[yocto] [meta-selinux][PATCH] refpolicy: Update to 20180114 release

2018-04-27 Thread wenzong.fan
From: Wenzong Fan Remove patches that included by upstream: - poky-fc-nscd.patch - poky-fc-ftpwho-dir.patch - refpolicy-update-for_systemd.patch - 0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch Rebase patches: - poky-fc-clock.patch -

[yocto] [meta-selinux][PATCH v2] systemd: create /var/lib/systemd/backlight in advance

2018-04-20 Thread wenzong.fan
From: Wenzong Fan v2 changes: * Update patch for Yocto Compat - don't change layer's hash The systemd-backlight@.service which called after selinux-init.service will create /var/lib/systemd/backlight with incorrect

[yocto] [meta-selinux][PATCH] systemd: create /var/lib/systemd/backlight in advance

2018-04-19 Thread wenzong.fan
From: Wenzong Fan The systemd-backlight@.service which called after selinux-init.service will create /var/lib/systemd/backlight with incorrect security labels, this causes the systemd-backlight service fails to start and stop. Creating /var/lib/systemd/backlight in

[yocto] [meta-security][PATCH] xmlsec1: remove host paths from target files

2018-04-18 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/xmlsec1/xmlsec1_1.2.25.bb | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/recipes-security/xmlsec1/xmlsec1_1.2.25.bb

[linux-yocto] [PATCH] features/net/team: Add Ethernet TEAM drivers

2018-04-16 Thread wenzong.fan
From: Wenzong Fan Add Ethernet TEAM drivers for supporting libteam: The Team softdev Linux driver provides a mechanism to team multiple NICs (ports) into a single logical one (teamdev) at L2 layer. This process is called "channel bonding", "Ethernet bonding", "channel

[yocto] [meta-selinux][PATCH] refpolicy: fix boot failure with systemd + mls

2017-10-13 Thread wenzong.fan
From: Wenzong Fan * Allow kernel_t to lower file level * Allow kernel_t to set process level Signed-off-by: Wenzong Fan --- ...-kernel_t-mls-trusted-for-lowering-file-l.patch | 74 ++

[yocto] [meta-selinux][PATCH v2] policycoreutils: add PACKAGECONFIG for libpam, audit

2017-10-10 Thread wenzong.fan
From: Wenzong Fan * make pam and audit support configurable; * remove INITDIR from EXTRA_OEMAKE, the variable is not supported now. Signed-off-by: Wenzong Fan --- recipes-security/selinux/policycoreutils.inc | 21 ++--- 1

[yocto] [meta-selinux][PATCH] policycoreutils: update AUDITH, PAMH

2017-10-10 Thread wenzong.fan
From: Wenzong Fan Update definition of AUDITH, PAMH according to the upstream changes for Makefiles: commit 89ce96cac6ce5eeed78cb39c58514cd68494d7aa ... -ifeq ($(PAMH), /usr/include/security/pam_appl.h) +ifeq ($(PAMH), y) ... -ifeq ($(AUDITH),

[yocto] [meta-selinux][PATCH 3/3] refpolicy-minimum: fix build error with systemd

2017-10-09 Thread wenzong.fan
From: Wenzong Fan Update patch to fix build error with systemd: * replace below statements with 'init_dbus_chat(initrc_t)': allow initrc_t init_t:dbus send_msg; allow init_t initrc_t:dbus send_msg; * declare class 'dbus' and 'acquire_svc' for: allow init_t

[yocto] [meta-selinux][PATCH 2/3] refpolicy: fix unknown classes and permissions

2017-10-09 Thread wenzong.fan
From: Wenzong Fan Backport upstream patches: - 0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch - 0002-refpolicy-Define-smc_socket-security-class.patch This fixes the runtime issues: $ load_policy SELinux: Permission getrlimit in class process

[yocto] [meta-selinux][PATCH 1/3] refpolicy-targeted: rebase patches for 2.20170204

2017-10-09 Thread wenzong.fan
From: Wenzong Fan Rebase and apply the patches for 2.20170204: - refpolicy-fix-optional-issue-on-sysadm-module.patch - refpolicy-unconfined_u-default-user.patch Signed-off-by: Wenzong Fan ---

