they have the same access to the system as if SELinux was not \ +enabled. \ +" + +FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" + +POLICY_NAME = "targeted" +POLICY_TYPE = "mcs" +POLICY_MLS_SENS = "0" + +include refpolicy_${PV}.inc + +SRC_URI += " \ +file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ +file://refpolicy-unconfined_u-default-user.patch \ + " -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 2/7] refpolicy 20141203: rebase patches with code base
From: Shrikant Bobade During forward-port of these patches from refpolicy 2014120311, requires rebase with the refpolicy 20141203 code base, in order to resolve the patch conflicts. Signed-off-by: Shrikant Bobade --- .../refpolicy-2.20141203/poky-fc-fstools.patch | 49 +++- .../refpolicy-2.20141203/poky-fc-sysnetwork.patch | 27 ++- ...-policy-allow-setfiles_t-to-read-symlinks.patch | 17 +++ ...olicy-fix-setfiles-statvfs-get-file-count.patch |9 ++-- .../refpolicy-update-for_systemd.patch | 49 +++- 5 files changed, 73 insertions(+), 78 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch index 38c96c4..9c45694 100644 --- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch @@ -1,4 +1,4 @@ -From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001 +From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Mon, 27 Jan 2014 03:54:01 -0500 Subject: [PATCH] refpolicy: fix real path for fstools @@ -7,59 +7,64 @@ Upstream-Status: Inappropriate [configuration] Signed-off-by: Wenzong Fan Signed-off-by: Joe MacDonald +Signed-off-by: Shrikant Bobade --- - policy/modules/system/fstools.fc | 11 +++ - 1 file changed, 11 insertions(+) + policy/modules/system/fstools.fc |9 + + 1 file changed, 9 insertions(+) +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index d10368d..f22761a 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc 
@@ -1,6 +1,8 @@ /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev-- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blockdev\.util-linux-- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blockdev/.util-linux-- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dump-- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -9,9 +11,11 @@ +@@ -9,9 +11,12 @@ /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -24,6 +28,7 @@ +@@ -24,6 +29,7 @@ /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
++/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -34,6 +39,7 @@ +@@ -32,8 +38,10 @@ + /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/sfdisk -- gen_context
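Review bot: the rebased fstools.fc hunk changes the file-context regexes from `\.util-linux` to `/.util-linux` (`-+/sbin/blkid\.util-linux` becomes `++/sbin/blkid/.util-linux`, and likewise for blockdev, fdisk and mkswap). Entries in .fc files are regular expressions, so `\.` matches the literal dot in the update-alternatives name `/sbin/blkid.util-linux`, whereas `/.util-linux` requires a slash followed by any single character and does not match the real binary at all; after this rebase those alternatives would no longer be labelled fsadm_exec_t. Restore the escaping in all four lines. In the same hunk, hdparm's entry changes from `/sbin/hdparm\.hdparm` to `/sbin/hdparm/.util-linux`; hdparm is not shipped by util-linux, so besides the escaping problem the alternative name itself looks wrong and should stay `hdparm\.hdparm` unless the hdparm recipe's alternative name has changed. The commit message describes this patch as conflict resolution only, so these content changes need either an explicit justification or reverting.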
[yocto] [meta-selinux][PATCH 1/7] refpolicy: update refpolicy to 20141203 release
From: Shrikant Bobade A straight update from refpolicy 2.20140311 to 2.20141203 for the core policy variants and forward-porting of policy patches as appropriate. ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 .../refpolicy-2.20141203/poky-fc-clock.patch | 22 ++ .../poky-fc-corecommands.patch | 24 ++ .../refpolicy-2.20141203/poky-fc-dmesg.patch | 20 ++ .../refpolicy-2.20141203/poky-fc-fix-bind.patch| 30 +++ .../poky-fc-fix-real-path_login.patch | 37 .../poky-fc-fix-real-path_resolv.conf.patch| 24 ++ .../poky-fc-fix-real-path_shadow.patch | 34 +++ .../poky-fc-fix-real-path_su.patch | 25 +++ .../refpolicy-2.20141203/poky-fc-fstools.patch | 65 ++ .../refpolicy-2.20141203/poky-fc-ftpwho-dir.patch | 27 +++ .../refpolicy-2.20141203/poky-fc-iptables.patch| 24 ++ .../refpolicy-2.20141203/poky-fc-mta.patch | 27 +++ .../refpolicy-2.20141203/poky-fc-netutils.patch| 24 ++ .../refpolicy-2.20141203/poky-fc-nscd.patch| 27 +++ .../refpolicy-2.20141203/poky-fc-rpm.patch | 25 +++ .../refpolicy-2.20141203/poky-fc-screen.patch | 27 +++ .../refpolicy-2.20141203/poky-fc-ssh.patch | 24 ++ .../refpolicy-2.20141203/poky-fc-su.patch | 23 ++ .../refpolicy-2.20141203/poky-fc-subs_dist.patch | 29 +++ .../refpolicy-2.20141203/poky-fc-sysnetwork.patch | 41 .../refpolicy-2.20141203/poky-fc-udevd.patch | 35 +++ .../poky-fc-update-alternatives_hostname.patch | 23 ++ .../poky-fc-update-alternatives_sysklogd.patch | 59 + .../poky-fc-update-alternatives_sysvinit.patch | 53 + ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++ ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 +++ .../poky-policy-add-rules-for-tmp-symlink.patch| 99 + ...ky-policy-add-rules-for-var-cache-symlink.patch | 34 +++ ...licy-add-rules-for-var-log-symlink-apache.patch | 31 +++ ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++ ...poky-policy-add-rules-for-var-log-symlink.patch | 145 + 
...ky-policy-add-syslogd_t-to-trusted-object.patch | 31 +++ ...-policy-allow-nfsd-to-exec-shell-commands.patch | 58 + ...-policy-allow-setfiles_t-to-read-symlinks.patch | 29 +++ .../poky-policy-allow-sysadm-to-run-rpcinfo.patch | 33 +++ .../poky-policy-don-t-audit-tty_device_t.patch | 35 +++ .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch| 37 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch| 229 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 65 ++ ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 +++ ...ky-policy-fix-seutils-manage-config-files.patch | 43 .../refpolicy-update-for_systemd.patch | 46 .../refpolicy/refpolicy_2.20141203.inc | 60 + 44 files changed, 1974 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
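Review bot: 2/7 immediately modifies five of the files this commit creates (poky-fc-fstools.patch, poky-fc-sysnetwork.patch, the two poky-policy-*setfiles* patches and refpolicy-update-for_systemd.patch, per its diffstat), so the tree after 1/7 alone carries patches that do not apply to the 2.20141203 source while refpolicy_2.20141203.inc already references them. Squash 2/7 into this commit, or order the series so the .inc is added only once every patch applies; a commit whose recipe cannot build is a poor bisect point. The commit message should also say which of the 44 patches were copied unchanged from refpolicy-2.20140311 and which needed forward-porting, rather than "as appropriate". The diff shown here is cut off after the poky-fc-subs_dist.patch create line, so the content of refpolicy_2.20141203.inc (60 lines per the diffstat) cannot be reviewed from this message.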
[yocto] [meta-selinux][PATCH 2/2] README: update supported linux-yocto versions
From: Shrikant Bobade README updated with the list of supported linux-yocto versions and details to use it while preparing selinux enabled images. Signed-off-by: Shrikant Bobade --- README | 10 ++ 1 file changed, 10 insertions(+) diff --git a/README b/README index 3fe8af4..22d7599 100644 --- a/README +++ b/README @@ -66,6 +66,16 @@ working with this layer, without the additional Poky meta data. This approach may work, but is not generally tested by the maintainers. +Using different versions of linux-yocto +--- +To prepare selinux enabled images using different ver. of linux-yocto, +we can choose supported versions of linux-yocto, +currently supported: v3.14, v3.19, v4.1(by default). + +* enable the preferred linux-yocto to local.conf or oe-selinux.conf +e.g. PREFERRED_VERSION_linux-yocto_qemuarm = "3.19%" + + License --- -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
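Review bot: the new README section hard-codes the supported kernel versions ("v3.14, v3.19, v4.1(by default)"), which will go stale each time a linux-yocto_*.bbappend is added or removed; point readers at recipes-kernel/linux/ as the authoritative list, or commit to updating this line in the same patch as each bbappend. Wording: write "versions" instead of "ver.", put a space before "(by default)", and "enable the preferred linux-yocto to local.conf or oe-selinux.conf" should read "set the preferred linux-yocto version in local.conf or oe-selinux.conf". The example `PREFERRED_VERSION_linux-yocto_qemuarm = "3.19%"` is a machine-specific override; say that the `_qemuarm` suffix is optional and that plain `PREFERRED_VERSION_linux-yocto` applies to every machine, since that is what most readers will want.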
[yocto] [meta-selinux][PATCH 1/2] linux-yocto: enable selinux support for kernel v4.1
From: Shrikant Bobade The default kernel is now v4.1. So we need the selinux support for kernel v4.1, inorder to get selinux enabled images out of box. Signed-off-by: Shrikant Bobade --- recipes-kernel/linux/linux-yocto_4.1.bbappend |8 1 file changed, 8 insertions(+) create mode 100644 recipes-kernel/linux/linux-yocto_4.1.bbappend diff --git a/recipes-kernel/linux/linux-yocto_4.1.bbappend b/recipes-kernel/linux/linux-yocto_4.1.bbappend new file mode 100644 index 000..a8c0647 --- /dev/null +++ b/recipes-kernel/linux/linux-yocto_4.1.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +# Enable selinux support in the kernel if the feature is enabled +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}" + +# For inconsistent kallsyms data bug on ARM +# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718 +EXTRA_OEMAKE += "${@bb.utils.contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}" -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
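Review bot: this file duplicates the existing linux-yocto_3.19.bbappend line for line (same FILESEXTRAPATHS_prepend, same conditional selinux.cfg SRC_URI, same KALLSYMS_EXTRA_PASS line), so every new default kernel means another copy. Consider a single linux-yocto_%.bbappend, with the caveat that selinux.cfg must then be valid for every linux-yocto version the layer is used with and that the README in 2/2 would no longer list explicit versions. Two things to verify before merging: that recipes-kernel/linux/linux-yocto/selinux.cfg (not part of this patch) enables everything a 4.1 kernel needs for SELinux, since option names can move between releases; and whether the kallsyms workaround from the 2012 thread referenced in the comment still applies on 4.1, since `KALLSYMS_EXTRA_PASS=1` costs an extra pass on every ARM build regardless of DISTRO_FEATURES.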
Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup
Hi, This patch provides green build for core-image-selinux (meta-selinux:master & poky:master) against libpam upgrade from 1.1.6 to 1.2.1, image boots fine,but I am unable to login at target. I have prepared build for qemuarm, does anyone else facing similar issue? please advice. Observed the login issue appears even with disabled selinux support (selinux=0). Thanks Shrikant Bobade On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1, > cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch > since the changes already available with latest source. > > Signed-off-by: Shrikant Bobade > --- > .../pam/libpam/sepermit-add-DESTDIR-prefix.patch | 31 > > recipes-extended/pam/libpam_%.bbappend |3 ++ > recipes-extended/pam/libpam_1.1.6.bbappend | 10 --- > 3 files changed, 3 insertions(+), 41 deletions(-) > delete mode 100644 > recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > create mode 100644 recipes-extended/pam/libpam_%.bbappend > delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend > > diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > deleted file mode 100644 > index d48d386..000 > --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch > +++ /dev/null 
> @@ -1,31 +0,0 @@ > -Subject: [PATCH] libpam: add missing DESTDIR prefix > - > -The DESTDIR prefix is missing, this will cause build failures for > -mkdir /var/run/sepermit on the host. > - > -| mkdir -p /var/run/sepermit > -| mkdir: cannot create directory `/var/run/sepermit': Permission denied > - > -Upstream-Status: Pending > - > -Signed-off-by: Xin Ouyang > > - modules/pam_sepermit/Makefile.am |2 +- > - 1 files changed, 1 insertions(+), 1 deletions(-) > - > -diff --git a/modules/pam_sepermit/Makefile.am > b/modules/pam_sepermit/Makefile.am > -index cfc5594..bc82275 100644 > a/modules/pam_sepermit/Makefile.am > -+++ b/modules/pam_sepermit/Makefile.am > -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX > - securelib_LTLIBRARIES = pam_sepermit.la > - > - install-data-local: > -- mkdir -p $(sepermitlockdir) > -+ mkdir -p $(DESTDIR)$(sepermitlockdir) > - endif > - if ENABLE_REGENERATE_MAN > - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 > --- > -1.7.5.4 > - > diff --git a/recipes-extended/pam/libpam_%.bbappend > b/recipes-extended/pam/libpam_%.bbappend > new file mode 100644 > index 000..adcf938 > --- /dev/null > +++ b/recipes-extended/pam/libpam_%.bbappend > @@ -0,0 +1,3 @@ > +inherit enable-selinux > + > +RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" > diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend > b/recipes-extended/pam/libpam_1.1.6.bbappend > deleted file mode 100644 > index 71acecc..000 > --- a/recipes-extended/pam/libpam_1.1.6.bbappend > +++ /dev/null > @@ -1,10 +0,0 @@ > -#FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" > -FILESPATH_append := ":${@base_set_filespath(['${THISDIR}/${PN}'], d)}" > - > -SRC_URI += "file://sepermit-add-DESTDIR-prefix.patch" > - > -PR .= ".4" > - > -inherit enable-selinux > - > -RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" > -- > 1.7.9.5 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
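Review bot: the quoted patch leaves the append's runtime content unchanged (`inherit enable-selinux` and the `RDEPENDS_${PN}-runtime` addition of pam-plugin-selinux are carried over verbatim), and the reply reports that the login failure also reproduces with selinux=0; together those point at the libpam 1.2.1 upgrade in poky, or its PAM configuration, rather than at this bbappend. Confirm by building the same qemuarm image with the libpam append removed entirely; if login still fails, the regression belongs on the oe-core side and this patch can go in as-is.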
[yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup
From: Shrikant Bobade use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1, cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch since the changes already available with latest source. Signed-off-by: Shrikant Bobade --- .../pam/libpam/sepermit-add-DESTDIR-prefix.patch | 31 recipes-extended/pam/libpam_%.bbappend |3 ++ recipes-extended/pam/libpam_1.1.6.bbappend | 10 --- 3 files changed, 3 insertions(+), 41 deletions(-) delete mode 100644 recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch create mode 100644 recipes-extended/pam/libpam_%.bbappend delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch deleted file mode 100644 index d48d386..000 --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch +++ /dev/null @@ -1,31 +0,0 @@ -Subject: [PATCH] libpam: add missing DESTDIR prefix - -The DESTDIR prefix is missing, this will cause build failures for -mkdir /var/run/sepermit on the host. - -| mkdir -p /var/run/sepermit -| mkdir: cannot create directory `/var/run/sepermit': Permission denied - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang - modules/pam_sepermit/Makefile.am |2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am -index cfc5594..bc82275 100644 a/modules/pam_sepermit/Makefile.am -+++ b/modules/pam_sepermit/Makefile.am -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX - securelib_LTLIBRARIES = pam_sepermit.la - - install-data-local: -- mkdir -p $(sepermitlockdir) -+ mkdir -p $(DESTDIR)$(sepermitlockdir) - endif - if ENABLE_REGENERATE_MAN - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 --- -1.7.5.4 - diff --git a/recipes-extended/pam/libpam_%.bbappend b/recipes-extended/pam/libpam_%.bbappend new file mode 100644 index 000..adcf938 --- /dev/null 
+++ b/recipes-extended/pam/libpam_%.bbappend @@ -0,0 +1,3 @@ +inherit enable-selinux + +RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend b/recipes-extended/pam/libpam_1.1.6.bbappend deleted file mode 100644 index 71acecc..000 --- a/recipes-extended/pam/libpam_1.1.6.bbappend +++ /dev/null @@ -1,10 +0,0 @@ -#FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -FILESPATH_append := ":${@base_set_filespath(['${THISDIR}/${PN}'], d)}" - -SRC_URI += "file://sepermit-add-DESTDIR-prefix.patch" - -PR .= ".4" - -inherit enable-selinux - -RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
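Review bot: switching to libpam_%.bbappend makes the append apply to any libpam version, while the removed sepermit-add-DESTDIR-prefix.patch was the only thing that made the 1.1.6 build install $(sepermitlockdir) under DESTDIR; the commit message says the fix is upstream in 1.2.1, so this is fine for current poky, but anyone pinning an older libpam with this layer now loses the fix, and that is worth a sentence in the commit message or README. Dropping `PR .= ".4"` and the FILESPATH_append line is correct for a new file with no local files, and the remaining two lines (`inherit enable-selinux`, `RDEPENDS_${PN}-runtime += ...`) are unchanged, so the functional content of the append is the same as before.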
[yocto] [meta-selinux][PATCH] libpam: use wildcard for version and cleanup
From: Shrikant Bobade use wildcard for version: adopting libpam upgrade from 1.6.1 to 1.2.1, cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch since the changes already available with latest source. Signed-off-by: Shrikant Bobade --- .../pam/libpam/sepermit-add-DESTDIR-prefix.patch | 31 recipes-extended/pam/libpam_%.bbappend |3 ++ recipes-extended/pam/libpam_1.1.6.bbappend | 10 --- 3 files changed, 3 insertions(+), 41 deletions(-) delete mode 100644 recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch create mode 100644 recipes-extended/pam/libpam_%.bbappend delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch deleted file mode 100644 index d48d386..000 --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch +++ /dev/null @@ -1,31 +0,0 @@ -Subject: [PATCH] libpam: add missing DESTDIR prefix - -The DESTDIR prefix is missing, this will cause build failures for -mkdir /var/run/sepermit on the host. - -| mkdir -p /var/run/sepermit -| mkdir: cannot create directory `/var/run/sepermit': Permission denied - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang - modules/pam_sepermit/Makefile.am |2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am -index cfc5594..bc82275 100644 a/modules/pam_sepermit/Makefile.am -+++ b/modules/pam_sepermit/Makefile.am -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX - securelib_LTLIBRARIES = pam_sepermit.la - - install-data-local: -- mkdir -p $(sepermitlockdir) -+ mkdir -p $(DESTDIR)$(sepermitlockdir) - endif - if ENABLE_REGENERATE_MAN - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 --- -1.7.5.4 - diff --git a/recipes-extended/pam/libpam_%.bbappend b/recipes-extended/pam/libpam_%.bbappend new file mode 100644 index 000..adcf938 --- /dev/null 
+++ b/recipes-extended/pam/libpam_%.bbappend @@ -0,0 +1,3 @@ +inherit enable-selinux + +RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend b/recipes-extended/pam/libpam_1.1.6.bbappend deleted file mode 100644 index 71acecc..000 --- a/recipes-extended/pam/libpam_1.1.6.bbappend +++ /dev/null @@ -1,10 +0,0 @@ -#FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -FILESPATH_append := ":${@base_set_filespath(['${THISDIR}/${PN}'], d)}" - -SRC_URI += "file://sepermit-add-DESTDIR-prefix.patch" - -PR .= ".4" - -inherit enable-selinux - -RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
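Review bot: the commit message says "upgrade from 1.6.1 to 1.2.1", but the recipe being deleted is libpam_1.1.6.bbappend, so the old version is 1.1.6 (the v1 resend corrects this). Otherwise the diff is the same as v1: the sepermit DESTDIR patch and the versioned append are removed, and a version-wildcard append carries the unchanged `inherit enable-selinux` / `RDEPENDS_${PN}-runtime` lines.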
[yocto] [meta-selinux][PATCH] linux-yocto: enable selinux support for kernel v3.19
From: Shrikant Bobade The default kernel is now v3.19. So we need the selinux support for kernel v3.19, inorder to get selinux enabled images out of box. Signed-off-by: Shrikant Bobade --- recipes-kernel/linux/linux-yocto_3.19.bbappend |8 1 file changed, 8 insertions(+) create mode 100644 recipes-kernel/linux/linux-yocto_3.19.bbappend diff --git a/recipes-kernel/linux/linux-yocto_3.19.bbappend b/recipes-kernel/linux/linux-yocto_3.19.bbappend new file mode 100644 index 000..65c79ef --- /dev/null +++ b/recipes-kernel/linux/linux-yocto_3.19.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +# Enable selinux support in the kernel if the feature is enabled +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}" + +# For inconsistent kallsyms data bug on ARM +# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718 +EXTRA_OEMAKE += "${@bb.utils.contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}" -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
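Review bot: `SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"` relies on recipes-kernel/linux/linux-yocto/selinux.cfg already existing in the layer (FILESEXTRAPATHS_prepend resolves ${PN} to linux-yocto), but that fragment is not part of this patch and was written for the previous default kernel; confirm it still enables everything 3.19 needs rather than assuming the option names are unchanged. The KALLSYMS_EXTRA_PASS line is applied to every ARM build, selinux or not; if it is only needed for SELinux-enabled kernels, gate it on the same DISTRO_FEATURES check, and either way note in the commit message whether the 2012 kallsyms bug linked in the comment still reproduces on 3.19.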
Re: [yocto] [meta-selinux][PATCH 3/3] pkggrp-core-selinux: coreutils addition
Hello, Please provide review comments or feedback if any, It will be a great help. @Ping. Thanks Shrikant On Wed, Nov 19, 2014 at 1:46 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > To add coreutils to packagegroup-core-selinux > inorder to get chcon avaibility. > > Signed-off-by: Shrikant Bobade > --- > .../packagegroups/packagegroup-core-selinux.bb |1 + > 1 file changed, 1 insertion(+) > > diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb > b/recipes-security/packagegroups/packagegroup-core-selinux.bb > index 1852aba..40b35d1 100644 > --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb > +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb > @@ -25,4 +25,5 @@ RDEPENDS_${PN} = " \ > selinux-config \ > refpolicy-standard \ > refpolicy-mls \ > + coreutils \ > " > -- > 1.7.9.5 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-selinux][PATCH 2/3] selinux-init: update for systemd
Hello, Please provide review comments or feedback if any, It will be a great help. @Ping. Thanks Shrikant On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > selinux-init.sh updated to reboot system > normally to fix the labelling during systemd > execution. Due to force reboot labelling won't > be proper and system continuously reboot to > label it like first time boot. > > Signed-off-by: Shrikant Bobade > --- > .../selinux/selinux-config/selinux-init.sh |4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh > b/recipes-security/selinux/selinux-config/selinux-init.sh > index 9aaf454..f9f0914 100644 > --- a/recipes-security/selinux/selinux-config/selinux-init.sh > +++ b/recipes-security/selinux/selinux-config/selinux-init.sh > @@ -48,7 +48,7 @@ if [ -f /.autorelabel ]; then > ${FIXFILES} -F -f relabel > /bin/rm -f /.autorelabel > echo " * Relabel done, rebooting the system." > - /sbin/reboot -f > + /sbin/reboot > fi > > # If first booting, the security context type of init would be > @@ -62,7 +62,7 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then > ${RESTORECON} -RF / > ${RESTORECON} -F / > echo " * Relabel done, rebooting the system." > - /sbin/reboot -f > + /sbin/reboot > fi > > # Now, we should relabel /dev for most services. > -- > 1.7.9.5 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd
Hello, Please provide review comments or feedback if any, It will be a great help. @Ping. Thanks Shrikant On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade wrote: > From: Shrikant Bobade > > Systemd init type and related allow rules > updated for refpolicy. > > Signed-off-by: Shrikant Bobade > --- > .../refpolicy-update-for_systemd.patch | 46 > > .../refpolicy/refpolicy_2.20140311.inc |1 + > 2 files changed, 47 insertions(+) > create mode 100644 > recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > > diff --git > a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > new file mode 100644 > index 000..80b420c > --- /dev/null > +++ > b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch 
> @@ -0,0 +1,46 @@ > +refpolicy: update for systemd > + > +It provides the systemd support for refpolicy > +and related allow rules. > +The restorecon provides systemd init labeled > +as init_exec_t. > + > +Upstream-Status: Pending > + > + > +Signed-off-by: Shrikant Bobade > + > +--- a/policy/modules/contrib/shutdown.fc > b/policy/modules/contrib/shutdown.fc > +@@ -5,6 +5,9 @@ > + /sbin/shutdown-- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + /sbin/shutdown\.sysvinit -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + > ++# systemd support > ++/bin/systemctl-- > gen_context(system_u:object_r:shutdown_exec_t,s0) > ++ > + /usr/lib/upstart/shutdown -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + > + /usr/sbin/shutdown-- > gen_context(system_u:object_r:shutdown_exec_t,s0) > +--- a/policy/modules/system/init.fc > b/policy/modules/system/init.fc > +@@ -31,6 +31,8 @@ > + # > + /sbin/init(ng)? -- > gen_context(system_u:object_r:init_exec_t,s0) > + /sbin/init\.sysvinit -- > gen_context(system_u:object_r:init_exec_t,s0) > ++# systemd support > ++/lib/systemd/systemd -- > gen_context(system_u:object_r:init_exec_t,s0) > + # because nowadays, /sbin/init is often a symlink to /sbin/upstart > + /sbin/upstart -- > gen_context(system_u:object_r:init_exec_t,s0) > + > +--- a/policy/modules/system/init.te > b/policy/modules/system/init.te > +@@ -913,3 +913,8 @@ > + optional_policy(` > + zebra_read_config(initrc_t) > + ') > ++ > ++# systemd related allow rules > ++allow kernel_t init_t:process dyntransition; > ++allow devpts_t device_t:filesystem associate; > ++allow init_t self:capability2 block_suspend; > diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc > b/recipes-security/refpolicy/refpolicy_2.20140311.inc > index 8894583..557b4ab 100644 > --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc > +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc 
> @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ > file://poky-fc-rpm.patch \ > file://poky-fc-ftpwho-dir.patch \ > file://poky-fc-fix-real-path_su.patch \ > +file://refpolicy-update-for_systemd.patch \ > " > > # Specific policy for Poky > -- > 1.7.9.5 > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 3/3] pkggrp-core-selinux: coreutils addition
From: Shrikant Bobade To add coreutils to packagegroup-core-selinux inorder to get chcon avaibility. Signed-off-by: Shrikant Bobade --- .../packagegroups/packagegroup-core-selinux.bb |1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb index 1852aba..40b35d1 100644 --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb @@ -25,4 +25,5 @@ RDEPENDS_${PN} = " \ selinux-config \ refpolicy-standard \ refpolicy-mls \ + coreutils \ " -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
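Review bot: adding `coreutils` to RDEPENDS_${PN} pulls the full GNU coreutils into every image that includes packagegroup-core-selinux, and coreutils registers its binaries through update-alternatives, so it takes over ls, cp, chmod and the rest from busybox rather than only providing chcon; that is a larger change to the image than the commit message ("inorder to get chcon avaibility") suggests. Either state in the message that the full coreutils is intended, or explain why a smaller route (a package that ships chcon alone) is not an option. Also fix the typos "inorder" and "avaibility" in the message.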
[yocto] [meta-selinux][PATCH 2/3] selinux-init: update for systemd
From: Shrikant Bobade selinux-init.sh updated to reboot system normally to fix the labelling during systemd execution. Due to force reboot labelling won't be proper and system continuously reboot to label it like first time boot. Signed-off-by: Shrikant Bobade --- .../selinux/selinux-config/selinux-init.sh |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh index 9aaf454..f9f0914 100644 --- a/recipes-security/selinux/selinux-config/selinux-init.sh +++ b/recipes-security/selinux/selinux-config/selinux-init.sh @@ -48,7 +48,7 @@ if [ -f /.autorelabel ]; then ${FIXFILES} -F -f relabel /bin/rm -f /.autorelabel echo " * Relabel done, rebooting the system." - /sbin/reboot -f + /sbin/reboot fi # If first booting, the security context type of init would be @@ -62,7 +62,7 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then ${RESTORECON} -RF / ${RESTORECON} -F / echo " * Relabel done, rebooting the system." - /sbin/reboot -f + /sbin/reboot fi # Now, we should relabel /dev for most services. -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
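Review bot: dropping `-f` is the right fix for the loop the commit message describes (a forced reboot under systemd skips the orderly shutdown, the relabel is not completed properly, and the first-boot check `"`${SECON} -t --pid 1`" = "kernel_t"` fires again), but add a one-line comment above each `/sbin/reboot` saying why `-f` must not be used, otherwise the next person debugging a slow reboot puts it back. Both call sites now depend on `/sbin/reboot` being reachable from this script's domain under the policy; with systemd that path is normally a link to systemctl, which the companion refpolicy patch labels shutdown_exec_t, so the two patches should be merged together. Also consider `exec /sbin/reboot` or an explicit exit after it: if reboot fails for any reason the script currently falls through and continues booting an inconsistently labelled system.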
[yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd
From: Shrikant Bobade Systemd init type and related allow rules updated for refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy-update-for_systemd.patch | 46 .../refpolicy/refpolicy_2.20140311.inc |1 + 2 files changed, 47 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch new file mode 100644 index 000..80b420c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch 
@@ -0,0 +1,46 @@ +refpolicy: update for systemd + +It provides the systemd support for refpolicy +and related allow rules. +The restorecon provides systemd init labeled +as init_exec_t. + +Upstream-Status: Pending + + +Signed-off-by: Shrikant Bobade + +--- a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc +@@ -5,6 +5,9 @@ + /sbin/shutdown-- gen_context(system_u:object_r:shutdown_exec_t,s0) + /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + ++# systemd support ++/bin/systemctl-- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ + /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /usr/sbin/shutdown-- gen_context(system_u:object_r:shutdown_exec_t,s0) +--- a/policy/modules/system/init.fc b/policy/modules/system/init.fc +@@ -31,6 +31,8 @@ + # + /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) + /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) ++# systemd support ++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + # because nowadays, /sbin/init is often a symlink to /sbin/upstart + /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +--- a/policy/modules/system/init.te b/policy/modules/system/init.te +@@ -913,3 +913,8 @@ + optional_policy(` + zebra_read_config(initrc_t) + ') ++ ++# systemd related allow rules ++allow kernel_t init_t:process dyntransition; ++allow devpts_t device_t:filesystem associate; ++allow init_t self:capability2 block_suspend; diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc index 8894583..557b4ab 100644 --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc 
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ +file://refpolicy-update-for_systemd.patch \ " # Specific policy for Poky -- 1.7.9.5 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
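Review bot: the three rules appended to init.te (`allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;`, `allow init_t self:capability2 block_suspend;`) are raw allow rules that reference types owned by other modules (kernel_t from kernel.te, devpts_t from terminal.te, device_t from devices.te); refpolicy convention is to go through the owning module's interfaces so the cross-module dependency is explicit, and each rule should be justified in the commit message by the AVC denial it resolves, since the message only says "related allow rules". The rules are also unconditional: they land in sysvinit images too, because the .inc hunk adds `file://refpolicy-update-for_systemd.patch` to SRC_URI for every build. Gate the SRC_URI addition on DISTRO_FEATURES containing systemd, the same `bb.utils.contains('DISTRO_FEATURES', ...)` pattern used elsewhere in the layer, or wrap the rules in the policy's init-system conditional. The .fc additions (/bin/systemctl as shutdown_exec_t, /lib/systemd/systemd as init_exec_t) are harmless on sysvinit since the paths do not exist there, and the Upstream-Status tag added in this V2 is the right thing to carry.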
[yocto] [meta-selinux][PATCH] refpolicy:20140311 update for systemd
From: Shrikant Bobade Systemd init type and related allow rules updated for refpolicy. Signed-off-by: Shrikant Bobade --- .../refpolicy-update-for_systemd.patch | 50 .../refpolicy/refpolicy_2.20140311.inc |1 + 2 files changed, 51 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch new file mode 100644 index 000..634061e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch 
@@ -0,0 +1,50 @@ +refpolicy: update for systemd + +It provides the systemd support for refpolicy +and related allow rules. +The restorecon provides systemd init labeled +as init_exec_t. + + +Signed-off-by: Shrikant Bobade + +Index: refpolicy/policy/modules/contrib/shutdown.fc +=== +--- refpolicy.orig/policy/modules/contrib/shutdown.fc 2014-11-17 21:01:05.040804419 +0530 refpolicy/policy/modules/contrib/shutdown.fc 2014-11-18 14:38:50.854860908 +0530 +@@ -5,6 +5,9 @@ + /sbin/shutdown-- gen_context(system_u:object_r:shutdown_exec_t,s0) + /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + ++# systemd support ++/bin/systemctl-- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ + /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /usr/sbin/shutdown-- gen_context(system_u:object_r:shutdown_exec_t,s0) +Index: refpolicy/policy/modules/system/init.fc +=== +--- refpolicy.orig/policy/modules/system/init.fc 2014-11-17 21:01:05.040804419 +0530 refpolicy/policy/modules/system/init.fc2014-11-18 14:38:04.467444078 +0530 +@@ -31,6 +31,8 @@ + # + /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) + /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) ++# systemd support ++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + # because nowadays, /sbin/init is often a symlink to /sbin/upstart + /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +Index: refpolicy/policy/modules/system/init.te +=== +--- refpolicy.orig/policy/modules/system/init.te 2014-11-17 21:03:01.577129153 +0530 refpolicy/policy/modules/system/init.te2014-11-18 14:37:45.647680675 +0530 +@@ -913,3 +913,8 @@ + optional_policy(` + zebra_read_config(initrc_t) + ') ++ ++# systemd related allow rules ++allow kernel_t init_t:process dyntransition; ++allow devpts_t device_t:filesystem associate; ++allow init_t self:capability2 block_suspend; 
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc index 8894583..19b41eb 100644 --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ + file://refpolicy-update-for_systemd.patch \ " # Specific policy for Poky -- 1.7.9.5
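Review bot: In the shutdown.fc hunk, giving /bin/systemctl the type shutdown_exec_t is too broad: every other entry in that file is a shutdown front end, whereas systemctl is the general service-control client (start, stop, status, enable, daemon-reload), so every invocation would enter the shutdown domain and the non-shutdown operations would be denied there. A dedicated entry-point type with its own domain in init.te (for example systemctl_exec_t) is the right shape; also check whether a merged-/usr image places the binary at /usr/bin/systemctl, which `/bin/systemctl -- gen_context(...)` does not match unless the mapping added by poky-fc-subs_dist.patch covers it, otherwise write the pattern as `/(usr/)?bin/systemctl`.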
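Review bot: The init.fc hunk labels only /lib/systemd/systemd; on a merged-/usr root the binary is /usr/lib/systemd/systemd and the entry would not match, so either confirm the subs_dist mapping handles it or write it as `/(usr/)?lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)`, mirroring the `/sbin/init(ng)?` style already used in that block. Since these entries are restricted to regular files (`--`), a /sbin/init symlink pointing at systemd is fine: the exec transition is decided on the target's label, which is exactly what this entry provides.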
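Review bot: The three rules appended to init.te are raw allow rules that reach into other modules' types after the last optional_policy block, which refpolicy does not accept: `allow kernel_t init_t:process dyntransition;` grants a permission to the kernel domain and `allow devpts_t device_t:filesystem associate;` concerns the terminal and devices modules' types, so neither belongs in init.te as written. Express them through the owning modules' interfaces (a kernel.if interface for the kernel_t rule, and devices.if's dev_associate() called from terminal.te for devpts_t), and move `allow init_t self:capability2 block_suspend;` up next to init_t's other self rules in the local policy section instead of the end of the file. The commit message should also quote the AVC denials that motivated each rule; the kernel_t to init_t dyntransition in particular means a process is switching context with setcon rather than executing through init_exec_t, which the init.fc hunk already sets up, so it should be explained why the normal exec transition is not enough.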
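Review bot: The .inc hunk adds refpolicy-update-for_systemd.patch to SRC_URI, but this revision of the patch header dropped the `Upstream-Status: Pending` line that the earlier revision above carried; OpenEmbedded layers require an Upstream-Status tag on every patch, so restore it. The file-context and allow-rule changes are generic systemd support rather than Poky-specific, so they are also a candidate for submission to refpolicy upstream, with the tag updated accordingly.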