[yocto] [Yocto pyro] username adding via recipe in capital letters allowed?

2017-11-02 Thread Shrikant Bobade
Hi ,

I am using Yocto pyro and, for creating users via a recipe using inherit
useradd, followed
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb?h=pyro

With lowercase I am able to create a user, e.g. user, as expected,
but I just want to check: is adding a username via recipe in capital
letters allowed?

I tried a mixed upper/lower case user, e.g. User, or only
capital/uppercase, e.g. USER, and I am getting the failure
ERROR: user-1.0-r0 do_prepare_recipe_sysroot: user: useradd command did not
succeed.

Based on current findings it seems capital letters are not allowed, but it
is worth confirming once whether anyone has faced similar stuff and whether
there is any way to do it.

Any pointers or details will be helpful.

Thanks
Shrikant
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


Re: [yocto] SELinux with Busybox on morty

2017-07-25 Thread Shrikant Bobade
Hi Marco,

On similar lines, as Joe suggested, please try with refpolicy 2.20151208
from morty. I would also recommend starting with the refpolicy-minimum
policy variant; then you can explore other variants like refpolicy-targeted.

On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini  wrote:
>
> Hi Joe & Shrikant,
>
> Many thanks for your response. It was good to know that busybox can
function with SELinux enforcing enabled.
>
I also confirm busybox works fine in enforcing mode on the minimum variant;
I have used it in multiple ways.

> Sorry not to mention the policy we're currently using. It's:
>refpolicy-targeted
>
> ||/ NameVersion  Architecture
Description
>
+++-===---
> ii  refpolicy-targeted  git-r0   amd64
 SELinux targeted policy
>
> We'll build policy based on 2.20151208 and give it a try to see how it
behaves.
>
> It appears to me that policy itself is responsible for semanage not
functioning. When I try:
>
>semanage -v port -l
>
> I see errors like this:
>
> 1088. 07/24/17 07:29:46 semanage
unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write
system_u:object_r:lib_t:s0 denied 1095
> 1089. 07/24/17 07:29:46 semanage
unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write
system_u:object_r:lib_t:s0 denied 1096
>
> or
>
> time->Mon Jul 24 07:29:46 2017
> type=PROCTITLE msg=audit(1500881386.907:1101):
proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
> type=SYSCALL msg=audit(1500881386.907:1101): arch=c03e syscall=2
success=no exit=-13 a0=7ddf20 a1=2c1 a2=81a4 a3=5640003640100 items=0
ppid=496 pid=1201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python2.7"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for
 pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
>
> The majority of the errors however are related to start_getty:
>
> 142. 07/24/17 06:14:04 start_getty system_u:system_r:getty_t:s0 4 dir
search system_u:object_r:default_t:s0 denied 149
>
> time->Mon Jul 24 07:34:21 2017
> type=PROCTITLE msg=audit(1500881661.906:1160):
proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
> type=SYSCALL msg=audit(1500881661.906:1160): arch=c03e syscall=59
success=no exit=-13 a0=6fca60 a1=6fcc40 a2=6faf90 a3=59a items=0 ppid=1244
pid=1246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="start_getty" exe="/bin/bash"
subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for
 pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
>
> I've applied an appropriate context to start_getty, but that didn't
prevent the errors:
>
> ls -alZ /bin/start_getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 99 Jul 21 02:55
/bin/start_getty
>
> start_getty is a shell script that points back to /sbin/getty which is a
symlink to /usr/lib/busybox/sbin/getty
>
> So I applied a context to  /usr/lib/busybox/sbin/getty without it
preventing the above mentioned errors:
>
> ls -alZ /usr/lib/busybox/sbin/getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 21 Jun  9 03:39
/usr/lib/busybox/sbin/getty
>

I think you are trying to patch the policy or fix the avc denials w.r.t.
context.

To do that, we have audit tools available from meta-selinux which will help
to understand the avc denials in detail:
please try using audit2why on the avc denials to get why we hit the denials,
and further use audit2allow to generate allow rules based on the current
policy, then try with the generated allow rules.

Hope it helps :)

> I'm keen to see how policy based on 2.20151208 will look.
>
> Additional to trying 2.20151208 if you have any suggestions or advice I'd
be grateful to hear it.
Please start exploring with refpolicy-minimum.

>
> Cheers,
> Marco
>
>

Thanks
Shrikant

>
> On 22 July 2017 at 05:46, Joe MacDonald  wrote:
>>
>> Hi Justin / Marco,
>>
>> [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin
Clacherty wrote:
>>
>> > Hi Joe,
>> >
>> > Is this something you or one of the other meta-selinux devs are able
>> > to help out with or is it more of an upstream question?
>>
>> I'll see if I can give this a shot.  :-)
>>
>> >
>> > Cheers,
>> > Justin.
>> >
>> >
>> > > On 17 Jul 2017, at 4:57 pm, Marco Ostini  wrote:
>> > >
>> > >
>> > > Hi All,
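
The audit2why/audit2allow step recommended in the reply above, as an added example that is not part of this thread or of meta-selinux: a small Python parser that reads raw audit records, decodes the hex-encoded PROCTITLE field to show which command line was denied, and groups AVC denials into the candidate allow rules that audit2allow would print for the same input. The sample log is constructed from the semanage and start_getty records Marco quoted, re-joined onto single lines as they sit in audit.log; the function names are the example's own.

```python
"""Group raw SELinux audit records into candidate allow rules.

Added example (not meta-selinux code): it re-implements the grouping
step that audit2allow performs so the shape of its output is clear, and
decodes PROCTITLE records so each denial can be tied to a command line.
"""
import re
from collections import defaultdict

# Constructed sample: the semanage and start_getty records quoted in the
# thread, re-joined onto single lines as they appear in audit.log.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for  pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for  pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
# PROCTITLE is hex-encoded when argv contains NUL separators (any command
# with arguments) and plain-quoted otherwise; accept both forms.
PROCTITLE_RE = re.compile(
    r"type=PROCTITLE msg=audit\((?P<event>[\d.]+:\d+)\): "
    r'proctitle=(?:"(?P<text>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))'
)


def decode_proctitle(match):
    """Return the command line; the hex form has argv joined by NUL bytes."""
    if match.group("text") is not None:
        return match.group("text")
    raw = bytes.fromhex(match.group("hex"))
    return raw.decode("utf-8", "replace").replace("\x00", " ")


def context_type(context):
    """user:role:type[:range] -> type; allow rules name only the type."""
    return context.split(":")[2]


def parse_denials(log_text):
    """One dict per AVC denial, with the PROCTITLE command line attached
    when a record with the same audit event id is present."""
    proctitles = {}
    denials = []
    for line in log_text.splitlines():
        m = PROCTITLE_RE.match(line)
        if m:
            proctitles[m.group("event")] = decode_proctitle(m)
            continue
        m = AVC_RE.match(line)
        if m:
            denials.append({
                "event": m.group("event"),
                "perms": frozenset(m.group("perms").split()),
                "source": context_type(m.group("scontext")),
                "target": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    for d in denials:
        d["cmdline"] = proctitles.get(d["event"])
    return denials


def candidate_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule
    each, which is the form audit2allow prints for the same input."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


def flag_label_problems(denials):
    """default_t is the fallback type for paths matching no file-context
    entry, so a denial against it points at a labelling problem rather
    than a missing allow rule."""
    return [d for d in denials if d["target"] == "default_t"]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print("%s: %s -> %s:%s %s  [%s]" % (
            d["event"], d["source"], d["target"], d["tclass"],
            " ".join(sorted(d["perms"])), d["cmdline"]))
    print("\n".join(candidate_rules(found)))
    for d in flag_label_problems(found):
        print("relabel rather than allow: %s reached by %s" % (d["target"], d["source"]))
```

For the two quoted records this yields `allow semanage_t lib_t:dir write;` and `allow getty_t default_t:dir search;`. The second is the one flag_label_problems() separates out: a target of default_t means the /sbin directory the getty wrapper searches carries no file-context label at all, so the fix is a file-context entry plus restorecon for that path, not a new allow rule; that is in line with the relabelling Marco was already attempting on the getty binaries.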

Re: [yocto] [meta-selinux] What's the point of refpolicy-minimum?

2017-01-16 Thread Shrikant Bobade
Hi Joe,

On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald 
wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12
(Thu 12:57) wenzong fan wrote:
>
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > >Wenzong / Shrikant,
> > >
> > >I thought I knew the answer to the above question, and maybe my
> > >understanding is still correct, but I think I need to ask it now
anyway.
> > >
> > >I don't use refpolicy-minimum for anything, so when I did the updates
to
> > >refpolicy*_git I didn't even glance at refpolicy-minimum_git.
Wenzong's
> > >change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> > >of the recipe) piqued my curiosity, so I had a look.  Of course,
> > >refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> > >now that I'm looking at the recipe I see what seems like conflicting
> > >statements in the recipe:
> > >
> > >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> > >
> > > 1 include refpolicy-targeted_${PV}.bb
> > > 2
> > > 3 SUMMARY = "SELinux minimum policy"
> > > 4 DESCRIPTION = "\
> > > 5 This is a minimum reference policy with just core policy
modules, and \
> > > 6 could be used as a base for customizing targeted policy. \
> > > 7 Pretty much everything runs as initrc_t or unconfined_t so all
of the \
> > > 8 domains are unconfined. \
> > > 9 "
> > >
> > >and:
> > >
> > >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> > >
> > > 1 SUMMARY = "SELinux targeted policy"
> > > 2 DESCRIPTION = "\
> > > 3 This is the targeted variant of the SELinux reference policy.
Most service \
> > > 4 domains are locked down. Users and admins will login in with
unconfined_t \
> > > 5 domain, so they have the same access to the system as if
SELinux was not \
> > > 6 enabled. \
> > > 7 "
> > >
> > >So now I'm trying to understand what the point of refpolicy-minimum
> > >really is here.  Those of you who are using it, what are you using it
> > >for and what do you expect would be the correct behaviour of a system
> > >running that policy?
> > >
> >
> > I don't have much experience on using the refpolicy-minimum as well.
> >
> > But from the original logs it should be "minimum targeted policy".
> >
> > commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> > Author: Wenzong Fan 
> > Date:   Mon Mar 24 21:07:50 2014 -0400
> >
> > refpolicy: add minimum targeted policy
> >
> > This is a minimum targeted policy with just core policy modules, and
> > could be used as a base for customizing targeted policy.
> > Pretty much everything runs as initrc_t or unconfined_t so all of
the
> > domains are unconfined.
> >
> > Signed-off-by: Wenzong Fan 
> > Signed-off-by: Joe MacDonald 
> >
> >
> > >At the very least, I'm going to remove the 'include [...].bb' from both
> > >'minimum' recipes, as that's completely incorrect, but when I do that I
> > >want to know what anyone using this recipe wants to see from it, so
> > >whatever the 'include' gets replaced with is doing the right thing
> > >(which isn't necessarily what it's doing today).
> >
> > I won't object to make the changes, if you think there should be a
different
> > minimum policy with targeted.
>
> I'm not proposing an alternative, I'm just saying that the statements in
> the descriptions of the recipes seem to conflict.  (And do note that the
> git log you quoted is precisely the text in DESCRIPTION for
> refpolicy-minimum.
>
> What I'm confused by is this in minimum:
>
> > Pretty much everything runs as initrc_t or unconfined_t so all of
the
> > domains are unconfined.
>
> and this in targeted:
>
> > > Most service domains are locked down.
>
> So I guess my question is what is the desired behaviour out of this
> recipe?  If nobody knows and it's not being used, I'm leaning toward a
> 'git rm'-based solution.  :-)
>
> It sounds, though, like Shrikant is using it, so it's of some use, I
> guess.  Shrikant, on the systems you've used the minimum policy, what
> does the policy look like on your running system?  In the current world
> refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
> refpolicy-targeted, is that good / bad / irrelevant to what you're doing
> with it?  If I just rework minimum to remove the include and bring in
> the minimal number of changes to get the policy to load again, is that
> good enough for your purposes?  Do you want to volunteer to test my
> changes for me before I commit them?  :-)

Sure, the rework for minimum to remove the include with the minimal number
of changes to get the policy loading seems good to serve the expectations
from it.
Happy to volunteer to validate the changes; please advise the location to
fork the in-progress changes. :)

>
> --
> -Joe MacDonald.
> :wq
>

Re: [yocto] [meta-selinux] What's the point of refpolicy-minimum?

2017-01-10 Thread Shrikant Bobade
Hi Joe,


On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald 
wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look.  Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>  1 include refpolicy-targeted_${PV}.bb
>  2
>  3 SUMMARY = "SELinux minimum policy"
>  4 DESCRIPTION = "\
>  5 This is a minimum reference policy with just core policy modules,
and \
>  6 could be used as a base for customizing targeted policy. \
>  7 Pretty much everything runs as initrc_t or unconfined_t so all of
the \
>  8 domains are unconfined. \
>  9 "
>
> and:
>
>recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>  1 SUMMARY = "SELinux targeted policy"
>  2 DESCRIPTION = "\
>  3 This is the targeted variant of the SELinux reference policy.
Most service \
>  4 domains are locked down. Users and admins will login in with
unconfined_t \
>  5 domain, so they have the same access to the system as if SELinux
was not \
>  6 enabled. \
>  7 "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here.  Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?

I recently used refpolicy-minimum, as it provides protection/security for a
minimum set of modules and leaves the remaining things unconfined; the
minimum coverage (modules) of policy is easy to start on and to cross-check
the prepared infrastructure against the expected SELinux behavior.

Also it is easy to patch for systemd compared to other policies. Up to the
refpolicy v20151208 release we have refpolicy-minimum working with systemd
as init manager; regarding the latest release, I need to check.

But moving ahead, a similar policy with minimum modules can be used.

>
> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

Agree.
>
> --
> -Joe MacDonald.
> :wq
>

Thanks
Shrikant


[yocto] [meta-selinux][PATCH 3/3] refpolicy_2.20151208/git: restrict systemd related patches

2016-09-20 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Restrict systemd-related patches based on distro feature.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/refpolicy/refpolicy_2.20151208.inc | 2 +-
 recipes-security/refpolicy/refpolicy_git.inc| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index ce90b13..1123f3a 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -29,7 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 file://poky-fc-rpm.patch \
 file://poky-fc-ftpwho-dir.patch \
 file://poky-fc-fix-real-path_su.patch \
-file://refpolicy-update-for_systemd.patch \
+${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 
'file://refpolicy-update-for_systemd.patch', '', d)} \
"
 
 # Specific policy for Poky
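Review bot: the commit message ("restrict systemd related patches based on distro feature") does not say what goes wrong when refpolicy-update-for_systemd.patch is applied to a sysvinit image, so a reader of this hunk cannot tell whether the `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ...)}` guard is a correctness fix or a tidy-up. One sentence naming the failure, or stating that the patch is harmless but unneeded without systemd, would make the guard self-explanatory.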
diff --git a/recipes-security/refpolicy/refpolicy_git.inc 
b/recipes-security/refpolicy/refpolicy_git.inc
index d031f81..93ba6e5 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -32,7 +32,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 file://poky-fc-rpm.patch \
 file://poky-fc-ftpwho-dir.patch \
 file://poky-fc-fix-real-path_su.patch \
-file://refpolicy-update-for_systemd.patch \
+${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 
'file://refpolicy-update-for_systemd.patch', '', d)} \
"
 
 # Specific policy for Poky
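Review bot: this is the same `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)}` snippet as in refpolicy_2.20151208.inc, copied verbatim into refpolicy_git.inc. Both includes already share refpolicy_common.inc (touched by patch 2/3 of this series), so defining the conditional once there, in the style of the SYSTEMD_REFPOLICY_PATCHES variable the refpolicy-minimum recipe uses, would keep the two copies from drifting on the next uprev.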
-- 
1.9.1



[yocto] [meta-selinux][PATCH 2/3] cleanup 'virtual/refpolicy' & switch to 'refpolicy'

2016-09-20 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

This change drops the use of 'virtual/refpolicy' completely and switches to
'refpolicy'; the mixed use of both results in mismatching policy variant selection.

With the use of 'virtual/refpolicy' at the config level, when we try to switch to
other policy variants using 'refpolicy' at the local.conf level we
continue to get the policy variant set at the config level, so drop the use of
'virtual/refpolicy' and switch to 'refpolicy'.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 conf/distro/oe-selinux.conf | 2 +-
 recipes-security/refpolicy/refpolicy_common.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf
index 0011d45..f4574d0 100644
--- a/conf/distro/oe-selinux.conf
+++ b/conf/distro/oe-selinux.conf
@@ -2,4 +2,4 @@ DISTRO = "oe-selinux"
 DISTROOVERRIDES .= ":selinux"
 
 DISTRO_FEATURES_append = " acl xattr pam selinux"
-PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
+PREFERRED_PROVIDER_refpolicy ?= "refpolicy-mls"
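Review bot: renaming the provider namespace from `virtual/refpolicy` to `refpolicy` is a user-visible configuration change; any existing local.conf that sets `PREFERRED_PROVIDER_virtual/refpolicy` silently stops having any effect after this hunk, and because several recipes will then all provide `refpolicy`, the build falls back to bitbake's multiple-provider selection instead of the variant the user chose. The commit message should call this out and tell users to rename the variable to `PREFERRED_PROVIDER_refpolicy`.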
diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index a9dc466..1017d29 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-PROVIDES += "virtual/refpolicy"
+PROVIDES += "refpolicy"
 RPROVIDES_${PN} += "refpolicy"
 
 # Specific config files for Poky
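Review bot: with `PROVIDES += "refpolicy"` in the shared include, every refpolicy-* recipe now claims the same non-virtual provider name, so a distro that does not include oe-selinux.conf (where the `?=` default from the previous hunk lives) has no preferred provider and will hit bitbake's multiple-providers warning as soon as more than one variant is in the layer path. Document that `PREFERRED_PROVIDER_refpolicy` must be set by such distros; `RPROVIDES_${PN} += "refpolicy"` on the next line is unchanged, so only build-time selection is affected.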
-- 
1.9.1



[yocto] [meta-selinux][PATCH 1/3] selinux-initsh.inc: selinux-init/autorelabel: add force reboot

2016-09-20 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Add force reboot during SELinux init and autorelabel, required for smooth
auto-reboot functionality with sysvinit as init manager.

It is required only for sysvinit, so it is restricted to sysvinit and not
applied for systemd.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/selinux/selinux-initsh.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index bcdd449..dbbb4f8 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -21,6 +21,8 @@ do_install () {
install -d ${D}${sysconfdir}/init.d/
install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 
+   sed -i 's#/sbin/reboot#/sbin/reboot -f#g' 
${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
 
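Review bot: the commit message says the forced reboot is restricted to sysvinit, but the `sed -i 's#/sbin/reboot#/sbin/reboot -f#g'` here runs unconditionally in do_install, and the lines immediately after it install the systemd .service from the same recipe; if that service runs the same init.d script, the `-f` applies under systemd as well. Either guard the sed with `bb.utils.contains('DISTRO_FEATURES', 'sysvinit', ...)`, as patch 3/3 in this series does for systemd, or state in the message why the script is only reached under sysvinit. It would also help to note that `reboot -f` bypasses init's shutdown sequence, so the relabel step must have finished writing before the call.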
-- 
1.9.1



[yocto] [meta-selinux] [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

syslog- and getty-related allow rules are required to fix the syslog mixup
with the boot log while using systemd as init manager.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 69 ++
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100644
index 000..b01947d
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,69 @@
+From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc:  denied  { search } for  pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { write } for  pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { add_name } for  pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { sendto } for  pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc:  denied  { create } for  pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc:  denied  { append } for  pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc:  denied  { getattr } for  pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 84eaf77..2e53daf 100644
+--- a/policy/modules/system/getty.te
 b/policy/modules/system/getty.te
+@@ -142,3 +142,4 @@ optional_policy(`
+ 
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
+index 107db03..95de86d 100644
+--- a/policy/modules/system/logging.te
 b/policy/modules/system/logging.te
+@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
+-- 
+1.9.1
+
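Review bot: `allow syslogd_t tmpfs_t:file { read write create getattr append open };` and `allow syslogd_t tmpfs_t:dir { search write add_name };` in the logging.te part of the embedded patch grant syslogd_t write access to every generic tmpfs_t file and directory on the system, not just the log directory; all the denials quoted in the message come from /var/volatile/log living on a tmpfs that never received a var_log_t label. A narrower fix is a file transition so that what syslogd creates there is var_log_t (refpolicy's `fs_tmpfs_filetrans()` does this), or a file-context entry for /var/volatile/log, after which the existing logging rules apply and the broad tmpfs_t rules are not needed. The getty.te change (`allow getty_t initrc_t:unix_dgram_socket sendto;`) is fine for the minimum policy, where journald runs as initrc_t, but the message should say that is why the target is initrc_t.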
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9f01492..da6626e 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -80,4 +80,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+   file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
"
-- 
1.9.1



[yocto] [meta-selinux] [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files services

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Fix for the systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 111 +
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
new file mode 100644
index 000..a7338e1
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,111 @@
+From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++
+ policy/modules/kernel/kernel.if  | 23 +++
+ policy/modules/system/systemd.te |  3 +++
+ 3 files changed, 45 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1cedea2..4ea7d55 100644
+--- a/policy/modules/kernel/files.if
 b/policy/modules/kernel/files.if
+@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+ 
+   typeattribute $1 files_unconfined_type;
+ ')
++
++
++## 
++##systemd tmp files access to kernel tmp files domain
++## 
++## 
++##
++##Domain allowed access.
++##
++## 
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++  gen_require(`
++  type tmp_t;
++class lnk_file getattr;
++  ')
++
++  allow $1 tmp_t:lnk_file getattr;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index f1130d1..4604441 100644
+--- a/policy/modules/kernel/kernel.if
 b/policy/modules/kernel/kernel.if
+@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
+   typeattribute $1 kern_unconfined;
+   kernel_load_module($1)
+ ')
++
++
++## 
++##systemd tmp files access to kernel sysctl domain
++## 
++## 
++##
++##Domain allowed access.
++##
++## 
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++type sysctl_kernel_t;
++class dir search;
++class file { open read };
++ ')
++
++allow $1 sysctl_kernel_t:dir search;
++allow $1 sysctl_kernel_t:file { open read };
++
++')
++
+diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
+index 22021eb..8813664 100644
+--- a/policy/modules/system/systemd.te
 b/policy/modules/system/systemd.te
+@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ allow systemd_tmpfiles_t self:capability net_admin;
+ 
+ allow systemd_tmpfiles_t init_t:file { open getattr read };
++
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+-- 
+1.9.1
+
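Review bot: the two new interfaces are named `systemd_service_allow_kernel_files_domain_to_tmp_t` and `systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t` but are added to policy/modules/kernel/files.if and kernel.if, whose interfaces by refpolicy convention carry the `files_` and `kernel_` prefixes and describe the access granted, not the caller. `kernel_read_kernel_sysctls()` already exists in kernel.if and covers `sysctl_kernel_t:dir search` plus `file { open read }`, so the second interface can be dropped in favour of calling it from systemd.te; the first would fit as a `files_`-prefixed interface for tmp_t symlink getattr. The indentation inside the second `gen_require` block is also inconsistent with the surrounding file and with the first interface.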
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 7312ada..9f01492 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-se

[yocto] [meta-selinux] [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init manager.

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Add an allow rule to fix the avc denial during system reboot.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-init-fix-reboot-with-systemd-as-in.patch | 36 ++
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
new file mode 100644
index 000..c88f2b2
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,36 @@
+From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f9d7114..19a7a20 100644
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+ 
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
+-- 
+1.9.1
+
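Review bot: `allow initrc_t init_t:system { start status reboot };` lets any process running in initrc_t ask systemd (init_t) to reboot the machine, and in refpolicy-minimum that is nearly every service, since, as the recipe DESCRIPTION quoted earlier on this page puts it, "pretty much everything runs as initrc_t or unconfined_t". That is consistent with the minimum policy's intent, but the commit message should state it explicitly, and if the change is ever proposed for the targeted variant the permission belongs in an init.if interface granted only to the domain that issues `systemctl --force reboot`, not to initrc_t as a whole.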
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index d1ea37d..9c806c4 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -76,4 +76,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+   file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
"
-- 
1.9.1



[yocto] [meta-selinux] [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type local_login_t

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Add allow rules for the locallogin module avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-locallogin-add-allow-rules-for-typ.patch | 53 ++
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100644
index 000..3623215
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,53 @@
+From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
+index 53923f8..09ec33f 100644
+--- a/policy/modules/system/locallogin.te
 b/policy/modules/system/locallogin.te
+@@ -274,3 +274,13 @@ optional_policy(`
+ optional_policy(`
+   nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
+-- 
+1.9.1
+
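Review bot: `allow local_login_t self:capability net_admin;` is not justified by any of the three AVC lines in the description (they show only read/write/open/lock on lastlog and sendto on the journal socket), and the same goes for the `initrc_t:fd use`, `initrc_t:unix_stream_socket connectto` and both `var_run_t` rules; either add the denials that motivated them to the description or drop them. The file rules are broader than the denials: `var_log_t:file { create lock open read write }` and `tmpfs_t:file { create open read write lock }` give login write access to every file of those generic types, whereas the denials are about /var/volatile/log/lastlog, which refpolicy expects to carry its own lastlog type and to be reached through the authlogin interfaces (auth_rw_lastlog and friends); the tmpfs_t denial points at the file being unlabelled on the volatile tmpfs rather than at a missing rule. Style: the block lands after the `nscd_use(sulogin_t)` optional_policy instead of in the local_login_t section above it, and `{ open read write lock}` / `{ add_name write search}` lack the closing space used on the other lines.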
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index f4b80bc..d1ea37d 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -75,4 +75,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
 file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch 
\
file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+   file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
"
-- 
1.9.1



[yocto] [meta-selinux] [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: add allow rules

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rules for avc denials for systemd, mount, logging & authlogin
modules. without this change we are getting avc denials from these
modules.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-systemd-mount-logging-authlogin-ad.patch | 93 ++
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100644
index 000..35a8e1b
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,93 @@
+From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te   | 6 ++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
+index f80dfcb..5fab54a 100644
+--- a/policy/modules/system/authlogin.te
 b/policy/modules/system/authlogin.te
+@@ -464,3 +464,5 @@ optional_policy(`
+   samba_read_var_files(nsswitch_domain)
+   samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
+index fdf86ef..107db03 100644
+--- a/policy/modules/system/logging.te
 b/policy/modules/system/logging.te
+@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open 
read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 1c2fc33..b699309 100644
+--- a/policy/modules/system/mount.te
 b/policy/modules/system/mount.te
+@@ -229,3 +229,6 @@ optional_policy(`
+   files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+   unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
+index fdb9fef..734d455 100644
+--- a/policy/modules/system/systemd.te
 b/policy/modules/system/systemd.te
+@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+   files_relabel_non_security_dirs(systemd_tmpfiles_t)
+   files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
++
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sen
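Review bot: `allow mount_t initrc_t:udp_socket { read write };` in the mount.te hunk grants access to a UDP socket that mount can only have inherited from initrc_t (the denial shows `path="socket:[9717]"`), i.e. a leaked descriptor; refpolicy convention is to dontaudit leaked fds and close the leak in the parent rather than allow the child to use them. In the systemd.te hunk `allow systemd_tmpfiles_t init_t:file read;` answers the `/proc/1/environ` denial by letting tmpfiles read PID 1's environment, which deserves a comment on why it is required. In logging.te the `-allow klogd_t ...` / `+allow klogd_t ...` pair changes nothing but the trailing newline left missing by 0002; fix that in 0002 so this hunk carries only the syslogd_t rules, and `allow syslogd_t self:shm create;` can be folded into the `self:shm { read unix_read unix_write write }` line. `allow chkpwd_t proc_t:filesystem getattr;` and `allow mount_t proc_t:filesystem getattr;` should use the existing kernel_getattr_proc interface rather than raw rules against proc_t.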

[yocto] [meta-selinux] [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related allow rules

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rules for audit.log file & resolve dependent avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-audit-logging-getty-audit-related-.patch | 67 ++
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch
new file mode 100644
index 000..23bc397
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -0,0 +1,67 @@
+From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc:  denied  { getattr } for  pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc:  denied  { open } for  pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/getty.te   | 3 +++
+ policy/modules/system/logging.te | 8 
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index f6743ea..84eaf77 100644
+--- a/policy/modules/system/getty.te
 b/policy/modules/system/getty.te
+@@ -139,3 +139,6 @@ optional_policy(`
+ optional_policy(`
+   udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
+diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
+index 9b18aad..fdf86ef 100644
+--- a/policy/modules/system/logging.te
 b/policy/modules/system/logging.te
+@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket 
create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+ 
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -569,3 +570,10 @@ optional_policy(`
+   # log to the xconsole
+   xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+-- 
+1.9.1
+
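Review bot: the getty.te hunk answers the wtmp denial (`path="/var/volatile/log/wtmp" ... tcontext=system_u:object_r:tmpfs_t:s0`) with `allow getty_t tmpfs_t:file { open write lock };`, which is write access to every tmpfs_t file on the system; the denial shows that wtmp on the volatile tmpfs never received its login-record label, so the fix belongs in the file contexts or a filetrans rule, not in getty's rules. In the logging.te hunk `allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };` lists `search` twice, the block is preceded by two empty `+` lines, and the file is left without a trailing newline (`\ No newline at end of file`), which the next patch in the series then has to repair. The recurring `initrc_t:unix_dgram_socket sendto` rule (audisp_t, auditd_t and klogd_t here, more domains in later patches) is a symptom of /run/systemd/journal/dev-log being owned by a journald running as initrc_t; a single logging.if interface, or a proper journald domain, would replace all of these copies.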
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 16592e5..9e1dc9b 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -73,4 +73,5 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 
'systemd', ' ${SYSTEMD_REFPO
 
 SYSTEMD_REFPOLICY_PATCHES = " \
 file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch 
\
+   file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
"
-- 
1.9.1



[yocto] [meta-selinux] [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules

2016-08-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.

without this change we are getting avc denials and access denied to perform
operations on service file.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...inimum-systemd-unconfined-lib-add-systemd.patch | 124 +
 .../refpolicy/refpolicy-minimum_2.20151208.bb  |   7 ++
 2 files changed, 131 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
 
b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
new file mode 100644
index 000..7a72f18
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,124 @@
+From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te   |  6 +-
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if| 40 +
+ policy/modules/system/unconfined.te |  6 ++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d710fb0..f9d7114 100644
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -1100,4 +1100,8 @@ optional_policy(`
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
++allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te
+index 0f5cd56..df98fe9 100644
+--- a/policy/modules/system/libraries.te
 b/policy/modules/system/libraries.te
+@@ -144,3 +144,6 @@ optional_policy(`
+ optional_policy(`
+   unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if 
b/policy/modules/system/systemd.if
+index 3cd6670..822c03d 100644
+--- a/policy/modules/system/systemd.if
 b/policy/modules/system/systemd.if
+@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
+ 
+   allow $1 power_unit_t:service start;
+ ')
++
++
++
++## 
++## Allow specified domain to start stop reset systemd service
++## 
++## 
++## 
++## Domain to not audit.
++## 
++## 
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++   class service { start status stop };
++ ')
++
++  allow $1 lib_t:service { start status stop };
++
++')
++
++
++
++## 
++## Allow init domain to start lib domain service
++## 
++## 
++## 
++## Domain to not audit.
++## 
++## 
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++   class service start;
++ ')
++
++  allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
+index 99cab31..87a1b03 100644
+--- a/policy/modules/system/unconfined.te
 b/policy/modules/system/unconfined.te
+@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+   unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: 
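Review bot: `systemd_service_file_operations` allows `$1 lib_t:service { start status stop }`, i.e. service operations on anything labelled lib_t, which is the label of every file under /lib; the AVC in the description (`path="/lib/systemd/system/selinux-init.service" ... tcontext=system_u:object_r:lib_t:s0`) shows the real defect is that the unit file carries no unit type, so a file context for /lib/systemd/system would fix it without widening lib_t. The interface summary says "start stop reset" while the rule grants "start status stop", and both new interfaces document their parameter as "Domain to not audit" although they are allow interfaces. `systemd_service_lib_function` ignores `$1` as the subject and hard-codes `initrc_t`, so calling it from libraries.te as `systemd_service_lib_function(lib_t)` puts a systemd rule into the libraries module behind a misleading name. In init.te the `-allow init_t self:capability2 block_suspend;` / `+allow init_t self:capability2 block_suspend;` pair only restores the missing trailing newline; the new `initrc_t init_t:system { start status }` and `init_var_run_t:service { start status }` rules should each get a comment naming the denial they fix.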

Re: [yocto] [meta-selinux][PATCH 1/5] selinux-initsh.inc: add systemd support

2016-08-29 Thread Shrikant Bobade
Hi,


@Ping,


Thanks
Shrikant

On Mon, Aug 22, 2016 at 6:36 PM, Shrikant Bobade <bobadeshrik...@gmail.com>
wrote:

> From: Shrikant Bobade <shrikant_bob...@mentor.com>
>
> add support for systemd service file and handling of script required by
> systemd service file.
>
> Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
> ---
>  recipes-security/selinux/selinux-initsh.inc | 12 +++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/recipes-security/selinux/selinux-initsh.inc
> b/recipes-security/selinux/selinux-initsh.inc
> index f7348bb..bcdd449 100644
> --- a/recipes-security/selinux/selinux-initsh.inc
> +++ b/recipes-security/selinux/selinux-initsh.inc
> @@ -13,11 +13,21 @@ CONFFILES_${PN} += "${sysconfdir}/init.d/${
> SELINUX_SCRIPT_DST}"
>
>  PACKAGE_ARCH ?= "${MACHINE_ARCH}"
>
> -inherit update-rc.d
> +inherit update-rc.d systemd
> +
> +SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
>
>  do_install () {
> install -d ${D}${sysconfdir}/init.d/
> install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh
> ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
> +
> +   install -d ${D}${systemd_unitdir}/system
> +   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service
> ${D}${systemd_unitdir}/system
> +
> +   if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true',
> 'false', d)}; then
> +   install -d ${D}${bindir}
> +   install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh
> ${D}${bindir}
> +   fi
>  }
>
>  sysroot_stage_all_append () {
> --
> 1.9.1
>
>


[yocto] [meta-selinux][PATCH] packagegroup-core-selinux: add auditd support for audit log

2016-08-24 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

this change provides the dependency required by the audit log file, to prepare it at
/var/log/audit/audit.log and get a cleaner boot log.
without this change all avc denial messages mix with the boot log & it is
difficult to do avc denial analysis.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/packagegroups/packagegroup-core-selinux.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb 
b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 9c74458..a0152a9 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -27,4 +27,5 @@ RDEPENDS_${PN} = " \
selinux-labeldev \
refpolicy \
coreutils \
+   auditd \
"
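Review bot: adding `auditd` to `RDEPENDS_${PN}` of packagegroup-core-selinux makes the audit daemon a hard requirement of every SELinux image built from this packagegroup, while the description presents it as a convenience for keeping denials out of the boot log; an RRECOMMENDS, or a DISTRO_FEATURES-style conditional like the ones used elsewhere in this layer, would let images without an audit requirement still opt out.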
-- 
1.9.1



[yocto] [meta-selinux][PATCH 5/5] refpolicy_common.inc: add refpolicy minimum banner at selinux config.

2016-08-22 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/refpolicy/refpolicy_common.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index e1eac50..a9dc466 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -158,6 +158,7 @@ install_config () {
 # disabled - No SELinux policy is loaded.
 SELINUX=${DEFAULT_ENFORCING}
 # SELINUXTYPE= can take one of these values:
+# minimum - Minimum Security protection.
 # standard - Standard Security protection.
 # mls - Multi Level Security protection.
 # targeted - Targeted processes are protected.
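Review bot: the new comment line `# minimum - Minimum Security protection.` mirrors the wording of the `standard` entry and so reads like a protection level, but the minimum policy confines fewer domains than standard; phrasing it the way the `targeted` entry does (saying which processes are confined) keeps operators from reading "minimum" as a hardening setting. The commit message has no body; one sentence saying that refpolicy-minimum is now a selectable SELINUXTYPE would help.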
-- 
1.9.1



[yocto] [meta-selinux][PATCH 4/5] selinux-labeldev: add systemd service file support

2016-08-22 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add systemd service file for handling selinux labeldev, this change improves
handling of systemd service functionality like: status check, debug etc.
compared to sysvinit compatibility mode scripts.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 .../selinux/selinux-labeldev/selinux-labeldev.service | 11 +++
 recipes-security/selinux/selinux-labeldev_0.1.bb  |  5 -
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 
recipes-security/selinux/selinux-labeldev/selinux-labeldev.service

diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service 
b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
new file mode 100644
index 000..d45ecbc
--- /dev/null
+++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux init for /dev service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-labeldev.sh
+
+[Install]
+WantedBy=multi-user.target
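Review bot: `Type=oneshot` without `RemainAfterExit=yes` means the unit shows as inactive as soon as the script has run, so the `systemctl status` benefit named in the commit message is lost; add it. `WantedBy=multi-user.target` next to `DefaultDependencies=no` and `Before=sysinit.target` is an odd pairing as well: a unit that has to run before sysinit.target is normally `WantedBy=sysinit.target`. `ExecStart=/usr/bin/selinux-labeldev.sh` hard-codes the path rather than being generated from ${bindir}, and the unit has no After= ordering against selinux-init.service, even though the sysvinit side orders these scripts by name (`0${BPN}` in the .bb).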
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb 
b/recipes-security/selinux/selinux-labeldev_0.1.bb
index b692bb2..8eb5db4 100644
--- a/recipes-security/selinux/selinux-labeldev_0.1.bb
+++ b/recipes-security/selinux/selinux-labeldev_0.1.bb
@@ -10,7 +10,10 @@ ${PN}_RDEPENDS = " \
 policycoreutils-setfiles \
 "
 
-SRC_URI = "file://${BPN}.sh"
+SRC_URI = "file://${BPN}.sh \
+   file://${BPN}.service \
+   "
+
 SELINUX_SCRIPT_DST = "0${BPN}"
 
 require selinux-initsh.inc
-- 
1.9.1



[yocto] [meta-selinux][PATCH 3/5] selinux-autorelabel: add systemd service file support

2016-08-22 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add systemd service file for handling selinux autorelabel, this change
improves handling of systemd service functionality like: status check,
re-run, debug etc. compared to sysvinit compatibility mode scripts.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 .../selinux/selinux-autorelabel/selinux-autorelabel.service   | 11 +++
 recipes-security/selinux/selinux-autorelabel_0.1.bb   |  5 -
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 
recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
new file mode 100644
index 000..9520f6e
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux autorelabel service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-autorelabel.sh
+
+[Install]
+WantedBy=multi-user.target
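Review bot: same unit shape as the labeldev service, so the same points apply (`Type=oneshot` without `RemainAfterExit=yes` defeats the status check the description promises, `WantedBy=multi-user.target` does not match `Before=sysinit.target`, and ExecStart hard-codes /usr/bin). Specific to autorelabel: the .bb keeps `INITSCRIPT_PARAMS = "start 01 S ."`, a fixed early slot under sysvinit, but the unit has no After= relative to selinux-init.service, so under systemd nothing guarantees that policy is loaded before the relabel runs.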
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb 
b/recipes-security/selinux/selinux-autorelabel_0.1.bb
index 2664863..4eb2b4e 100644
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -11,7 +11,10 @@ ${PN}_RDEPENDS = " \
 policycoreutils-setfiles \
 "
 
-SRC_URI = "file://${BPN}.sh"
+SRC_URI = "file://${BPN}.sh \
+   file://${BPN}.service \
+   "
+
 INITSCRIPT_PARAMS = "start 01 S ."
 
 require selinux-initsh.inc
-- 
1.9.1



[yocto] [meta-selinux][PATCH 2/5] selinux-init: add systemd service file support

2016-08-22 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add systemd service file for handling selinux initialization, this change
improves handling of systemd service functionality like: status check, debug
etc. compared to sysvinit compatibility mode scripts.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/selinux/selinux-init/selinux-init.service | 11 +++
 recipes-security/selinux/selinux-init_0.1.bb   |  5 -
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/selinux/selinux-init/selinux-init.service

diff --git a/recipes-security/selinux/selinux-init/selinux-init.service 
b/recipes-security/selinux/selinux-init/selinux-init.service
new file mode 100644
index 000..93cc6ce
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux init service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-init.sh
+
+[Install]
+WantedBy=multi-user.target
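Review bot: as with the other two units in this series, `Type=oneshot` needs `RemainAfterExit=yes` for the status check the description mentions, and `Before=sysinit.target` fits `WantedBy=sysinit.target` better than multi-user.target. Since selinux-autorelabel.service and selinux-labeldev.service rely on this unit having loaded policy, this is the unit they should order After=; a `ConditionSecurity=selinux` line would additionally let the unit be skipped cleanly on a kernel booted without SELinux instead of failing in ExecStart.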
diff --git a/recipes-security/selinux/selinux-init_0.1.bb 
b/recipes-security/selinux/selinux-init_0.1.bb
index 54932e8..38b5900 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,7 +14,10 @@ ${PN}_RDEPENDS = " \
 policycoreutils-setfiles \
 "
 
-SRC_URI = "file://${BPN}.sh"
+SRC_URI = "file://${BPN}.sh \
+   file://${BPN}.service \
+   "
+
 INITSCRIPT_PARAMS = "start 01 S ."
 
 require selinux-initsh.inc
-- 
1.9.1



[yocto] [meta-selinux][PATCH 1/5] selinux-initsh.inc: add systemd support

2016-08-22 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add support for systemd service file and handling of script required by
systemd service file.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/selinux/selinux-initsh.inc | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index f7348bb..bcdd449 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -13,11 +13,21 @@ CONFFILES_${PN} += 
"${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
 
 PACKAGE_ARCH ?= "${MACHINE_ARCH}"
 
-inherit update-rc.d
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
 
 do_install () {
install -d ${D}${sysconfdir}/init.d/
install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+   install -d ${D}${systemd_unitdir}/system
+   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
+
+   if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
+   install -d ${D}${bindir}
+   install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${bindir}
+   fi
 }
 
 sysroot_stage_all_append () {
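Review bot: the unit file is installed unconditionally (`install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system`) while the script it executes is only copied to ${bindir} inside the `bb.utils.contains('DISTRO_FEATURES', 'systemd', ...)` branch, so a sysvinit-only image ships a unit whose ExecStart points at a file that is not installed; move the service install into the same conditional. With systemd enabled the same script is installed twice (init.d and ${bindir}); a symlink, or pointing the unit's ExecStart at the init.d copy, avoids the duplicate and keeps `CONFFILES_${PN}` accurate.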
-- 
1.9.1



Re: [yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208

2016-07-29 Thread Shrikant Bobade
Hi,


Request for comment set from:
https://lists.yoctoproject.org/pipermail/yocto/2016-July/031362.html to
https://lists.yoctoproject.org/pipermail/yocto/2016-July/031369.html

Checked with the build config below, with refpolicy-minimum using systemd as init
manager.

These are comparative boot logs.
refpolicy-minimum without RFC set: http://paste.ubuntu.com/21383917/

refpolicy-minimum with RFC set: http://paste.ubuntu.com/21383939/



Build Configuration:
BB_VERSION= "1.31.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING   = "universal"
TARGET_SYS= "arm-poky-linux-gnueabi"
MACHINE   = "qemuarm"
DISTRO= "poky-selinux"
DISTRO_VERSION= "2.1+snapshot-20160729"
TUNE_FEATURES = "arm armv5 thumb dsp"
TARGET_FPU= "soft"
meta
meta-poky
meta-yocto-bsp= "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
meta-selinux  = "master:d0f889259b610c3365962775c6e96a7cba407177"



Please advise, it will be a great help!


Thanks
Shrikant


On Fri, Jul 1, 2016 at 7:13 PM, Shrikant Bobade <bobadeshrik...@gmail.com>
wrote:

> Hi,
>
> Using refpolicy-minimum v20151208 with systemd as init manager,
>
> I am facing a few issues in enforcing mode,
> 1. systemd service status check, start & stop
> 2. auditd logfile error, so it is mixing with the boot log.
> 3. also other avc denials related to tmpfs & other types etc..
>
>
> setup details: poky and meta-selinux: both at master head & systemd enabled.
> with these SELinux booleans enabled: i. systemd_tmpfiles_manage_all
> ii. allow_mount_anyfile
>
> captured the avc denial to fix the systemd execution well, attached
> SELinux-Modules.txt :- the allow rules generated using audit tools.
> I am trying to merge these module into actual refpolicy modules, so we get
> the out of box experience for smooth systemd execution.
> Observed that the policy store sometimes seems corrupted when I start inserting
> the prepared policy module allow rules into the actual refpolicy modules..
>
> Has anyone else faced similar issues?
>
> Any pointers or references will be a great help.
>
>
> Thanks
> Shrikant
>
>


[yocto] [meta-selinux][RFC 8/8] systemd: fix for systemd tmp-files services

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...ystemd-fix-for-systemd-tmp-files-services.patch | 110 +
 .../refpolicy/refpolicy_2.20151208.inc |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
new file mode 100644
index 000..385e6e2
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
@@ -0,0 +1,110 @@
+From 2156e7428c5f58f3b13cfa95a1a4789299d2c448 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Wed, 27 Jul 2016 19:42:43 +0530
+Subject: [PATCH 8/8] systemd: fix for systemd tmp-files services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++
+ policy/modules/kernel/kernel.if  | 23 +++
+ policy/modules/system/systemd.te |  3 +++
+ 3 files changed, 45 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1cedea2..4ea7d55 100644
+--- a/policy/modules/kernel/files.if
 b/policy/modules/kernel/files.if
+@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+ 
+   typeattribute $1 files_unconfined_type;
+ ')
++
++
++## 
++##systemd tmp files access to kernel tmp files domain
++## 
++## 
++##
++##Domain allowed access.
++##
++## 
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++  gen_require(`
++  type tmp_t;
++class lnk_file getattr;
++  ')
++
++  allow $1 tmp_t:lnk_file getattr;
++')
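Review bot: the new interface lives in kernel/files.if but is named systemd_service_allow_kernel_files_domain_to_tmp_t; every interface in that file carries the files_ prefix and describes the access granted, not the caller, and refpolicy already has files_read_generic_tmp_symlinks for tmp_t symlinks, so check whether calling that from systemd.te covers the lnk_file getattr denial before adding a new interface. Inside gen_require the indentation is uneven (`class lnk_file getattr;` is flush left while `type tmp_t;` is indented), and the two leading blank `+` lines before the doc block are one more than the surrounding interfaces use.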
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index f1130d1..4604441 100644
+--- a/policy/modules/kernel/kernel.if
 b/policy/modules/kernel/kernel.if
+@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
+   typeattribute $1 kern_unconfined;
+   kernel_load_module($1)
+ ')
++
++
++## 
++##systemd tmp files access to kernel sysctl domain
++## 
++## 
++##
++##Domain allowed access.
++##
++## 
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++type sysctl_kernel_t;
++class dir search;
++class file { open read };
++ ')
++
++allow $1 sysctl_kernel_t:dir search;
++allow $1 sysctl_kernel_t:file { open read };
++
++')
++
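Review bot: dir search plus file open and read on sysctl_kernel_t is what refpolicy's existing kernel_read_kernel_sysctls() interface grants, so systemd.te can call kernel_read_kernel_sysctls(systemd_tmpfiles_t) instead of adding systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t to kernel.if; if a new interface is kept it should take the kernel_ prefix used by every other interface in this file, and the blank `+` lines after the closing `')` should go.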
+diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
+index 22021eb..8813664 100644
+--- a/policy/modules/system/systemd.te
 b/policy/modules/system/systemd.te
+@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ allow systemd_tmpfiles_t self:capability net_admin;
+ 
+ allow systemd_tmpfiles_t init_t:file { open getattr read };
++
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 74f7e19..8a73293 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -69,6 +69,7 @@ SYSTEMD_R

[yocto] [meta-selinux][RFC 7/8] systemd: fix for login & journal service

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

1. fix for systemd services: login & journal while using refpolicy-minimum and
systemd as init manager.
2. fix login duration after providing root password.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...007-systemd-fix-for-login-journal-service.patch | 104 +
 .../refpolicy/refpolicy_2.20151208.inc |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
new file mode 100644
index 000..9af0469
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
@@ -0,0 +1,104 @@
+From b767672932ecafa14480cffa0494a44dc78962fa Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Wed, 27 Jul 2016 18:09:34 +0530
+Subject: [PATCH 7/8] systemd: fix for login & journal service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { write } for  pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc:  denied  { open } for  pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te   | 5 +
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if| 6 --
+ policy/modules/system/systemd.te| 3 ++-
+ 4 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 19a7a20..cefa59d 100644
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -1105,3 +1105,8 @@ allow init_t self:capability2 audit_read;
+ 
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
++allow initrc_t init_t:dbus send_msg;
++
++allow init_t initrc_t:dbus { send_msg acquire_svc };
+diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
+index 09ec33f..be25c82 100644
+--- a/policy/modules/system/locallogin.te
 b/policy/modules/system/locallogin.te
+@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
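Review bot: `allow initrc_t local_login_t:dbus send_msg;` has initrc_t as its subject, but initrc_t belongs to the init module; rules for a domain live in that domain's module or are exposed through an interface the owning module exports, the way the other two rules in this hunk keep local_login_t as subject. The three rules are also appended raw at the end of locallogin.te with no comment tying them to the login fifo_file denial quoted in the commit message, so a later reader cannot tell which denial each one answers.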
+diff --git a/policy/modules/system/systemd.if 
b/policy/modules/system/systemd.if
+index 822c03d..8723527 100644
+--- a/policy/modules/system/systemd.if
 b/policy/modules/system/systemd.if
+@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+  gen_require(`
+-   class service start;
++  class service { start status stop };
++  class file { execmod open };
+  ')
+ 
+-  allow initrc_t $1:service start;
++  allow initrc_t $1:service { start status stop };
++  allow initrc_t $1:file execmod;
+ 
+ ')
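Review bot: `allow initrc_t $1:file execmod;` grants execmod (modifying executable memory mapped from the file) on whatever type the caller passes, and the only caller so far is systemd_service_lib_function(lib_t) from patch 1/8, so this lands on every shared library on the system. None of the denials quoted in the commit message mentions execmod, so the rule needs a quoted denial and a rationale or should be dropped. The gen_require also declares `class file { execmod open };` while the interface only uses execmod.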
+diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
+index 70ccb0e..22021eb 100644
+--- a/policy/modules/system/systemd.te
 b/policy/modules

[yocto] [meta-selinux][RFC 6/8] systemd: mount: enable required refpolicy booleans

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

enable required refpolicy booleans for these modules: mount:
allow_mount_anyfile & systemd: systemd_tmpfiles_manage_all

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...mount-enable-requiried-refpolicy-booleans.patch | 43 ++
 .../refpolicy/refpolicy_2.20151208.inc |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
new file mode 100644
index 000..cd93d1d
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
@@ -0,0 +1,43 @@
+systemd: mount: enable requiried refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+
+--- a/policy/booleans.conf
 b/policy/booleans.conf
+@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
+ #
+ # Allow the mount command to mount any directory or file.
+ # 
+-allow_mount_anyfile = false
++allow_mount_anyfile = true
+ 
+ #
+ # Enable support for systemd-tmpfiles to manage all non-security files.
+ # 
+-systemd_tmpfiles_manage_all = false
++systemd_tmpfiles_manage_all = true
+ 
+ #
+ # Allow users to connect to mysql
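Review bot: changing `allow_mount_anyfile = false` to `true` alters the shipped default of the whole policy, and per the context comment it lets the mount command mount on any directory or file, while the denial in the message is a single mounton of initrc_var_run_t:dir for which the message itself quotes the targeted rule `allow mount_t initrc_var_run_t:dir mounton;`. Prefer that one rule in mount.te (or setting the boolean at the image level) over widening the default for every build of this policy. The justification for `systemd_tmpfiles_manage_all = true` shows an `ls /var/log` listing rather than a denial, so it is not clear from the patch which access is actually missing.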
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index d319561..b62167f 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -67,6 +67,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
+   file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
 "
 
 
-- 
1.9.1



[yocto] [meta-selinux][RFC 5/8] init: fix reboot with systemd as init manager.

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rule to fix avc denial during system reboot.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...t-fix-reboot-with-systemd-as-init-manager.patch | 35 ++
 .../refpolicy/refpolicy_2.20151208.inc |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch
new file mode 100644
index 000..69a9019
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch
@@ -0,0 +1,35 @@
+From cabab1db81115da296193ea8d917dc7cadfdd8f6 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 18:30:59 +0530
+Subject: [PATCH 5/6] init: fix reboot with systemd as init manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f9d7114..19a7a20 100644
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+ 
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
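Review bot: adding reboot to `allow initrc_t init_t:system { start status reboot };` lets every process in initrc_t, which under refpolicy-minimum is the domain most services run in, reboot the system, not only the `systemctl --force reboot` invocation the quoted denial came from. State which service issues that reboot and whether it should run in its own domain; if the permission is really needed for initrc_t, expose it through an interface so each caller is explicit rather than a raw rule at the bottom of init.te.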
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 151c973..d319561 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -66,6 +66,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
file://0002-audit-logging-getty-audit-related-allow-rules.patch \
file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
+   file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
 "
 
 
-- 
1.9.1



[yocto] [meta-selinux][RFC 4/8] locallogin: add allow rules for type local_login_t

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rules for locallogin module avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...in-add-allow-rules-for-type-local_login_t.patch | 52 ++
 .../refpolicy/refpolicy_2.20151208.inc |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch
new file mode 100644
index 000..fd3d477
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch
@@ -0,0 +1,52 @@
+From 545ebd866283ae929cfec716d067cd34015ad142 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 18:26:18 +0530
+Subject: [PATCH 4/6] locallogin: add allow rules for type local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
+index 53923f8..09ec33f 100644
+--- a/policy/modules/system/locallogin.te
 b/policy/modules/system/locallogin.te
+@@ -274,3 +274,13 @@ optional_policy(`
+ optional_policy(`
+   nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
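Review bot: the quoted denials show /var/volatile/log/lastlog with tcontext var_log_t on a tmpfs, which is a labelling problem rather than a missing rule: refpolicy gives lastlog its own type (lastlog_t) and already has interfaces for login domains to use it, so the fix is correct file contexts (applied when the volatile log directory is populated at boot) instead of `allow local_login_t var_log_t:file { create lock open read write };` on the generic log type. The hunk also adds `self:capability net_admin`, `initrc_t:fd use` and `initrc_t:unix_stream_socket connectto`, none of which appears in the quoted denials and so needs its own justification, and `{ open read write lock}` / `{ add_name write search}` are missing the closing space.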
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index c051aec..151c973 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -65,6 +65,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
file://0002-audit-logging-getty-audit-related-allow-rules.patch \
file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
+   file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
 "
 
 
-- 
1.9.1



[yocto] [meta-selinux][RFC 2/8] audit: logging: getty: audit related allow rules

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rules for audit.log file & resolve dependent avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...t-logging-getty-audit-related-allow-rules.patch | 66 ++
 .../refpolicy/refpolicy_2.20151208.inc |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch
new file mode 100644
index 000..e0c0132
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch
@@ -0,0 +1,66 @@
+From 674a1c03a08bae583e1a50acd48489dd2d4f3f33 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 17:44:13 +0530
+Subject: [PATCH 2/6] audit: logging: getty: audit related allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc:  denied  { getattr } for  pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc:  denied  { open } for  pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/getty.te   | 3 +++
+ policy/modules/system/logging.te | 8 
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index f6743ea..84eaf77 100644
+--- a/policy/modules/system/getty.te
 b/policy/modules/system/getty.te
+@@ -139,3 +139,6 @@ optional_policy(`
+ optional_policy(`
+   udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
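Review bot: `allow getty_t tmpfs_t:file { open write lock };` answers the agetty denial on /var/volatile/log/wtmp labelled tmpfs_t; wtmp has its own type in refpolicy (wtmp_t) and getty already has access to it, so the tmpfs-backed /var/volatile/log needs the right file contexts applied at boot rather than getty_t gaining write on every tmpfs_t file on the system.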
+diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
+index 9b18aad..fdf86ef 100644
+--- a/policy/modules/system/logging.te
 b/policy/modules/system/logging.te
+@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket 
create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+ 
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -569,3 +570,10 @@ optional_policy(`
+   # log to the xconsole
+   xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
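Review bot: `search` is listed twice in `allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };`. The larger point is that the audit log ends up in a generically labelled tmpfs_t file: refpolicy labels /var/log/audit as auditd_log_t and auditd_t already manages that type, so relabelling the volatile log directory (the same root cause as the getty and login hunks in this series) fixes it without letting auditd create, setattr and append to arbitrary tmpfs_t files. The hunk also leaves logging.te without a trailing newline, which patch 3/8 then has to repair.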
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 861bfdc..4d07e62 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -63,6 +63,7 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 
'systemd', ' ${SYSTEMD_REFPO
 
 SYSTEMD_REFPOLICY_PATCHES = "\
file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
+   file://0002-audit-logging-getty-audit-related-allow-rules.patch \
 "
 
 
-- 
1.9.1



[yocto] [meta-selinux][RFC 3/8] systemd: mount: logging: authlogin: add allow rules

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

add allow rules for avc denials for systemd, mount, logging & authlogin
modules. Without this change we are getting avc denials from these
modules.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...d-mount-logging-authlogin-add-allow-rules.patch | 92 ++
 .../refpolicy/refpolicy_2.20151208.inc |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
new file mode 100644
index 000..8e330ce
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
@@ -0,0 +1,92 @@
+From 9a9490491e6d4c30249033c84c21634dac988b06 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 18:10:28 +0530
+Subject: [PATCH 3/6] systemd: mount: logging: authlogin: add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te   | 6 ++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
+index f80dfcb..5fab54a 100644
+--- a/policy/modules/system/authlogin.te
 b/policy/modules/system/authlogin.te
+@@ -464,3 +464,5 @@ optional_policy(`
+   samba_read_var_files(nsswitch_domain)
+   samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
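Review bot: `allow chkpwd_t proc_t:filesystem getattr;` should go through the kernel module's interface for this access, kernel_getattr_proc(chkpwd_t), rather than referencing proc_t directly from authlogin.te; the same applies to the identical raw rules for mount_t and systemd_tmpfiles_t later in this patch.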
+diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
+index fdf86ef..107db03 100644
+--- a/policy/modules/system/logging.te
 b/policy/modules/system/logging.te
+@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open 
read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 1c2fc33..b699309 100644
+--- a/policy/modules/system/mount.te
 b/policy/modules/system/mount.te
+@@ -229,3 +229,6 @@ optional_policy(`
+   files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+   unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
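Review bot: `allow mount_t initrc_t:udp_socket { read write };` answers a denial on an inherited `socket:[9717]` descriptor; mount has no use for a UDP socket leaked from its initrc_t parent, so the usual refpolicy answer is a dontaudit (init_dontaudit_use_fds(mount_t) plus a dontaudit on the socket class) or closing the descriptor in the launcher, not granting read and write on it.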
+diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
+index fdb9fef..734d455 100644
+--- a/policy/modules/system/systemd.te
 b/policy/modules/system/systemd.te
+@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+   files_relabel_non_security_dirs(systemd_tmpfiles_t)
+   files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
++
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++allow systemd_tmpfiles_t sel

[yocto] [meta-selinux][RFC 1/8] systemd:unconfined:lib: add systemd services allow rules

2016-07-29 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.

without this change we are getting avc denials and access denied when performing
operations on service files.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...onfined-lib-add-systemd-services-allow-ru.patch | 123 +
 .../refpolicy/refpolicy_2.20151208.inc |   9 ++
 2 files changed, 132 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch
new file mode 100644
index 000..2b09e1c
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch
@@ -0,0 +1,123 @@
+From 0bd77bedc3edab3703738f018cf76c70c8026a16 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 16:58:59 +0530
+Subject: [PATCH 1/6] systemd:unconfined:lib: add systemd services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te   |  6 +-
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if| 40 +
+ policy/modules/system/unconfined.te |  6 ++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d710fb0..f9d7114 100644
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -1100,4 +1100,8 @@ optional_policy(`
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
++allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te
+index 0f5cd56..df98fe9 100644
+--- a/policy/modules/system/libraries.te
 b/policy/modules/system/libraries.te
+@@ -144,3 +144,6 @@ optional_policy(`
+ optional_policy(`
+   unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
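Review bot: `systemd_service_lib_function(lib_t)` grants service start on every lib_t file because the quoted denial shows /lib/systemd/system/selinux-init.service labelled lib_t; refpolicy gives unit files their own types (power_unit_t in the systemd.if context below is one of them), so the correct fix is a file context for the /lib/systemd/system unit directory in systemd.fc, after which the existing unit interfaces apply and no library-wide rule is needed.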
+diff --git a/policy/modules/system/systemd.if 
b/policy/modules/system/systemd.if
+index 3cd6670..822c03d 100644
+--- a/policy/modules/system/systemd.if
 b/policy/modules/system/systemd.if
+@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
+ 
+   allow $1 power_unit_t:service start;
+ ')
++
++
++
++## 
++## Allow specified domain to start stop reset systemd service
++## 
++## 
++## 
++## Domain to not audit.
++## 
++## 
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++   class service { start status stop };
++ ')
++
++  allow $1 lib_t:service { start status stop };
++
++')
++
++
++
++## 
++## Allow init domain to start lib domain service
++## 
++## 
++## 
++## Domain to not audit.
++## 
++## 
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++   class service start;
++ ')
++
++  allow initrc_t $1:service start;
++
++')
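Review bot: systemd_service_file_operations takes $1 as the calling domain but hardcodes lib_t as the target without declaring `type lib_t;` in its gen_require, and systemd_service_lib_function hardcodes initrc_t as the subject while treating $1 as the target, so neither does what its name or doc block suggests; both doc blocks also read "Domain to not audit.", copied from a dontaudit interface. The extra blank `+` lines before each block and inside the bodies do not match the spacing of systemd_start_power_units above.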
+diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
+index 99cab31..87a1b03 100644
+--- a/policy/modules/system/unconfined.te
 b/policy/modules/system/unconfined.te
+@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+   unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: 

[yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208

2016-07-01 Thread Shrikant Bobade
Hi,

Using refpolicy-minimum v20151208 with systemd as init manager,

I am facing a few issues in enforcing mode:
1. systemd service status check, start & stop
2. auditd logfile error, so it is mixing with the boot log.
3. also other avc denials related to tmpfs & other types etc.


Setup details: poky and meta-selinux, both at master head, with systemd enabled
and these SELinux booleans enabled: i. systemd_tmpfiles_manage_all
ii. allow_mount_anyfile

captured the avc denial to fix the systemd execution well, attached
SELinux-Modules.txt :- the allow rules generated using audit tools.
I am trying to merge these module into actual refpolicy modules, so we get
the out of box experience for smooth systemd execution.
Observed policy store seems corrupted some time, when start inserting the
prepared policy modules allow rules into actual refpolicy modules..

Does anyone also faced similar issues?

Any pointers or references will be a great help.


Thanks
Shrikant
# SELinux Modules 



require {
type unconfined_t;
type init_t;
class system reload;
}

#= unconfined_t ==
allow unconfined_t init_t:system reload;

##

require {
type tmpfs_t;
type auditd_t;
class file create;
}

#= auditd_t ==
allow auditd_t tmpfs_t:file create;

##

require {
type tmpfs_t;
type auditd_t;
class file { open read };
}

#= auditd_t ==
allow auditd_t tmpfs_t:file { open read };

##

require {
type tmpfs_t;
type auditd_t;
class file append;
}

#= auditd_t ==
allow auditd_t tmpfs_t:file append;

##

require {
type tmpfs_t;
type auditd_t;
class file getattr;
}

#= auditd_t ==
allow auditd_t tmpfs_t:file getattr;

##

require {
type tmpfs_t;
type auditd_t;
class file setattr;
}

#= auditd_t ==
allow auditd_t tmpfs_t:file setattr;


require {
type tmpfs_t;
type auditd_t;
class dir open;
}

#= auditd_t ==
allow auditd_t tmpfs_t:dir open;

##

require {
type tmpfs_t;
type auditd_t;
class dir read;
}

#= auditd_t ==
allow auditd_t tmpfs_t:dir read;

##

require {
type tmpfs_t;
type auditd_t;
class dir open;
}

#= auditd_t ==
allow auditd_t tmpfs_t:dir open;



require {
type tmpfs_t;
type initrc_t;
type auditd_t;
class unix_dgram_socket sendto;
class dir search;
}

#= auditd_t ==
allow auditd_t initrc_t:unix_dgram_socket sendto;
allow auditd_t tmpfs_t:dir search;


require {
type tmpfs_t;
type auditd_t;
class dir add_name;
}

#= auditd_t ==
allow auditd_t tmpfs_t:dir add_name;


##

require {
type tmpfs_t;
type auditd_t;
class dir write;
}

#= auditd_t ==
allow auditd_t tmpfs_t:dir write;

##

require {
type var_run_t;
type init_t;
type syslogd_t;
type systemd_tmpfiles_t;
type initrc_t;
type klogd_t;
type chkpwd_t;
type local_login_t;
type proc_t;
type getty_t;
type tmpfs_t;
type mount_t;
class capability2 audit_read;
class file read;
class filesystem getattr;
class unix_dgram_socket sendto;
class shm create;
class dir search;
}

#= chkpwd_t ==
allow chkpwd_t proc_t:filesystem getattr;

#= getty_t ==
allow getty_t tmpfs_t:dir search;

#= init_t ==
allow init_t self:capability2 audit_read;

#= klogd_t ==

# This avc is allowed in the current policy
allow klogd_t initrc_t:unix_dgram_socket sendto;

#= local_login_t ==
allow local_login_t var_run_t:file read;

#= mount_t ==
allow mount_t proc_t:filesystem getattr;

#= syslogd_t ==
allow syslogd_t self:shm create;

#= 
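The attachment above is audit2allow output, one require/allow fragment per denial, with the same (source, target, class) pair repeated many times (auditd_t on tmpfs_t:file appears six times). When folding such output into refpolicy modules the usual first step is to collapse those fragments so that every permission set is reviewed once per pair and a single require block is produced. The script below is an added example, written for this editor's pass and not part of the post or of meta-selinux; it parses allow lines in the attached format (the sample input is a constructed subset of the attachment) and renders the consolidated form.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the fragments attached to the post, in the
# shape audit2allow emits (require blocks interleaved with one-rule allows).
SAMPLE_FRAGMENTS = """
require {
    type tmpfs_t;
    type auditd_t;
    class file create;
}
allow auditd_t tmpfs_t:file create;

require {
    type tmpfs_t;
    type auditd_t;
    class file { open read };
}
allow auditd_t tmpfs_t:file { open read };

allow auditd_t tmpfs_t:file append;
allow auditd_t tmpfs_t:dir search;
allow auditd_t tmpfs_t:dir open;
allow auditd_t initrc_t:unix_dgram_socket sendto;
allow init_t self:capability2 audit_read;
allow klogd_t initrc_t:unix_dgram_socket sendto;
"""

# Matches "allow SRC TGT:CLASS perm;" and "allow SRC TGT:CLASS { p1 p2 };".
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[A-Za-z0-9_]+))\s*;"
)


def parse_allow_rules(text):
    """Return {(src, tgt, cls): set(perms)}, merging repeated pairs.

    The require blocks in the input are ignored on purpose: they are
    regenerated from the merged rules, which removes the duplicates."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        rules[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return dict(rules)


def format_perms(perms):
    """Single permission bare, several inside braces, always sorted."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules):
    """Emit one require block plus one allow line per (src, tgt, cls)."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.add(src)
        if tgt != "self":          # "self" is a keyword, not a type to require
            types.add(tgt)
        classes[cls].update(perms)  # require the union of perms per class
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for src in sorted({key[0] for key in rules}):
        lines.append(f"#============= {src} ==============")
        for key in sorted(k for k in rules if k[0] == src):
            s, tgt, cls = key
            lines.append(f"allow {s} {tgt}:{cls} {format_perms(rules[key])};")
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    print(render_module(parse_allow_rules(SAMPLE_FRAGMENTS)))
```

The consolidated output is a review aid, not something to load as-is: each merged line (for example auditd_t on tmpfs_t:file with append, create, open and read) is the unit you decide about when moving it into the corresponding refpolicy module, typically by replacing it with the existing interface that grants that access rather than a raw allow.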

[yocto] [meta-selinux][PATCH] eudev: add wildcard version

2016-06-15 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

The eudev version in poky was updated from v3.1.5 to v3.2, so move the bbappend
to a wildcard version in order to fix the parsing error.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-core/eudev/eudev_%.bbappend | 3 +++
 recipes-core/eudev/eudev_3.1.5.bbappend | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 recipes-core/eudev/eudev_%.bbappend
 delete mode 100644 recipes-core/eudev/eudev_3.1.5.bbappend

diff --git a/recipes-core/eudev/eudev_%.bbappend 
b/recipes-core/eudev/eudev_%.bbappend
new file mode 100644
index 000..e1e7cd1
--- /dev/null
+++ b/recipes-core/eudev/eudev_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+inherit enable-selinux
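Review bot: FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" is carried over although this bbappend adds nothing to SRC_URI (the deleted 3.1.5 version did not either), so the extra search path is unused; drop the line unless a files/ directory is about to be referenced, in which case say so in the commit message.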
diff --git a/recipes-core/eudev/eudev_3.1.5.bbappend 
b/recipes-core/eudev/eudev_3.1.5.bbappend
deleted file mode 100644
index e1e7cd1..000
--- a/recipes-core/eudev/eudev_3.1.5.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-inherit enable-selinux
-- 
1.9.1

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-selinux][PATCH] packagegroup-selinux-policycoreutils: add policycoreutils-hll

2016-05-31 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

We need policycoreutils-hll to insert a custom policy module/package; without
it, semodule install fails with the error:

libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/
pp : No such file or directory
libsemanage.semanage_direct_commit: Failed to compile hll files into cil
files. (No such file or directory).
semodule:  Failed!

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git 
a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb 
b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
index 7f56d7c..b566134 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -33,5 +33,6 @@ RDEPENDS_${PN} = "\
policycoreutils-sestatus \
policycoreutils-setfiles \
policycoreutils-setsebool \
+   policycoreutils-hll \
system-config-selinux \
 "
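Review bot: the new entry is inserted between policycoreutils-setsebool and system-config-selinux, which breaks the alphabetical order the surrounding policycoreutils-* entries follow; place policycoreutils-hll ahead of policycoreutils-sestatus to keep the list sorted.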
-- 
1.9.1



[yocto] [meta-selinux][PATCH] iproute2: fix qa warning by using with-selinux

2016-05-31 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on
libselinux, but it isn't a build dependency, missing libselinux in DEPENDS
or PACKAGECONFIG? [build-deps]

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-connectivity/iproute2/iproute2_%.bbappend | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 recipes-connectivity/iproute2/iproute2_%.bbappend

diff --git a/recipes-connectivity/iproute2/iproute2_%.bbappend 
b/recipes-connectivity/iproute2/iproute2_%.bbappend
new file mode 100644
index 000..c1e8ed6
--- /dev/null
+++ b/recipes-connectivity/iproute2/iproute2_%.bbappend
@@ -0,0 +1 @@
+inherit with-selinux
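Review bot: the commit message quotes the build-deps QA warning but does not explain why with-selinux, rather than the enable-selinux class the layer's other bbappends on this page (eudev, libpam) inherit, is the appropriate fix for iproute2; one sentence on the difference between the two classes and on why an unconditional dependency is wanted here would save the next reader from guessing.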
-- 
1.9.1



[yocto] [meta-selinux][PATCH] libselinux_git: fix warnings of unavailable patches

2016-05-26 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

Drop the unavailable patch entries to fix the warning; even though we are using
libselinux v2.5, these warnings pop up during recipe parsing.

WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI
entry libselinux-get-pywrap-depends-on-selinux.py.patch: file could not be
found
WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI
entry libselinux-mount-procfs-before-check.patch: file could not be found

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/selinux/libselinux_git.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/recipes-security/selinux/libselinux_git.bb 
b/recipes-security/selinux/libselinux_git.bb
index 20b5534..d2e4a32 100644
--- a/recipes-security/selinux/libselinux_git.bb
+++ b/recipes-security/selinux/libselinux_git.bb
@@ -11,7 +11,5 @@ SRC_URI += "\
file://libselinux-make-O_CLOEXEC-optional.patch \
file://libselinux-make-SOCK_CLOEXEC-optional.patch \
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
-   file://libselinux-get-pywrap-depends-on-selinux.py.patch \
file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
-   file://libselinux-mount-procfs-before-check.patch \
"
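Review bot: removing the two SRC_URI entries silences the parse warning, but it leaves open whether the fixes those patches carried (pywrap depending on selinux.py, mounting procfs before the check) are present in libselinux 2.5 upstream or were simply lost when the files were deleted; the commit message should state which is the case, ideally with the upstream reference, because otherwise a behavioural regression would be indistinguishable from a cleanup.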
-- 
1.9.1



[yocto] [meta-selinux][PATCH] refpolicy-minimum_git: add systemd dependent policy modules

2016-05-26 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

With systemd enabled, the refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules (clock, systemd, udev)
conditionally based on DISTRO_FEATURES.

The dependent systemd policy modules are needed to fix these errors:

* Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of
.. modules/100/init/cil

* Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at
line 141 of.. moules/100/init/cil

* Failed to resolve 'udev_t' in typeattributeset statement at line 143 of
modules/100/init/cil semodule:  Failed!

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/refpolicy/refpolicy-minimum_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb 
b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 47ed558..04ceadd 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -17,6 +17,8 @@ CORE_POLICY_MODULES = "unconfined \
application libraries miscfiles logging userdomain \
init mount modutils getty authlogin locallogin \
"
+#systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 
'clock systemd udev', '', d)}"
 
 # nscd caches libc-issued requests to the name service.
 # Without nscd.pp, commands want to use these caches will be blocked.
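Review bot: the added CORE_POLICY_MODULES += line is split after 'systemd', in this copy; if that newline is in the patch rather than introduced by the mail client, BitBake will see an unterminated inline Python expression and fail to parse the recipe, so please confirm the original is a single line (git send-email avoids the wrapping). Minor: "#systemd dependent policy modules" lacks the space after # that the existing comments in the context ("# nscd caches ...") use.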
-- 
1.9.1



[yocto] [meta-selinux][PATCH 2/2] refpolicy-minimum_2.20151208: add systemd dependent policy modules

2016-05-25 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

With systemd enabled, the refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules (clock, systemd, udev)
conditionally based on DISTRO_FEATURES.

The dependent systemd policy modules are needed to fix these errors:

* Failed to resolve 'adjtime_t' in typeattributeset statement at line 138 of
 .. modules/100/init/cil

* Failed to resolve 'systemd_kmod_conf_t' in typeattributeset statement at
line 141 of.. moules/100/init/cil

* Failed to resolve 'udev_t' in typeattributeset statement at line 143 of
modules/100/init/cil semodule:  Failed!

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 47ed558..04ceadd 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -17,6 +17,8 @@ CORE_POLICY_MODULES = "unconfined \
application libraries miscfiles logging userdomain \
init mount modutils getty authlogin locallogin \
"
+#systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 
'clock systemd udev', '', d)}"
 
 # nscd caches libc-issued requests to the name service.
 # Without nscd.pp, commands want to use these caches will be blocked.
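Review bot: this hunk is identical to the one applied to refpolicy-minimum_git.bb, down to the wrapped CORE_POLICY_MODULES += line (same caution: make sure it is one line in the actual patch); since both minimum recipes carry the same module list and the same systemd conditional, consider moving that list into a shared include for the minimum variant so the two copies cannot drift apart.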
-- 
1.9.1



[yocto] [meta-selinux][PATCH 1/2] refpolicy_common.inc: enable conditional systemd support

2016-05-25 Thread Shrikant Bobade
From: Shrikant Bobade <shrikant_bob...@mentor.com>

refpolicy has now introduced systemd support via the POLICY_SYSTEMD variable;
with a systemd-enabled setup we need refpolicy built with systemd support, so
enable it based on DISTRO_FEATURES.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 recipes-security/refpolicy/refpolicy_common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index 6112c28..1d3b93f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -40,7 +40,7 @@ POLICY_DISTRO ?= "redhat"
 POLICY_UBAC ?= "n"
 POLICY_UNK_PERMS ?= "allow"
 POLICY_DIRECT_INITRC ?= "n"
-POLICY_SYSTEMD ?= "n"
+POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 
'n', d)}"
 POLICY_MONOLITHIC ?= "n"
 POLICY_CUSTOM_BUILDOPT ?= ""
 POLICY_QUIET ?= "y"
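Review bot: the new POLICY_SYSTEMD default is also wrapped after 'y', in this copy; confirm the patch carries it on one line or the .inc will not parse. Keeping ?= is the right choice, since a distro config can still pin POLICY_SYSTEMD explicitly, but the commit message should note that every refpolicy variant's build now varies with DISTRO_FEATURES and that 'n' remains the default when systemd is absent.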
-- 
1.9.1



Re: [yocto] [meta-selinux] Jethro branch

2016-03-02 Thread Shrikant Bobade
Checked the jethro branch: the image boots successfully, the policy loads well and
labels the file system. Thanks!
Used distro: poky-selinux and image: core-image-selinux

meta-yocto-bsp= "branch_jethro:b1f23d1254682866236bfaeb843c0d8aa332efc2"
meta-selinux  = "branch_jethro:4c75d9cbcf1d75043c7c5ab315aa383d9b227510"


Thanks
Shrikant


On Wed, Mar 2, 2016 at 11:31 AM, Philip Tricca  wrote:

> On 03/01/2016 08:20 PM, Philip Tricca wrote:
> > Hey all,
> >
> > meta-selinux has been tracking release branches for a while but we're
> > missing a Jethro. I've had a Jethro branch on my github fork for a bit.
> > It's pointing at 4c75d9cbc from master with no additional changes. Both
> > images build, boot, login and pass the basic smoke test. Seems like this
> > may be useful to others so I'll put it up in the yocto repo as well.
>
> I've just pushed this branch. I've tested all 3 kernels in both images
> for basic boot / smoke tests. The root user can login and the shell ends
> up in the right context. The filesystem is labeled properly. Please post
> issues and patches to the list.
>
> Philip
>


Re: [yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config

2015-08-14 Thread Shrikant Bobade
Hi,

observed: WARNING: QA Issue: audit: configure was passed unrecognised
options: --with-armeb [unknown-configure-option]
on core-image-selinux (poky-selinux distro)

build tag:
Build Configuration:
BB_VERSION= 1.27.1
BUILD_SYS = x86_64-linux
NATIVELSBSTRING   = Ubuntu-12.04
TARGET_SYS= arm-poky-linux-gnueabi
MACHINE   = qemuarm
DISTRO= poky-selinux
DISTRO_VERSION= 1.8+snapshot-20150814
TUNE_FEATURES = arm armv5 thumb dsp
TARGET_FPU= soft
meta
meta-yocto
meta-yocto-bsp= master:a533776d6ff83b6e3e830137455b8382d002768b
meta-selinux  = master:684ee9401f33db7c9d5b183988d89c688c9dd0be


Thanks
Shrikant

On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:

 From: Shrikant Bobade shrikant_bob...@mentor.com

 remove --with-armeb=yes to fix the configure
 unrecognised option qa warning.

 Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
  recipes-security/audit/audit_2.4.3.bb |1 -
  1 file changed, 1 deletion(-)

 diff --git a/recipes-security/audit/audit_2.4.3.bb
 b/recipes-security/audit/audit_2.4.3.bb
 index 8f125c0..31f4b03 100644
 --- a/recipes-security/audit/audit_2.4.3.bb
 +++ b/recipes-security/audit/audit_2.4.3.bb
 @@ -41,7 +41,6 @@ EXTRA_OECONF += --without-prelude \
  --without-python3 \
  --disable-zos-remote \
 
 -EXTRA_OECONF_append_arm =  --with-armeb=yes

  EXTRA_OEMAKE += PYLIBVER='python${PYTHON_BASEVERSION}' \
 PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
 --
 1.7.9.5




[yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config

2015-08-14 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

remove --with-armeb=yes to fix the configure
unrecognised option qa warning.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-security/audit/audit_2.4.3.bb |1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-security/audit/audit_2.4.3.bb 
b/recipes-security/audit/audit_2.4.3.bb
index 8f125c0..31f4b03 100644
--- a/recipes-security/audit/audit_2.4.3.bb
+++ b/recipes-security/audit/audit_2.4.3.bb
@@ -41,7 +41,6 @@ EXTRA_OECONF += --without-prelude \
 --without-python3 \
 --disable-zos-remote \

-EXTRA_OECONF_append_arm =  --with-armeb=yes
 
 EXTRA_OEMAKE += PYLIBVER='python${PYTHON_BASEVERSION}' \
PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
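Review bot: deleting EXTRA_OECONF_append_arm makes the unknown-configure-option warning go away, but it also drops the ARM-specific configure hint altogether; as the follow-up on this thread points out, the option was renamed in audit 2.4.3 (--with-arm), so the fix is to use the new name rather than remove the line.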
-- 
1.7.9.5



Re: [yocto] [meta-selinux][PATCH] audit: fix qa warning of unrecognised config

2015-08-14 Thread Shrikant Bobade
On Fri, Aug 14, 2015 at 2:29 PM, Khem Raj raj.k...@gmail.com wrote:

 On Fri, Aug 14, 2015 at 1:53 AM, Shrikant Bobade
 bobadeshrik...@gmail.com wrote:
  Hi,
 
  observed: WARNING: QA Issue: audit: configure was passed unrecognised
  options: --with-armeb [unknown-configure-option]
  on core-image-selinux (poky-selinux distro)
 
  build tag:
  Build Configuration:
  BB_VERSION= 1.27.1
  BUILD_SYS = x86_64-linux
  NATIVELSBSTRING   = Ubuntu-12.04
  TARGET_SYS= arm-poky-linux-gnueabi
  MACHINE   = qemuarm
  DISTRO= poky-selinux
  DISTRO_VERSION= 1.8+snapshot-20150814
  TUNE_FEATURES = arm armv5 thumb dsp
  TARGET_FPU= soft
  meta
  meta-yocto
  meta-yocto-bsp= master:a533776d6ff83b6e3e830137455b8382d002768b
  meta-selinux  = master:684ee9401f33db7c9d5b183988d89c688c9dd0be
 
 
  Thanks
  Shrikant
 
  On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade 
 bobadeshrik...@gmail.com
  wrote:
 
  From: Shrikant Bobade shrikant_bob...@mentor.com
 
  remove --with-armeb=yes to fix the configure
  unrecognised option qa warning.
 
  Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
  ---
   recipes-security/audit/audit_2.4.3.bb |1 -
   1 file changed, 1 deletion(-)
 
  diff --git a/recipes-security/audit/audit_2.4.3.bb
  b/recipes-security/audit/audit_2.4.3.bb
  index 8f125c0..31f4b03 100644
  --- a/recipes-security/audit/audit_2.4.3.bb
  +++ b/recipes-security/audit/audit_2.4.3.bb
  @@ -41,7 +41,6 @@ EXTRA_OECONF += --without-prelude \
   --without-python3 \
   --disable-zos-remote \
  
  -EXTRA_OECONF_append_arm =  --with-armeb=yes

 this is not right fix because the option has been renamed so you
 should change it to

 EXTRA_OECONF_append_arm =  --with-arm=yes

 and while you are at it also add

 EXTRA_OECONF_append_aarch64 =  --with-aarch64=yes


Thanks, I will update the patch and will re-send it.

Thanks
Shrikant


[yocto] [meta-selinux][PATCH v2] audit: fix qa warning, update config option

2015-08-14 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

update config option '--with-armeb' to '--with-arm'
for audit qa warning fix.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-security/audit/audit_2.4.3.bb |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/audit/audit_2.4.3.bb 
b/recipes-security/audit/audit_2.4.3.bb
index 8f125c0..869713a 100644
--- a/recipes-security/audit/audit_2.4.3.bb
+++ b/recipes-security/audit/audit_2.4.3.bb
@@ -41,7 +41,7 @@ EXTRA_OECONF += --without-prelude \
 --without-python3 \
 --disable-zos-remote \

-EXTRA_OECONF_append_arm =  --with-armeb=yes
+EXTRA_OECONF_append_arm =  --with-arm=yes
 
 EXTRA_OEMAKE += PYLIBVER='python${PYTHON_BASEVERSION}' \
PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
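Review bot: v2 renames the arm option as requested in the v1 review, but the aarch64 counterpart that the same review asked for (EXTRA_OECONF_append_aarch64 = --with-aarch64=yes) is still missing; either add it here or state in the commit message why it was left out.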
-- 
1.7.9.5



Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup

2015-08-11 Thread Shrikant Bobade
Hi Philip,


On Tue, Aug 11, 2015 at 10:39 AM, Philip Tricca fl...@twobit.us wrote:

 Hey Shrikant,

 On 07/30/2015 02:31 AM, Shrikant Bobade wrote:
  This patch provides a green build for core-image-selinux
  (meta-selinux:master and poky:master) against the libpam upgrade from 1.1.6 to
  1.2.1; the image boots fine, but I am unable to log in at the target. I have
  prepared the build for qemuarm; is anyone else facing a similar issue? Please advise.
 
  Observed that the login issue appears even with selinux support disabled
  (selinux=0).

 I just tested this again after Joe merged the commits from the backlog.
 I'm no longer able to reproduce the failed login. Are you still having
 login problems?


I also got similar results:
With the check on the latest bits, the login issue is not reproducible on
core-image-selinux (with the poky-selinux distro).
I can now log in properly.


Build Configuration:
BB_VERSION= 1.27.1
BUILD_SYS = x86_64-linux
NATIVELSBSTRING   = Ubuntu-12.04
TARGET_SYS= arm-poky-linux-gnueabi
MACHINE   = qemuarm
DISTRO= poky-selinux
DISTRO_VERSION= 1.8+snapshot-20150811
TUNE_FEATURES = arm armv5 thumb dsp
TARGET_FPU= soft
meta
meta-yocto
meta-yocto-bsp= master:a16e0b4014173af46ef80d643bb71055219b0dab
meta-selinux  = master:684ee9401f33db7c9d5b183988d89c688c9dd0be

Thanks!
Shrikant



 Philip

  On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade
  bobadeshrik...@gmail.com mailto:bobadeshrik...@gmail.com wrote:
 
  From: Shrikant Bobade shrikant_bob...@mentor.com
  mailto:shrikant_bob...@mentor.com
 
  use wildcard for version: adopting libpam upgrade from 1.1.6 to
 1.2.1,
  cleanup older recipe and remove patch
 sepermit-add-DESTDIR-prefix.patch
  since the changes already available with latest source.
 
  Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
  mailto:shrikant_bob...@mentor.com
  ---
   .../pam/libpam/sepermit-add-DESTDIR-prefix.patch   |   31
  
   recipes-extended/pam/libpam_%.bbappend |3 ++
   recipes-extended/pam/libpam_1.1.6.bbappend |   10 ---
   3 files changed, 3 insertions(+), 41 deletions(-)
   delete mode 100644
  recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
   create mode 100644 recipes-extended/pam/libpam_%.bbappend
   delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend
 
  diff --git
  a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
  b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
  deleted file mode 100644
  index d48d386..000
  --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
  +++ /dev/null
  @@ -1,31 +0,0 @@
  -Subject: [PATCH] libpam: add missing DESTDIR prefix
  -
  -The DESTDIR prefix is missing, this will cause build failures for
  -mkdir /var/run/sepermit on the host.
  -
  -| mkdir -p /var/run/sepermit
  -| mkdir: cannot create directory `/var/run/sepermit': Permission
 denied
  -
  -Upstream-Status: Pending
  -
  -Signed-off-by: Xin Ouyang xin.ouy...@windriver.com
  mailto:xin.ouy...@windriver.com
  
  - modules/pam_sepermit/Makefile.am |2 +-
  - 1 files changed, 1 insertions(+), 1 deletions(-)
  -
  -diff --git a/modules/pam_sepermit/Makefile.am
  b/modules/pam_sepermit/Makefile.am
  -index cfc5594..bc82275 100644
   a/modules/pam_sepermit/Makefile.am
  -+++ b/modules/pam_sepermit/Makefile.am
  -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
  -   securelib_LTLIBRARIES = pam_sepermit.la http://pam_sepermit.la
  -
  - install-data-local:
  --  mkdir -p $(sepermitlockdir)
  -+  mkdir -p $(DESTDIR)$(sepermitlockdir)
  - endif
  - if ENABLE_REGENERATE_MAN
  - noinst_DATA = README pam_sepermit.8 sepermit.conf.5
  ---
  -1.7.5.4
  -
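Review bot: the patch being deleted still carried Upstream-Status: Pending, so the commit message's claim that the DESTDIR prefix fix "is already available with latest source" should be backed by the upstream commit or a pointer to the changed modules/pam_sepermit/Makefile.am in 1.2.1; otherwise a reader cannot tell a merged fix from a silently dropped one.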
  diff --git a/recipes-extended/pam/libpam_%.bbappend
  b/recipes-extended/pam/libpam_%.bbappend
  new file mode 100644
  index 000..adcf938
  --- /dev/null
  +++ b/recipes-extended/pam/libpam_%.bbappend
  @@ -0,0 +1,3 @@
  +inherit enable-selinux
  +
  +RDEPENDS_${PN}-runtime += ${@target_selinux(d,
 'pam-plugin-selinux')}
  diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend
  b/recipes-extended/pam/libpam_1.1.6.bbappend
  deleted file mode 100644
  index 71acecc..000
  --- a/recipes-extended/pam/libpam_1.1.6.bbappend
  +++ /dev/null
  @@ -1,10 +0,0 @@
  -#FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
  -FILESPATH_append := :${@base_set_filespath(['${THISDIR}/${PN}'],
 d)}
  -
  -SRC_URI += file://sepermit-add-DESTDIR-prefix.patch
  -
  -PR .= .4
  -
  -inherit enable-selinux
  -
  -RDEPENDS_${PN}-runtime += ${@target_selinux(d,
 'pam-plugin-selinux')}
  --
  1.7.9.5

[yocto] [meta-selinux][PATCH 1/8] refpolicy git: update refpolicy to git repository

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A straight update from refpolicy 2.20140311 to refpolicy git
repository for the core policy variants and forward-porting
of policy patches as appropriate.

This approach is useful for building refpolicy and refpolicy-contrib
directly from the git repos, rather than release tarballs.
It helps to check the refpolicy based on source commits by just
updating the git repo rev. as appropriate in refpolicy_git.inc

ref: https://github.com/TresysTechnology/refpolicy/wiki

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch   |   39 
 .../refpolicy/refpolicy-git/poky-fc-clock.patch|   22 ++
 .../refpolicy-git/poky-fc-corecommands.patch   |   24 ++
 .../refpolicy/refpolicy-git/poky-fc-dmesg.patch|   20 ++
 .../refpolicy/refpolicy-git/poky-fc-fix-bind.patch |   30 +++
 .../poky-fc-fix-real-path_login.patch  |   37 
 .../poky-fc-fix-real-path_resolv.conf.patch|   24 ++
 .../poky-fc-fix-real-path_shadow.patch |   34 +++
 .../refpolicy-git/poky-fc-fix-real-path_su.patch   |   25 +++
 .../refpolicy/refpolicy-git/poky-fc-fstools.patch  |   65 ++
 .../refpolicy-git/poky-fc-ftpwho-dir.patch |   27 +++
 .../refpolicy/refpolicy-git/poky-fc-iptables.patch |   24 ++
 .../refpolicy/refpolicy-git/poky-fc-mta.patch  |   27 +++
 .../refpolicy/refpolicy-git/poky-fc-netutils.patch |   24 ++
 .../refpolicy/refpolicy-git/poky-fc-nscd.patch |   27 +++
 .../refpolicy/refpolicy-git/poky-fc-rpm.patch  |   25 +++
 .../refpolicy/refpolicy-git/poky-fc-screen.patch   |   27 +++
 .../refpolicy/refpolicy-git/poky-fc-ssh.patch  |   24 ++
 .../refpolicy/refpolicy-git/poky-fc-su.patch   |   23 ++
 .../refpolicy-git/poky-fc-subs_dist.patch  |   29 +++
 .../refpolicy-git/poky-fc-sysnetwork.patch |   41 
 .../refpolicy/refpolicy-git/poky-fc-udevd.patch|   35 +++
 .../poky-fc-update-alternatives_hostname.patch |   23 ++
 .../poky-fc-update-alternatives_sysklogd.patch |   59 +
 .../poky-fc-update-alternatives_sysvinit.patch |   53 +
 ...poky-policy-add-rules-for-bsdpty_device_t.patch |  121 +++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
 .../poky-policy-add-rules-for-tmp-symlink.patch|   99 +
 ...ky-policy-add-rules-for-var-cache-symlink.patch |   34 +++
 ...licy-add-rules-for-var-log-symlink-apache.patch |   31 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
 ...poky-policy-add-rules-for-var-log-symlink.patch |  145 +
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |   31 +++
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |   58 +
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |   29 +++
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |   33 +++
 .../poky-policy-don-t-audit-tty_device_t.patch |   35 +++
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch|   37 
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch|  229 
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |   65 ++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |   31 +++
 ...ky-policy-fix-seutils-manage-config-files.patch |   43 
 .../refpolicy-update-for_systemd.patch |   46 
 recipes-security/refpolicy/refpolicy_git.inc   |   62 ++
 44 files changed, 1976 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-corecommands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-iptables.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc

[yocto] [meta-selinux][PATCH 3/8] refpolicy-targeted: update base refpolicy to git repo

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-targeted to use the
refpolicy from git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-targeted_git.bb|   20 
 1 file changed, 20 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_git.bb

diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb 
b/recipes-security/refpolicy/refpolicy-targeted_git.bb
new file mode 100644
index 000..b169604
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -0,0 +1,20 @@
+SUMMARY = SELinux targeted policy
+DESCRIPTION = \
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+
+
+FILESEXTRAPATHS_prepend := ${THISDIR}/refpolicy-${PV}:
+
+POLICY_NAME = targeted
+POLICY_TYPE = mcs
+POLICY_MLS_SENS = 0
+
+include refpolicy_${PV}.inc
+
+SRC_URI +=  \
+file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+file://refpolicy-unconfined_u-default-user.patch \
+   
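Review bot: FILESEXTRAPATHS_prepend points at refpolicy-${PV}, i.e. refpolicy-git/ for this recipe, and SRC_URI pulls refpolicy-fix-optional-issue-on-sysadm-module.patch and refpolicy-unconfined_u-default-user.patch from there, but neither file appears in the visible part of the 1/8 diffstat that populates refpolicy-git/; confirm they are added elsewhere in this series or reachable through another FILESPATH entry, otherwise do_fetch will fail for the targeted variant.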
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 4/8] refpolicy-mcs: update base refpolicy to git repo

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-mcs to use the
refpolicy from git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-security/refpolicy/refpolicy-mcs_git.bb |   11 +++
 1 file changed, 11 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-mcs_git.bb

diff --git a/recipes-security/refpolicy/refpolicy-mcs_git.bb 
b/recipes-security/refpolicy/refpolicy-mcs_git.bb
new file mode 100644
index 000..062727b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs_git.bb
@@ -0,0 +1,11 @@
+SUMMARY = MCS (Multi Category Security) variant of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+
+
+POLICY_TYPE = mcs
+
+include refpolicy_${PV}.inc
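Review bot: DESCRIPTION spells the project "SE Linux" (the mls recipe later in this series does the same) while the standard and targeted recipes write "SELinux"; use the one spelling throughout.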
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 6/8] refpolicy-standard: update base refpolicy to git repo

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-standard to use the
refpolicy from the git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-standard_git.bb|8 
 1 file changed, 8 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-standard_git.bb

diff --git a/recipes-security/refpolicy/refpolicy-standard_git.bb 
b/recipes-security/refpolicy/refpolicy-standard_git.bb
new file mode 100644
index 000..3674fdd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_git.bb
@@ -0,0 +1,8 @@
+SUMMARY = Standard variants of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SELinux built with type enforcement \
+only.
+
+POLICY_TYPE = standard
+
+include refpolicy_${PV}.inc
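Review bot: SUMMARY says "Standard variants of the SELinux policy" for a single variant; "Standard variant" matches the wording of the MCS and MLS recipes. As with the MCS recipe, this file is byte-for-byte the same as refpolicy-standard_2.20141203.bb (blob 3674fdd in both index lines), so a shared .inc pulled in with `require` would remove the duplication.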
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 5/8] refpolicy-mls: update base refpolicy to git repo

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-mls to use the
refpolicy from the git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-security/refpolicy/refpolicy-mls_git.bb |   10 ++
 1 file changed, 10 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-mls_git.bb

diff --git a/recipes-security/refpolicy/refpolicy-mls_git.bb 
b/recipes-security/refpolicy/refpolicy-mls_git.bb
new file mode 100644
index 000..7388232
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_git.bb
@@ -0,0 +1,10 @@
+SUMMARY = MLS (Multi Level Security) variant of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \Top Secret\ and preventing \
+such data from leaking to processes or files with lower classification. \
+
+
+POLICY_TYPE = mls
+
+include refpolicy_${PV}.inc
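Review bot: the DESCRIPTION line `It allows giving data labels such as \Top Secret\ and preventing` escapes the inner quotes with backslashes (the quotes themselves are lost in this rendering); please check the resulting package description does not end up containing literal backslashes, or use single quotes for the inner quoting. The file is otherwise identical to refpolicy-mls_2.20141203.bb (blob 7388232 in both), so the same shared-.inc comment as for the MCS and standard variants applies.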
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 8/8] README : update supported refpolicy version details

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

README updated with the supported refpolicy version
details and information on building refpolicy from the
git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 README |   15 +++
 1 file changed, 15 insertions(+)

diff --git a/README b/README
index 3fe8af4..afee84a 100644
--- a/README
+++ b/README
@@ -66,6 +66,21 @@ working with this layer, without the additional Poky meta 
data.  This
 approach may work, but is not generally tested by the maintainers.
 
 
+Using different versions of refpolicy
+-
+To prepare selinux enabled images using different ver. of refpolicy,
+we can choose supported releases of refpolicy
+refer to available versions under recipes-security/refpolicy
+
+We can use the refpolicy directly from git repository instead of release 
tarballs.
+By default refpolicy from git builds head commit of master branch, we can 
update
+SRCREV for refpolicy and refpolicy-contrib as appropriate at refpolicy_git.inc
+to check refpolicy as per required commits.
+
+* enable the preferred refpolicy-mls to local.conf or oe-selinux.conf
+e.g. REFERRED_VERSION_refpolicy-mls = 2.20140311
+
+
 License
 ---
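Review bot: the example in this hunk, `REFERRED_VERSION_refpolicy-mls = 2.20140311`, misspells the selector; BitBake's variable is PREFERRED_VERSION, and as written the line would be silently ignored because BitBake does not complain about unknown variables. The new section also never states the PREFERRED_VERSION value that picks refpolicy-mls_git.bb, which is the whole point of the text, so add that line next to the release example. On "By default refpolicy from git builds head commit of master branch": building an unpinned upstream HEAD makes the policy that lands in an image non-reproducible and means any change (or compromise) of the upstream branch flows straight into the next build, so the default SRCREV in refpolicy_git.inc should be a fixed commit, with the README telling users to bump it deliberately. Wording: spell out "ver.", end "refer to available versions under recipes-security/refpolicy" with a full stop, and "to check refpolicy as per required commits" should read "to check out refpolicy at the required commits".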
 
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 2/8] refpolicy git: rebase patches with code base

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

During the forward-port of these patches from refpolicy 20140311,
a rebase against the head of the refpolicy git repo's master
code base is required in order to resolve the patch conflicts.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-git/poky-fc-fstools.patch  |   49 +++-
 .../refpolicy-git/poky-fc-sysnetwork.patch |   27 ++-
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |   17 +++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |9 ++--
 .../refpolicy-update-for_systemd.patch |   49 +++-
 5 files changed, 74 insertions(+), 77 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch 
b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
index 38c96c4..9c45694 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -1,4 +1,4 @@
-From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001
+From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan wenzong@windriver.com
 Date: Mon, 27 Jan 2014 03:54:01 -0500
 Subject: [PATCH] refpolicy: fix real path for fstools
@@ -7,59 +7,64 @@ Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan wenzong@windriver.com
 Signed-off-by: Joe MacDonald joe_macdon...@mentor.com
+Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
- policy/modules/system/fstools.fc |   11 +++
- 1 file changed, 11 insertions(+)
+ policy/modules/system/fstools.fc |9 +
+ 1 file changed, 9 insertions(+)
 
+diff --git a/policy/modules/system/fstools.fc 
b/policy/modules/system/fstools.fc
+index d10368d..f22761a 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,6 +1,8 @@
  /sbin/badblocks   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid\.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blkid/.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blockdev--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev\.util-linux--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blockdev/.util-linux--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/cfdisk  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dosfsck --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dump--  gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,11 @@
+@@ -9,9 +11,12 @@
  /sbin/e4fsck  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e2label --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fdisk   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk\.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/fdisk/.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/findfs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fsck.*  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/hdparm  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm\.hdparm  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/hdparm/.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/install-mbr --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/jfs_.*  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/losetup.*   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +28,7 @@
+@@ -24,6 +29,7 @@
  /sbin/mkraid  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkswap  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap\.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/mkswap/.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/parted  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -34,6 +39,7 @@
+@@ -32,8 +38,10 @@
+ /sbin/reiserfs(ck|tune)   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/resize.*fs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/scsi_info   --  
gen_context(system_u:object_r:fsadm_exec_t,s0
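Review bot: the rebased file context entries in the second hunk look like a regression rather than a rebase. The old lines used `\.`, a literal dot, to match the update-alternatives names, e.g. `/sbin/blkid\.util-linux`, while the new lines use `/.`, as in `/sbin/blkid/.util-linux`, which in a file_contexts regex means a slash followed by any single character. None of the new patterns can match the real paths /sbin/blkid.util-linux, /sbin/blockdev.util-linux, /sbin/fdisk.util-linux and /sbin/mkswap.util-linux, so those binaries will not be labelled fsadm_exec_t and their callers will not transition into fsadm_t. The hdparm entry changed from `/sbin/hdparm\.hdparm` to `/sbin/hdparm/.util-linux`, which has the same problem plus the wrong alternative name, since hdparm is not provided by util-linux. Please restore the `\.` form and the hdparm.hdparm name, and verify on a target with `matchpathcon /sbin/blkid.util-linux` that the label comes out as fsadm_exec_t before merging.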

[yocto] [meta-selinux][PATCH 7/8] refpolicy-minimum: update base refpolicy to git repo

2015-08-03 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-minimum to use the
refpolicy from the git repository.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-minimum_git.bb |   48 
 1 file changed, 48 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_git.bb

diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb 
b/recipes-security/refpolicy/refpolicy-minimum_git.bb
new file mode 100644
index 000..b275821
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -0,0 +1,48 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = SELinux minimum policy
+DESCRIPTION = \
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+
+
+POLICY_NAME = minimum
+
+FILESEXTRAPATHS_prepend := 
${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:
+
+CORE_POLICY_MODULES = unconfined \
+   selinuxutil storage sysnetwork \
+   application libraries miscfiles logging userdomain \
+   init mount modutils getty authlogin locallogin \
+   
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += nscd
+
+# pam_mail module enables checking and display of mailbox status upon
+# login, so login process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += mta
+
+POLICY_MODULES_MIN = ${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+   oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+
+   # Prepare to create policy store
+   mkdir -p ${D}${sysconfdir}/selinux/
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+   touch 
${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
+   for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+   bzip2 -f $i  mv -f $i.bz2 $i
+   done
+   cp base.pp 
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+   for i in ${POLICY_MODULES_MIN}; do
+   cp ${i}.pp 
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+   done
+}
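Review bot: `include refpolicy-targeted_${PV}.bb` at the top of this file should be `require`; BitBake's include silently continues when the file is not found, so a rename of the targeted recipe would leave this one building without the targeted SRC_URI patches, POLICY_TYPE and POLICY_MLS_SENS, and nobody would notice until the policy misbehaved on the target. In prepare_policy_store, the line `bzip2 -f $i  mv -f $i.bz2 $i` as it appears here has no operator between the two commands; if the `&&` was merely lost in the mail archive ignore this, otherwise "mv", "-f" and the two paths become extra file operands to bzip2. `basename $i.pp` in the last loop is a no-op because ${POLICY_MODULES_MIN} holds bare module names, so `${i}.pp` is enough. Finally, this file is identical to refpolicy-minimum_2.20141203.bb (blob b275821 in both), so the module list and the store-preparation function belong in a shared .inc rather than two copies.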
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 2/7] refpolicy 20141203: rebase patches with code base

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

During the forward-port of these patches from refpolicy 20140311,
a rebase against the refpolicy 20141203 code base is required
in order to resolve the patch conflicts.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy-2.20141203/poky-fc-fstools.patch |   49 +++-
 .../refpolicy-2.20141203/poky-fc-sysnetwork.patch  |   27 ++-
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |   17 +++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |9 ++--
 .../refpolicy-update-for_systemd.patch |   49 +++-
 5 files changed, 73 insertions(+), 78 deletions(-)

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch 
b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
index 38c96c4..9c45694 100644
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
@@ -1,4 +1,4 @@
-From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001
+From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan wenzong@windriver.com
 Date: Mon, 27 Jan 2014 03:54:01 -0500
 Subject: [PATCH] refpolicy: fix real path for fstools
@@ -7,59 +7,64 @@ Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan wenzong@windriver.com
 Signed-off-by: Joe MacDonald joe_macdon...@mentor.com
+Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
- policy/modules/system/fstools.fc |   11 +++
- 1 file changed, 11 insertions(+)
+ policy/modules/system/fstools.fc |9 +
+ 1 file changed, 9 insertions(+)
 
+diff --git a/policy/modules/system/fstools.fc 
b/policy/modules/system/fstools.fc
+index d10368d..f22761a 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,6 +1,8 @@
  /sbin/badblocks   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid\.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blkid/.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blockdev--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev\.util-linux--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blockdev/.util-linux--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/cfdisk  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dosfsck --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dump--  gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,11 @@
+@@ -9,9 +11,12 @@
  /sbin/e4fsck  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e2label --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fdisk   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk\.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/fdisk/.util-linux   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/findfs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fsck.*  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/hdparm  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm\.hdparm  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/hdparm/.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/install-mbr --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/jfs_.*  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/losetup.*   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +28,7 @@
+@@ -24,6 +29,7 @@
  /sbin/mkraid  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkswap  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap\.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/mkswap/.util-linux  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/parted  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -34,6 +39,7 @@
+@@ -32,8 +38,10 @@
+ /sbin/reiserfs(ck|tune)   --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/resize.*fs  --  gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/scsi_info   --  
gen_context
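Review bot: the second hunk of this rebased fstools patch replaces the escaped dot in the update-alternatives entries with a slash: `/sbin/blkid\.util-linux` becomes `/sbin/blkid/.util-linux`, and likewise for blockdev, fdisk and mkswap. In a file_contexts regex `\.` matches the literal dot in the installed name /sbin/blkid.util-linux, whereas `/.` matches a slash plus any character, so after this change none of those binaries gets fsadm_exec_t and no domain transition into fsadm_t happens for them. The hdparm line additionally changes the alternative name from `hdparm\.hdparm` to `hdparm/.util-linux`, and hdparm is not part of util-linux. This diff has the same index line (38c96c4..9c45694) as the git-series rebase, so the fix is needed in both; keep the `\.` patterns and the hdparm.hdparm name, and check the labels with matchpathcon on a booted image.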

[yocto] [meta-selinux][PATCH 6/7] refpolicy-standard: update base refpolicy 20141203

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-standard to use the 20141203
base refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-standard_2.20141203.bb |8 
 1 file changed, 8 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20141203.bb

diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb 
b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
new file mode 100644
index 000..3674fdd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
@@ -0,0 +1,8 @@
+SUMMARY = Standard variants of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SELinux built with type enforcement \
+only.
+
+POLICY_TYPE = standard
+
+include refpolicy_${PV}.inc
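Review bot: SUMMARY reads "Standard variants of the SELinux policy" for one variant; use "Standard variant", as the MCS and MLS recipes do for theirs.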
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 1/7] refpolicy: update refpolicy to 20141203 release

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A straight update from refpolicy 2.20140311 to 2.20141203 for the core
policy variants and forward-porting of policy patches as appropriate.

ref: https://github.com/TresysTechnology/refpolicy/wiki

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch   |   39 
 .../refpolicy-2.20141203/poky-fc-clock.patch   |   22 ++
 .../poky-fc-corecommands.patch |   24 ++
 .../refpolicy-2.20141203/poky-fc-dmesg.patch   |   20 ++
 .../refpolicy-2.20141203/poky-fc-fix-bind.patch|   30 +++
 .../poky-fc-fix-real-path_login.patch  |   37 
 .../poky-fc-fix-real-path_resolv.conf.patch|   24 ++
 .../poky-fc-fix-real-path_shadow.patch |   34 +++
 .../poky-fc-fix-real-path_su.patch |   25 +++
 .../refpolicy-2.20141203/poky-fc-fstools.patch |   65 ++
 .../refpolicy-2.20141203/poky-fc-ftpwho-dir.patch  |   27 +++
 .../refpolicy-2.20141203/poky-fc-iptables.patch|   24 ++
 .../refpolicy-2.20141203/poky-fc-mta.patch |   27 +++
 .../refpolicy-2.20141203/poky-fc-netutils.patch|   24 ++
 .../refpolicy-2.20141203/poky-fc-nscd.patch|   27 +++
 .../refpolicy-2.20141203/poky-fc-rpm.patch |   25 +++
 .../refpolicy-2.20141203/poky-fc-screen.patch  |   27 +++
 .../refpolicy-2.20141203/poky-fc-ssh.patch |   24 ++
 .../refpolicy-2.20141203/poky-fc-su.patch  |   23 ++
 .../refpolicy-2.20141203/poky-fc-subs_dist.patch   |   29 +++
 .../refpolicy-2.20141203/poky-fc-sysnetwork.patch  |   41 
 .../refpolicy-2.20141203/poky-fc-udevd.patch   |   35 +++
 .../poky-fc-update-alternatives_hostname.patch |   23 ++
 .../poky-fc-update-alternatives_sysklogd.patch |   59 +
 .../poky-fc-update-alternatives_sysvinit.patch |   53 +
 ...poky-policy-add-rules-for-bsdpty_device_t.patch |  121 +++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
 .../poky-policy-add-rules-for-tmp-symlink.patch|   99 +
 ...ky-policy-add-rules-for-var-cache-symlink.patch |   34 +++
 ...licy-add-rules-for-var-log-symlink-apache.patch |   31 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
 ...poky-policy-add-rules-for-var-log-symlink.patch |  145 +
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |   31 +++
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |   58 +
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |   29 +++
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |   33 +++
 .../poky-policy-don-t-audit-tty_device_t.patch |   35 +++
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch|   37 
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch|  229 
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |   65 ++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |   31 +++
 ...ky-policy-fix-seutils-manage-config-files.patch |   43 
 .../refpolicy-update-for_systemd.patch |   46 
 .../refpolicy/refpolicy_2.20141203.inc |   60 +
 44 files changed, 1974 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
 create mode 100644 
recipes-security

[yocto] [meta-selinux][PATCH 4/7] refpolicy-mcs: update base refpolicy 20141203

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-mcs to use the 20141203
base refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-mcs_2.20141203.bb  |   11 +++
 1 file changed, 11 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb

diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb 
b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
new file mode 100644
index 000..062727b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
@@ -0,0 +1,11 @@
+SUMMARY = MCS (Multi Category Security) variant of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+
+
+POLICY_TYPE = mcs
+
+include refpolicy_${PV}.inc
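Review bot: the DESCRIPTION writes "SE Linux" where the rest of the layer writes "SELinux"; please normalise. Since refpolicy-targeted in patch 3/7 also builds with POLICY_TYPE = mcs, a sentence here on how refpolicy-mcs differs from refpolicy-targeted (it carries neither refpolicy-fix-optional-issue-on-sysadm-module.patch nor refpolicy-unconfined_u-default-user.patch, and does not set POLICY_MLS_SENS = 0) would help people choosing between the two.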
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 7/7] refpolicy-minimum: update base refpolicy 20141203

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-minimum to use the 20141203
base refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-minimum_2.20141203.bb  |   48 
 1 file changed, 48 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
new file mode 100644
index 000..b275821
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
@@ -0,0 +1,48 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = SELinux minimum policy
+DESCRIPTION = \
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+
+
+POLICY_NAME = minimum
+
+FILESEXTRAPATHS_prepend := 
${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:
+
+CORE_POLICY_MODULES = unconfined \
+   selinuxutil storage sysnetwork \
+   application libraries miscfiles logging userdomain \
+   init mount modutils getty authlogin locallogin \
+   
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += nscd
+
+# pam_mail module enables checking and display of mailbox status upon
+# login, so login process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += mta
+
+POLICY_MODULES_MIN = ${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+   oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+
+   # Prepare to create policy store
+   mkdir -p ${D}${sysconfdir}/selinux/
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+   mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+   touch 
${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
+   for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+   bzip2 -f $i  mv -f $i.bz2 $i
+   done
+   cp base.pp 
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+   for i in ${POLICY_MODULES_MIN}; do
+   cp ${i}.pp 
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+   done
+}
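Review bot: the first line, `include refpolicy-targeted_${PV}.bb`, should be `require` so that a missing or renamed targeted recipe fails the build instead of silently dropping the inherited SRC_URI patches, POLICY_TYPE and POLICY_MLS_SENS. In prepare_policy_store, `bzip2 -f $i  mv -f $i.bz2 $i` is shown here without an operator between the commands; if that is not an artifact of the archive, bzip2 will be handed "mv" and the two paths as extra operands. The `basename $i.pp` in the final loop adds nothing since ${POLICY_MODULES_MIN} holds bare module names. The whole file matches refpolicy-minimum_git.bb byte for byte (blob b275821), so consider a shared .inc for the module list and this function.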
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 5/7] refpolicy-mls: update base refpolicy 20141203

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-mls to use the 20141203
base refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-mls_2.20141203.bb  |   10 ++
 1 file changed, 10 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20141203.bb

diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb 
b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
new file mode 100644
index 000..7388232
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
@@ -0,0 +1,10 @@
+SUMMARY = MLS (Multi Level Security) variant of the SELinux policy
+DESCRIPTION = \
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \Top Secret\ and preventing \
+such data from leaking to processes or files with lower classification. \
+
+
+POLICY_TYPE = mls
+
+include refpolicy_${PV}.inc
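Review bot: the DESCRIPTION writes "SE Linux" rather than "SELinux", and the `\Top Secret\` fragment relies on backslash-escaped inner quotes; please check the generated package description for stray backslashes, or switch to single quotes for the inner quoting.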
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 3/7] refpolicy-targeted: update base refpolicy 20141203

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

A simple forward-port of refpolicy-targeted to use the 20141203
base refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy/refpolicy-targeted_2.20141203.bb |   20 
 1 file changed, 20 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb

diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb 
b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
new file mode 100644
index 000..b169604
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
@@ -0,0 +1,20 @@
+SUMMARY = SELinux targeted policy
+DESCRIPTION = \
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+
+
+FILESEXTRAPATHS_prepend := ${THISDIR}/refpolicy-${PV}:
+
+POLICY_NAME = targeted
+POLICY_TYPE = mcs
+POLICY_MLS_SENS = 0
+
+include refpolicy_${PV}.inc
+
+SRC_URI +=  \
+file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+file://refpolicy-unconfined_u-default-user.patch \
+   
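Review bot: "Users and admins will login in with unconfined_t domain" in the DESCRIPTION should read "will log in with the unconfined_t domain". The last SRC_URI entry `file://refpolicy-unconfined_u-default-user.patch \` is followed by a whitespace-only line, so please make sure the string is actually closed (quotes are stripped in this rendering). Since this variant is MCS with POLICY_MLS_SENS = 0 plus the two local patches, a line in the DESCRIPTION saying so would make the relationship to refpolicy-mcs clear.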
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

Use a wildcard for the version: adopt the libpam upgrade from 1.1.6 to 1.2.1,
clean up the older recipe and remove the patch sepermit-add-DESTDIR-prefix.patch,
since the changes are already available in the latest source.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../pam/libpam/sepermit-add-DESTDIR-prefix.patch   |   31 
 recipes-extended/pam/libpam_%.bbappend |3 ++
 recipes-extended/pam/libpam_1.1.6.bbappend |   10 ---
 3 files changed, 3 insertions(+), 41 deletions(-)
 delete mode 100644 
recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
 create mode 100644 recipes-extended/pam/libpam_%.bbappend
 delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend

diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch 
b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
deleted file mode 100644
index d48d386..000
--- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Subject: [PATCH] libpam: add missing DESTDIR prefix
-
-The DESTDIR prefix is missing, this will cause build failures for
-mkdir /var/run/sepermit on the host.
-
-| mkdir -p /var/run/sepermit
-| mkdir: cannot create directory `/var/run/sepermit': Permission denied
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang xin.ouy...@windriver.com

- modules/pam_sepermit/Makefile.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/modules/pam_sepermit/Makefile.am 
b/modules/pam_sepermit/Makefile.am
-index cfc5594..bc82275 100644
 a/modules/pam_sepermit/Makefile.am
-+++ b/modules/pam_sepermit/Makefile.am
-@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
-   securelib_LTLIBRARIES = pam_sepermit.la
- 
- install-data-local:
--  mkdir -p $(sepermitlockdir)
-+  mkdir -p $(DESTDIR)$(sepermitlockdir)
- endif
- if ENABLE_REGENERATE_MAN
- noinst_DATA = README pam_sepermit.8 sepermit.conf.5
--- 
-1.7.5.4
-
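Review bot: the deleted patch was marked `Upstream-Status: Pending`, and the commit message only says the change is "already available with latest source"; please name the upstream Linux-PAM commit or release that added `$(DESTDIR)$(sepermitlockdir)` to install-data-local so the removal is traceable, and confirm 1.2.1 really carries that fix rather than a different one.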
diff --git a/recipes-extended/pam/libpam_%.bbappend 
b/recipes-extended/pam/libpam_%.bbappend
new file mode 100644
index 000..adcf938
--- /dev/null
+++ b/recipes-extended/pam/libpam_%.bbappend
@@ -0,0 +1,3 @@
+inherit enable-selinux
+
+RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
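Review bot: the `%` wildcard makes this append apply to every libpam version, including 1.1.6, which needed the DESTDIR patch that this series deletes; anyone building the layer against a poky branch that still ships libpam 1.1.6 regresses to the host-side `mkdir -p /var/run/sepermit` failure the patch fixed. Either state the minimum supported poky/libpam in the commit message or README, or keep the patch conditional on the older version.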
diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend 
b/recipes-extended/pam/libpam_1.1.6.bbappend
deleted file mode 100644
index 71acecc..000
--- a/recipes-extended/pam/libpam_1.1.6.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-#FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
-FILESPATH_append := :${@base_set_filespath(['${THISDIR}/${PN}'], d)}
-
-SRC_URI += file://sepermit-add-DESTDIR-prefix.patch
-
-PR .= .4
-
-inherit enable-selinux
-
-RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
-- 
1.7.9.5



Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and cleanup

2015-07-30 Thread Shrikant Bobade
Hi,

This patch gives a green build for core-image-selinux (meta-selinux:master,
poky:master) against the libpam upgrade from 1.1.6 to 1.2.1; the
image boots fine, but I am unable to log in at the target. I have prepared the
build for qemuarm; is anyone else facing a similar issue? Please advise.

I observed that the login issue appears even with SELinux support disabled
(selinux=0).

Thanks
Shrikant Bobade

On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:

 From: Shrikant Bobade shrikant_bob...@mentor.com

 Use a wildcard for the version: adopt the libpam upgrade from 1.1.6 to 1.2.1,
 clean up the older recipe and remove the patch sepermit-add-DESTDIR-prefix.patch,
 since the changes are already available in the latest source.

 Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
  .../pam/libpam/sepermit-add-DESTDIR-prefix.patch   |   31
 
  recipes-extended/pam/libpam_%.bbappend |3 ++
  recipes-extended/pam/libpam_1.1.6.bbappend |   10 ---
  3 files changed, 3 insertions(+), 41 deletions(-)
  delete mode 100644
 recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
  create mode 100644 recipes-extended/pam/libpam_%.bbappend
  delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend

 diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
 b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
 deleted file mode 100644
 index d48d386..000
 --- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
 +++ /dev/null
 @@ -1,31 +0,0 @@
 -Subject: [PATCH] libpam: add missing DESTDIR prefix
 -
 -The DESTDIR prefix is missing, this will cause build failures for
 -mkdir /var/run/sepermit on the host.
 -
 -| mkdir -p /var/run/sepermit
 -| mkdir: cannot create directory `/var/run/sepermit': Permission denied
 -
 -Upstream-Status: Pending
 -
 -Signed-off-by: Xin Ouyang xin.ouy...@windriver.com
 
 - modules/pam_sepermit/Makefile.am |2 +-
 - 1 files changed, 1 insertions(+), 1 deletions(-)
 -
 -diff --git a/modules/pam_sepermit/Makefile.am
 b/modules/pam_sepermit/Makefile.am
 -index cfc5594..bc82275 100644
  a/modules/pam_sepermit/Makefile.am
 -+++ b/modules/pam_sepermit/Makefile.am
 -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
 -   securelib_LTLIBRARIES = pam_sepermit.la
 -
 - install-data-local:
 --  mkdir -p $(sepermitlockdir)
 -+  mkdir -p $(DESTDIR)$(sepermitlockdir)
 - endif
 - if ENABLE_REGENERATE_MAN
 - noinst_DATA = README pam_sepermit.8 sepermit.conf.5
 ---
 -1.7.5.4
 -
 diff --git a/recipes-extended/pam/libpam_%.bbappend
 b/recipes-extended/pam/libpam_%.bbappend
 new file mode 100644
 index 000..adcf938
 --- /dev/null
 +++ b/recipes-extended/pam/libpam_%.bbappend
 @@ -0,0 +1,3 @@
 +inherit enable-selinux
 +
 +RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
 diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend
 b/recipes-extended/pam/libpam_1.1.6.bbappend
 deleted file mode 100644
 index 71acecc..000
 --- a/recipes-extended/pam/libpam_1.1.6.bbappend
 +++ /dev/null
 @@ -1,10 +0,0 @@
 -#FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
 -FILESPATH_append := :${@base_set_filespath(['${THISDIR}/${PN}'], d)}
 -
 -SRC_URI += file://sepermit-add-DESTDIR-prefix.patch
 -
 -PR .= .4
 -
 -inherit enable-selinux
 -
 -RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
 --
 1.7.9.5




[yocto] [meta-selinux][PATCH] libpam: use wildcard for version and cleanup

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

use wildcard for version: adopting the libpam upgrade from 1.6.1 to 1.2.1,
clean up the older recipe and remove the patch sepermit-add-DESTDIR-prefix.patch,
since the changes are already available in the latest source.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../pam/libpam/sepermit-add-DESTDIR-prefix.patch   |   31 
 recipes-extended/pam/libpam_%.bbappend |3 ++
 recipes-extended/pam/libpam_1.1.6.bbappend |   10 ---
 3 files changed, 3 insertions(+), 41 deletions(-)
 delete mode 100644 
recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
 create mode 100644 recipes-extended/pam/libpam_%.bbappend
 delete mode 100644 recipes-extended/pam/libpam_1.1.6.bbappend

diff --git a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch 
b/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
deleted file mode 100644
index d48d386..000
--- a/recipes-extended/pam/libpam/sepermit-add-DESTDIR-prefix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Subject: [PATCH] libpam: add missing DESTDIR prefix
-
-The DESTDIR prefix is missing, this will cause build failures for
-mkdir /var/run/sepermit on the host.
-
-| mkdir -p /var/run/sepermit
-| mkdir: cannot create directory `/var/run/sepermit': Permission denied
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang xin.ouy...@windriver.com

- modules/pam_sepermit/Makefile.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/modules/pam_sepermit/Makefile.am 
b/modules/pam_sepermit/Makefile.am
-index cfc5594..bc82275 100644
 a/modules/pam_sepermit/Makefile.am
-+++ b/modules/pam_sepermit/Makefile.am
-@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
-   securelib_LTLIBRARIES = pam_sepermit.la
- 
- install-data-local:
--  mkdir -p $(sepermitlockdir)
-+  mkdir -p $(DESTDIR)$(sepermitlockdir)
- endif
- if ENABLE_REGENERATE_MAN
- noinst_DATA = README pam_sepermit.8 sepermit.conf.5
--- 
-1.7.5.4
-
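Review bot: the patch being removed is tagged "Upstream-Status: Pending", while the commit message says the change is "already available with latest source"; the message should cite the upstream libpam commit that added the $(DESTDIR) prefix in modules/pam_sepermit/Makefile.am so the two statements can be reconciled. The message should also read 1.1.6 rather than 1.6.1, which is the version the deleted libpam_1.1.6.bbappend actually covered.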
diff --git a/recipes-extended/pam/libpam_%.bbappend 
b/recipes-extended/pam/libpam_%.bbappend
new file mode 100644
index 000..adcf938
--- /dev/null
+++ b/recipes-extended/pam/libpam_%.bbappend
@@ -0,0 +1,3 @@
+inherit enable-selinux
+
+RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
diff --git a/recipes-extended/pam/libpam_1.1.6.bbappend 
b/recipes-extended/pam/libpam_1.1.6.bbappend
deleted file mode 100644
index 71acecc..000
--- a/recipes-extended/pam/libpam_1.1.6.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-#FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
-FILESPATH_append := :${@base_set_filespath(['${THISDIR}/${PN}'], d)}
-
-SRC_URI += file://sepermit-add-DESTDIR-prefix.patch
-
-PR .= .4
-
-inherit enable-selinux
-
-RDEPENDS_${PN}-runtime += ${@target_selinux(d, 'pam-plugin-selinux')}
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 1/2] linux-yocto: enable selinux support for kernel v4.1

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

The default kernel is now v4.1, so we need the SELinux support
for kernel v4.1 in order to get SELinux-enabled images out of the box.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-kernel/linux/linux-yocto_4.1.bbappend |8 
 1 file changed, 8 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-yocto_4.1.bbappend

diff --git a/recipes-kernel/linux/linux-yocto_4.1.bbappend 
b/recipes-kernel/linux/linux-yocto_4.1.bbappend
new file mode 100644
index 000..a8c0647
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_4.1.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
+
+# Enable selinux support in the kernel if the feature is enabled
+SRC_URI += ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'file://selinux.cfg', '', d)}
+
+# For inconsistent kallsyms data bug on ARM
+# 
http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718
+EXTRA_OEMAKE += ${@bb.utils.contains('TARGET_ARCH', 'arm', ' 
KALLSYMS_EXTRA_PASS=1', '', d)}
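Review bot: this append is a copy of linux-yocto_3.19.bbappend with only the file name changed; move the body into a shared .inc required from each version-specific append (or a linux-yocto_%.bbappend) so the next kernel bump does not repeat it and the copies cannot drift. As with 3.19, selinux.cfg is not added by this patch (the diffstat lists only the bbappend), so the commit message should say which existing fragment under ${THISDIR}/${PN} is reused and that it was re-validated against the 4.1 Kconfig with "bitbake linux-yocto -c kernel_configcheck", since option names move between releases. The KALLSYMS_EXTRA_PASS=1 workaround cites a 2012 thread; confirm it is still needed on v4.1 rather than carrying it forward unchecked.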
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 2/2] README: update supported linux-yocto versions

2015-07-30 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

README updated with the list of supported linux-yocto
versions and details on how to use them while preparing
SELinux-enabled images.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 README |   10 ++
 1 file changed, 10 insertions(+)

diff --git a/README b/README
index 3fe8af4..22d7599 100644
--- a/README
+++ b/README
@@ -66,6 +66,16 @@ working with this layer, without the additional Poky meta 
data.  This
 approach may work, but is not generally tested by the maintainers.
 
 
+Using different versions of linux-yocto
+---
+To prepare selinux enabled images using different ver. of linux-yocto,
+we can choose supported versions of linux-yocto,
+currently supported: v3.14, v3.19, v4.1(by default).
+
+* enable the preferred linux-yocto to local.conf or oe-selinux.conf
+e.g. PREFERRED_VERSION_linux-yocto_qemuarm = 3.19%
+
+
 License
 ---
 
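Review bot: the new README section needs a copy-edit and a more general example: "ver." should be spelled out as "versions", and "v4.1(by default)" needs a space. The example "PREFERRED_VERSION_linux-yocto_qemuarm = 3.19%" is a qemuarm-only override; show the machine-independent form PREFERRED_VERSION_linux-yocto = "3.19%" first and mention the _<machine> suffix as the per-machine variant (the value also needs double quotes, which this archive may have stripped). It would also help to state that the selected version must have a matching linux-yocto_<ver>.bbappend in this layer, which is what the 3.19 and 4.1 appends provide.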
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH] linux-yocto: enable selinux support for kernel v3.19

2015-06-05 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

The default kernel is now v3.19, so we need the SELinux support
for kernel v3.19 in order to get SELinux-enabled images out of the box.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 recipes-kernel/linux/linux-yocto_3.19.bbappend |8 
 1 file changed, 8 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-yocto_3.19.bbappend

diff --git a/recipes-kernel/linux/linux-yocto_3.19.bbappend 
b/recipes-kernel/linux/linux-yocto_3.19.bbappend
new file mode 100644
index 000..65c79ef
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_3.19.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := ${THISDIR}/${PN}:
+
+# Enable selinux support in the kernel if the feature is enabled
+SRC_URI += ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'file://selinux.cfg', '', d)}
+
+# For inconsistent kallsyms data bug on ARM
+# 
http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718
 
+EXTRA_OEMAKE += ${@bb.utils.contains('TARGET_ARCH', 'arm', ' 
KALLSYMS_EXTRA_PASS=1', '', d)}
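Review bot: file://selinux.cfg is referenced by the SRC_URI line but is not part of this patch (the diffstat lists only the bbappend), so a reader cannot tell which fragment is applied; add the fragment, or name the existing file under recipes-kernel/linux/linux-yocto/ in the commit message, and verify it with "bitbake linux-yocto -c kernel_configcheck" so options the 3.19 Kconfig no longer knows are caught. The KALLSYMS_EXTRA_PASS=1 line is gated on TARGET_ARCH only, so it also applies to non-SELinux arm builds of this kernel; if the linked kallsyms bug only shows up with the SELinux fragment, gate it on the same DISTRO_FEATURES check as SRC_URI.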
-- 
1.7.9.5



Re: [yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd

2015-01-05 Thread Shrikant Bobade
Hello,

Please provide review comments or feedback, if any; it would be a great
help.
Ping.

Thanks
Shrikant

On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:

 From: Shrikant Bobade shrikant_bob...@mentor.com

 Systemd init type and related allow rules
 updated for refpolicy.

 Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
  .../refpolicy-update-for_systemd.patch |   46
 
  .../refpolicy/refpolicy_2.20140311.inc |1 +
  2 files changed, 47 insertions(+)
  create mode 100644
 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

 diff --git
 a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 new file mode 100644
 index 000..80b420c
 --- /dev/null
 +++
 b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 @@ -0,0 +1,46 @@
 +refpolicy: update for systemd
 +
 +It provides the systemd support for refpolicy
 +and related allow rules.
 +The restorecon provides systemd init labeled
 +as init_exec_t.
 +
 +Upstream-Status: Pending
 +
 +
 +Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 +
 +--- a/policy/modules/contrib/shutdown.fc
  b/policy/modules/contrib/shutdown.fc
 +@@ -5,6 +5,9 @@
 + /sbin/shutdown--
 gen_context(system_u:object_r:shutdown_exec_t,s0)
 + /sbin/shutdown\.sysvinit  --
 gen_context(system_u:object_r:shutdown_exec_t,s0)
 +
 ++# systemd support
 ++/bin/systemctl--
 gen_context(system_u:object_r:shutdown_exec_t,s0)
 ++
 + /usr/lib/upstart/shutdown --
 gen_context(system_u:object_r:shutdown_exec_t,s0)
 +
 + /usr/sbin/shutdown--
 gen_context(system_u:object_r:shutdown_exec_t,s0)
 +--- a/policy/modules/system/init.fc
  b/policy/modules/system/init.fc
 +@@ -31,6 +31,8 @@
 + #
 + /sbin/init(ng)?   --
 gen_context(system_u:object_r:init_exec_t,s0)
 + /sbin/init\.sysvinit  --
 gen_context(system_u:object_r:init_exec_t,s0)
 ++# systemd support
 ++/lib/systemd/systemd  --
 gen_context(system_u:object_r:init_exec_t,s0)
 + # because nowadays, /sbin/init is often a symlink to /sbin/upstart
 + /sbin/upstart --
 gen_context(system_u:object_r:init_exec_t,s0)
 +
 +--- a/policy/modules/system/init.te
  b/policy/modules/system/init.te
 +@@ -913,3 +913,8 @@
 + optional_policy(`
 +   zebra_read_config(initrc_t)
 + ')
 ++
 ++# systemd related allow rules
 ++allow kernel_t init_t:process dyntransition;
 ++allow devpts_t device_t:filesystem associate;
 ++allow init_t self:capability2 block_suspend;
 diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc
 b/recipes-security/refpolicy/refpolicy_2.20140311.inc
 index 8894583..557b4ab 100644
 --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
 +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
 @@ -29,6 +29,7 @@ SRC_URI += file://poky-fc-subs_dist.patch \
  file://poky-fc-rpm.patch \
  file://poky-fc-ftpwho-dir.patch \
  file://poky-fc-fix-real-path_su.patch \
 +file://refpolicy-update-for_systemd.patch \
 

  # Specific policy for Poky
 --
 1.7.9.5




Re: [yocto] [meta-selinux][PATCH 3/3] pkggrp-core-selinux: coreutils addition

2015-01-05 Thread Shrikant Bobade
Hello,

Please provide review comments or feedback, if any; it would be a great
help.
Ping.

Thanks
Shrikant

On Wed, Nov 19, 2014 at 1:46 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:

 From: Shrikant Bobade shrikant_bob...@mentor.com

 Add coreutils to packagegroup-core-selinux
 in order to get chcon availability.

 Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
 ---
  .../packagegroups/packagegroup-core-selinux.bb |1 +
  1 file changed, 1 insertion(+)

 diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb
 b/recipes-security/packagegroups/packagegroup-core-selinux.bb
 index 1852aba..40b35d1 100644
 --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
 +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
 @@ -25,4 +25,5 @@ RDEPENDS_${PN} =  \
 selinux-config \
 refpolicy-standard \
 refpolicy-mls \
 +   coreutils \
 
 --
 1.7.9.5




[yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd

2014-11-19 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

Systemd init type and related allow rules
updated for refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy-update-for_systemd.patch |   46 
 .../refpolicy/refpolicy_2.20140311.inc |1 +
 2 files changed, 47 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 000..80b420c
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+ 
+It provides the systemd support for refpolicy 
+and related allow rules. 
+The restorecon provides systemd init labeled 
+as init_exec_t.
+
+Upstream-Status: Pending
+
+
+Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
+
+--- a/policy/modules/contrib/shutdown.fc
 b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+ /sbin/shutdown--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit  --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
++# systemd support
++/bin/systemctl--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+--- a/policy/modules/system/init.fc
 b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)?   --  
gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit  --  gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd  --  gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart --  gen_context(system_u:object_r:init_exec_t,s0)
+ 
+--- a/policy/modules/system/init.te
 b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+ optional_policy(`
+   zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
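Review bot: two policy concerns in the embedded refpolicy patch. Labeling /bin/systemctl as shutdown_exec_t (the shutdown.fc hunk) makes every systemctl invocation, including start, stop and status, run under the shutdown type; upstream refpolicy gives systemctl its own type, so either use a dedicated systemd type or explain in the patch header why the shutdown type was chosen. The three allow rules appended to init.te are unconditional, so "allow kernel_t init_t:process dyntransition" and the devpts_t/device_t associate rule land in every policy variant, including sysvinit images; upstream gates its systemd rules behind the init_systemd build option, and the same ifdef should wrap these. The kernel_t to init_t dyntransition is what lets systemd switch context after loading policy, and that rationale belongs in the header instead of the generic "related allow rules".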
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc 
b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..557b4ab 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -29,6 +29,7 @@ SRC_URI += file://poky-fc-subs_dist.patch \
 file://poky-fc-rpm.patch \
 file://poky-fc-ftpwho-dir.patch \
 file://poky-fc-fix-real-path_su.patch \
+file://refpolicy-update-for_systemd.patch \

 
 # Specific policy for Poky
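Review bot: the patch is added to SRC_URI unconditionally, so the systemd file contexts and allow rules go into every refpolicy build, including images that boot with sysvinit. Gate it on the distro feature with the same bb.utils.contains pattern the layer already uses for the kernel fragment, i.e. replace the plain file://refpolicy-update-for_systemd.patch entry with ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)} followed by the backslash continuation.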
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 2/3] selinux-init: update for systemd

2014-11-19 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

selinux-init.sh updated to reboot the system
normally, to fix the labelling during systemd
execution. With a forced reboot the labelling won't
be proper and the system continuously reboots to
label it as on first boot.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../selinux/selinux-config/selinux-init.sh |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh 
b/recipes-security/selinux/selinux-config/selinux-init.sh
index 9aaf454..f9f0914 100644
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@@ -48,7 +48,7 @@ if [ -f /.autorelabel ]; then
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo  * Relabel done, rebooting the system.
-   /sbin/reboot -f
+   /sbin/reboot
 fi
 
 # If first booting, the security context type of init would be
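Review bot: dropping -f changes behaviour for every init system, not just systemd. Without -f, /sbin/reboot on a sysvinit image asks init for a runlevel change, and this script runs before the normal runlevel is reached, so an image that still boots with sysvinit may hang or skip the reboot instead of completing the relabel. Make the call depend on what PID 1 is, for example use the plain reboot only when /run/systemd/system exists and keep "reboot -f" otherwise, and say in the commit message which init systems the relabel path was tested on.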
@@ -62,7 +62,7 @@ if [ `${SECON} -t --pid 1` = kernel_t ]; then
${RESTORECON} -RF /
${RESTORECON} -F /
echo  * Relabel done, rebooting the system.
-   /sbin/reboot -f
+   /sbin/reboot
 fi
 
 # Now, we should relabel /dev for most services.
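Review bot: the condition on this hunk's header line, [ `${SECON} -t --pid 1` = kernel_t ], is unquoted, so if secon prints nothing (policy not loaded, or secon missing) the test collapses to "[ = kernel_t ]" and the script errors out before the relabel; quote the substitution as [ "$(${SECON} -t --pid 1)" = kernel_t ]. The same remark as on the first hunk applies to the reboot form: it should depend on the running init, not be changed for all of them.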
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH 3/3] pkggrp-core-selinux: coreutils addition

2014-11-19 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

Add coreutils to packagegroup-core-selinux
in order to get chcon availability.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../packagegroups/packagegroup-core-selinux.bb |1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb 
b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 1852aba..40b35d1 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -25,4 +25,5 @@ RDEPENDS_${PN} =  \
selinux-config \
refpolicy-standard \
refpolicy-mls \
+   coreutils \

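Review bot: the commit message justifies the whole coreutils package by a single tool, chcon, but adding it to RDEPENDS pulls the full GNU coreutils into every SELinux image and lets its binaries take over the corresponding busybox applets; if only chcon is needed, check first whether the busybox SELinux applets already provide it, and record the size and reasoning in the commit message either way.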
-- 
1.7.9.5



[yocto] [meta-selinux][PATCH] refpolicy:20140311 update for systemd

2014-11-18 Thread Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com

Systemd init type and related allow rules
updated for refpolicy.

Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
 .../refpolicy-update-for_systemd.patch |   50 
 .../refpolicy/refpolicy_2.20140311.inc |1 +
 2 files changed, 51 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 000..634061e
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,50 @@
+refpolicy: update for systemd
+ 
+It provides the systemd support for refpolicy 
+and related allow rules. 
+The restorecon provides systemd init labeled 
+as init_exec_t.
+
+ 
+Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
+
+Index: refpolicy/policy/modules/contrib/shutdown.fc
+===
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc  2014-11-17 
21:01:05.040804419 +0530
 refpolicy/policy/modules/contrib/shutdown.fc   2014-11-18 
14:38:50.854860908 +0530
+@@ -5,6 +5,9 @@
+ /sbin/shutdown--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit  --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
++# systemd support
++/bin/systemctl--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown--  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+Index: refpolicy/policy/modules/system/init.fc
+===
+--- refpolicy.orig/policy/modules/system/init.fc   2014-11-17 
21:01:05.040804419 +0530
 refpolicy/policy/modules/system/init.fc2014-11-18 14:38:04.467444078 
+0530
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)?   --  
gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit  --  gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd  --  gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart --  gen_context(system_u:object_r:init_exec_t,s0)
+ 
+Index: refpolicy/policy/modules/system/init.te
+===
+--- refpolicy.orig/policy/modules/system/init.te   2014-11-17 
21:03:01.577129153 +0530
 refpolicy/policy/modules/system/init.te2014-11-18 14:37:45.647680675 
+0530
+@@ -913,3 +913,8 @@
+ optional_policy(`
+   zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
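Review bot: the embedded patch header carries no Upstream-Status tag, which the layer's other patches include (for example the Pending tag on sepermit-add-DESTDIR-prefix.patch), and it uses quilt-style Index:/timestamp headers rather than the git-style a/ b/ paths used elsewhere in the layer; add the tag, switch to git-style paths, and give a one-line rationale for each allow rule. On the policy itself, the /bin/systemctl entry gives the whole systemctl client the shutdown type, and the three init.te rules are unconditional rather than gated on the init_systemd option as upstream refpolicy does; both need addressing before the rules go into every policy variant.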
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc 
b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..19b41eb 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -29,6 +29,7 @@ SRC_URI += file://poky-fc-subs_dist.patch \
 file://poky-fc-rpm.patch \
 file://poky-fc-ftpwho-dir.patch \
 file://poky-fc-fix-real-path_su.patch \
+   file://refpolicy-update-for_systemd.patch \

 
 # Specific policy for Poky
-- 
1.7.9.5