[yocto] [meta-selinux][PATCH] selinux-python: fix installed-vs-shipped warnings

2017-09-20 Thread wenzong.fan
From: Wenzong Fan Fix the warnings if ${libdir} = '/usr/lib64': WARNING: selinux-python-2.7-r0 do_package: QA Issue: selinux-python: \ Files/directories were installed but not shipped in any package: /usr/lib/python2.7/site-packages/sepolicy-1.1.egg-info

[yocto] [PATCH 18/20] setools: uprev to 4.1.1

2017-09-12 Thread wenzong.fan
From: Wenzong Fan SETools v4 is a rewrite of SETools in Python, details refer to: https://github.com/TresysTechnology/setools/wiki/Changes-Since-SETools-v3 Changes for upreving: * removed setools_3.3.8.bb and all useless patch * add patches to fix cross-compiling

[yocto] [PATCH 20/20] selinux-python: add setools to RDEPENDS

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/selinux-python.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc

[yocto] [PATCH 19/20] packagegroup-*: sync package names

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Some new packages added after SELinux uprev to 2.7, sync the package names accordingly: policycoreutils-audit2allow -> selinux-python-audit2allow policycoreutils-chcat-> selinux-python-chcat policycoreutils-python ->

[yocto] [PATCH 16/20] policycoreutils: fixes for 2.7 uprev

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Remove setools from DEPENDS/RDEPENDS, it was required by sepolicy, sepolgen, semanage which have been moved to python/*. Rebase patch: - policycoreutils-fixfiles-de-bashify.patch Drop useless patch: - policycoreutils-loadpolicy-symlink.patch

[yocto] [PATCH 17/20] refpolicy_common: depends on semodule-utils-native

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Those tools have been moved from policycoreutils to semodule-utils: semodule_deps, semodule_expand, semodule_link, semodule_package Signed-off-by: Wenzong Fan --- recipes-security/refpolicy/refpolicy_common.inc | 2 +-

[yocto] [PATCH 15/20] selinux-gui: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/gui to gui and cleanup policycoreutils.inc. Signed-off-by: Wenzong Fan --- recipes-security/selinux/policycoreutils.inc | 7 --- recipes-security/selinux/selinux-gui.inc | 15 +++

[yocto] [PATCH 12/20] selinux-python: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move packages to python/*: - policycoreutils/semanage -> python/semanage - policycoreutils/audit2allow-> python/audit2allow - policycoreutils/sepolgen-ifgen -> python/audit2allow/sepolgen-ifgen - policycoreutils/sepolicy ->

[yocto] [PATCH 14/20] selinux-dbus: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/sepolicy/dbus to dbus. Signed-off-by: Wenzong Fan --- recipes-security/selinux/selinux-dbus.inc| 14 ++ recipes-security/selinux/selinux-dbus_2.7.bb | 7 +++ 2 files changed, 21

[yocto] [PATCH 13/20] semodule-utils: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/semodule_* to semodule-utils/*: - policycoreutils/semodule_deps-> semodule-utils/semodule_deps - policycoreutils/semodule_expand -> semodule-utils/semodule_expand - policycoreutils/semodule_link->

[yocto] [PATCH 09/20] mcstrans: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/mcstrans to mcstrans: * Move and rebase patches: - mcstrans-de-bashify.patch - 0001-mcstrans-fix-the-init-script.patch * Remove useless patch: - enable-mcstrans.patch * Cleanup policycoreutils_2.7.bb and

[yocto] [PATCH 07/20] policycoreutils: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Uprev the recipe file as is. Some packages have been moved out from policycoreutils, they will be added as new packages and the policycoreutils.inc need to be cleaned up from later commits accordingly. Moved packages: From:

[yocto] [PATCH 11/20] selinux-sandbox: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/sandbox to sandbox: * Move and rebase patch: - policycoreutils-sandbox-de-bashify.patch * Cleanup policycoreutils.inc Signed-off-by: Wenzong Fan --- recipes-security/selinux/policycoreutils.inc

[yocto] [PATCH 10/20] restorecond: add package 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/restorecond to restorecond: * Move and rebase patch: - policycoreutils-make-O_CLOEXEC-optional.patch * Cleanup policycoreutils_2.7.bb. Signed-off-by: Wenzong Fan ---

[yocto] [PATCH 08/20] sepolgen: remove package

2017-09-12 Thread wenzong.fan
From: Wenzong Fan The package has been moved to selinux-python/sepolgen. Signed-off-by: Wenzong Fan --- recipes-security/selinux/sepolgen.inc| 34 recipes-security/selinux/sepolgen_2.6.bb | 7 ---

[yocto] [PATCH 04/20] libsemanage: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Remove patches that included by new version: - 0001-libsemanage-simplify-string-utilities-functions.patch - 0002-libsemanage-add-semanage_str_replace-utility-functio.patch - 0003-libsemanage-genhomedircon-drop-ustr-dependency.patch -

[yocto] [PATCH 05/20] checkpolicy: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Remove patch that included by new version: - checkpolicy-Do-not-link-against-libfl.patch Specify LIBSEPOLA to fix build error: make[1]: *** No rule to make target `/usr/lib/libsepol.a' Signed-off-by: Wenzong Fan ---

[yocto] [PATCH 01/20] selinux: uprev include file to 20170804

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{selinux_20161014.inc => selinux_20170804.inc} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/selinux/{selinux_20161014.inc =>

[yocto] [PATCH 06/20] secilc: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/secilc_2.6.bb | 7 --- recipes-security/selinux/secilc_2.7.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644

[yocto] [PATCH 03/20] libselinux: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Specify LIBSEPOLA to fix build error: make[1]: *** No rule to make target `/usr/lib/libsepol.a', needed by `python-2.7audit2why.so'. Stop. Add python-importlib to RDEPENDS_${PN}-python. Signed-off-by: Wenzong Fan ---

[yocto] [PATCH 02/20] libsepol: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{libsepol_2.6.bb => libsepol_2.7.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-security/selinux/{libsepol_2.6.bb => libsepol_2.7.bb}

[yocto] [PATCH 00/20 V2] selinux: uprev to 2.7 (20170804)

2017-09-12 Thread wenzong.fan
From: Wenzong Fan V2 changes: * fix incorrect 'Subject' in patches * apply patches base on mgh/master-next: - drop applied patch: refpolicy: fix a typo in RDEPENDS The following changes since commit ae9553c0d22bc079947aa31170dbe096b20f9de6: systemd: Remove

[yocto] [meta-selinux][PATCH 19/21] setools: uprev to 4.1.1

2017-09-05 Thread wenzong.fan
From: Wenzong Fan SETools v4 is a rewrite of SETools in Python, details refer to: https://github.com/TresysTechnology/setools/wiki/Changes-Since-SETools-v3 Changes for upreving: * removed setools_3.3.8.bb and all useless patch * add patches to fix cross-compiling

[yocto] [meta-selinux][PATCH 21/21] selinux-python: add setools to RDEPENDS

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/selinux-python.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc

[yocto] [meta-selinux][PATCH 20/21] packagegroup-*: sync package names

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Some new packages added after SELinux uprev to 2.7, sync the package names accordingly: policycoreutils-audit2allow -> selinux-python-audit2allow policycoreutils-chcat-> selinux-python-chcat policycoreutils-python ->

[yocto] [meta-selinux][PATCH 18/21] refpolicy_common: depends on semodule-utils-native

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Those tools have been moved from policycoreutils to semodule-utils: semodule_deps, semodule_expand, semodule_link, semodule_package Signed-off-by: Wenzong Fan --- recipes-security/refpolicy/refpolicy_common.inc | 2 +-

[yocto] [meta-selinux][PATCH 17/21] refpolicy: fix a typo in RDEPENDS

2017-09-05 Thread wenzong.fan
From: Jackie Huang Underscore ("_") should be used for variable overrides. Signed-off-by: Jackie Huang --- recipes-security/refpolicy/refpolicy_common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[yocto] [meta-selinux][PATCH 16/21] policycoreutils: fixes for 2.7 uprev

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Remove setools from DEPENDS/RDEPENDS, it was required by sepolicy, sepolgen, semanage which have been moved to python/*. Rebase patch: - policycoreutils-fixfiles-de-bashify.patch Drop useless patch: - policycoreutils-loadpolicy-symlink.patch

[yocto] [meta-selinux][PATCH 15/21] selinux-gui: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/gui to gui and cleanup policycoreutils.inc. Signed-off-by: Wenzong Fan --- recipes-security/selinux/policycoreutils.inc | 7 --- recipes-security/selinux/selinux-gui.inc | 15 +++

[yocto] [meta-selinux][PATCH 11/21] selinux-sandbox: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/sandbox to sandbox: * Move and rebase patch: - policycoreutils-sandbox-de-bashify.patch * Cleanup policycoreutils.inc Signed-off-by: Wenzong Fan --- recipes-security/selinux/policycoreutils.inc

[yocto] [meta-selinux][PATCH 10/21] restorecond: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/restorecond to restorecond: * Move and rebase patch: - policycoreutils-make-O_CLOEXEC-optional.patch * Cleanup policycoreutils_2.7.bb. Signed-off-by: Wenzong Fan ---

[yocto] [meta-selinux][PATCH 14/21] selinux-dbus: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/sepolicy/dbus to dbus. Signed-off-by: Wenzong Fan --- recipes-security/selinux/selinux-dbus.inc| 14 ++ recipes-security/selinux/selinux-dbus_2.7.bb | 7 +++ 2 files changed, 21

[yocto] [meta-selinux][PATCH 13/21] semodule-utils: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/semodule_* to semodule-utils/*: - policycoreutils/semodule_deps-> semodule-utils/semodule_deps - policycoreutils/semodule_expand -> semodule-utils/semodule_expand - policycoreutils/semodule_link->

[yocto] [meta-selinux][PATCH 09/21] mcstrans: add package 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Move policycoreutils/mcstrans to mcstrans: * Move and rebase patches: - mcstrans-de-bashify.patch - 0001-mcstrans-fix-the-init-script.patch * Remove useless patch: - enable-mcstrans.patch * Cleanup policycoreutils_2.7.bb and

[yocto] [meta-selinux][PATCH 08/21] sepolgen: remove package

2017-09-05 Thread wenzong.fan
From: Wenzong Fan The package has been moved to selinux-python/sepolgen. Signed-off-by: Wenzong Fan --- recipes-security/selinux/sepolgen.inc| 34 recipes-security/selinux/sepolgen_2.6.bb | 7 ---

[yocto] [meta-selinux][PATCH 07/21] policycoreutils: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Uprev the recipe file as is. Some packages have been moved out from policycoreutils, they will be added as new packages and the policycoreutils.inc need to be cleaned up from later commits accordingly. Moved packages: From:

[yocto] [meta-selinux][PATCH 05/21] checkpolicy: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Remove patch that included by new version: - checkpolicy-Do-not-link-against-libfl.patch Specify LIBSEPOLA to fix build error: make[1]: *** No rule to make target `/usr/lib/libsepol.a' Signed-off-by: Wenzong Fan ---

[yocto] [meta-selinux][PATCH 06/21] secilc: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{secilc_2.6.bb => secilc_2.7.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-security/selinux/{secilc_2.6.bb => secilc_2.7.bb} (35%)

[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Remove patches that included by new version: - 0001-libsemanage-simplify-string-utilities-functions.patch - 0002-libsemanage-add-semanage_str_replace-utility-functio.patch - 0003-libsemanage-genhomedircon-drop-ustr-dependency.patch -

[yocto] [meta-selinux][PATCH 03/21] libselinux: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Specify LIBSEPOLA to fix build error: make[1]: *** No rule to make target `/usr/lib/libsepol.a', needed by `python-2.7audit2why.so'. Stop. Add python-importlib to RDEPENDS_${PN}-python. Signed-off-by: Wenzong Fan ---

[yocto] [meta-selinux][PATCH 02/21] libsepol: uprev to 2.7 (20170804)

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{libsepol_2.6.bb => libsepol_2.7.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-security/selinux/{libsepol_2.6.bb => libsepol_2.7.bb}

[yocto] [meta-selinux][PATCH 01/21] selinux: uprev include file to 20170804

2017-09-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{selinux_20161014.inc => selinux_20170804.inc} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/selinux/{selinux_20161014.inc =>

[yocto] [meta-measured][PATCH v2] linux-yocto.inc: rename to linux-yocto-measured.inc

2017-05-11 Thread wenzong.fan
From: Wenzong Fan To avoid conflict with the one from oe-core: oe-core/meta/recipes-kernel/linux/linux-yocto.inc Signed-off-by: Wenzong Fan --- recipes-kernel/linux/linux-intel_4.%.bbappend | 2 +-

[yocto] [meta-measured][PATCH] linux-yocto.inc: rename to linux-yocto-measured.inc

2017-05-11 Thread wenzong.fan
From: Wenzong Fan To avoid conflict with the one from oe-core: oe-core/meta/recipes-kernel/linux/linux-yocto.inc Signed-off-by: Wenzong Fan --- recipes-kernel/linux/linux-intel_4.%.bbappend| 2 +-

[yocto] [meta-selinux][PATCH] selinux-init: start service after local-fs.target

2017-02-23 Thread wenzong.fan
From: Wenzong Fan Fixing labels after local-fs.target to make sure all mounted filesystems labeled correctly. Signed-off-by: Wenzong Fan --- recipes-security/selinux/selinux-init/selinux-init.service | 1 + 1 file changed, 1 insertion(+)

[yocto] [meta-security][PATCH] libseccomp: convert test package to ptest

2017-02-16 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/libseccomp/files/run-ptest | 4 recipes-security/libseccomp/libseccomp.bb | 24 2 files changed, 16 insertions(+), 12 deletions(-) create

[yocto] [meta-selinux][PATCH 2/2] refpolicy-minimum: update patch file

2017-01-10 Thread wenzong.fan
From: Wenzong Fan Fix build errors: | policy/modules/system/init.te:1120:ERROR 'class dbus is not within scope' at token ';' on line 40246: | allow initrc_t init_t:dbus send_msg; | allow init_t initrc_t:dbus { send_msg acquire_svc }; Signed-off-by: Wenzong Fan

[yocto] [meta-selinux][PATCH 1/2] refpolicy: uprev 2.20151208 -> 2.20161023

2017-01-10 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 0 .../poky-fc-clock.patch | 0 .../poky-fc-corecommands.patch

[yocto] [meta-selinux][PATCH 0/2] uprev refpolicy to 2.20161023

2017-01-10 Thread wenzong.fan
From: Wenzong Fan Uprev refpolicy to 2.20161023 and fix build errors for refpolicy-minimum. The following changes since commit bae51859f0dbcdde9fd563d15128a6dbbb816801: audit: upgrade 2.6.6 -> 2.7 (2017-01-09 08:59:55 -0500) are available in the git repository at:

[yocto] [meta-selinux][PATCH] audit: upgrade 2.6.6 -> 2.7

2017-01-06 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/audit/{audit_2.6.6.bb => audit_2.7.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename recipes-security/audit/{audit_2.6.6.bb => audit_2.7.bb} (96%) diff

[yocto] [meta-selinux][PATCH 9/9] selinux_common: remove EXTRA_OEMAKE = "-e"

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Some variables are exported by top Makefile and updated from sub Makefile (such as PCRE_LDFLAGS, DISABLE_FLAGS ...). The '-e' option prevents those variables from updating in the sub Makefile and causes libselinux build errors: |

[yocto] [meta-selinux][PATCH 8/9] secilc: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/secilc_2.5.bb | 7 --- recipes-security/selinux/secilc_2.6.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644

[yocto] [meta-selinux][PATCH 7/9] sepolgen: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/sepolgen_1.2.3.bb | 7 --- recipes-security/selinux/sepolgen_2.6.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644

[yocto] [meta-selinux][PATCH 2/9] libsepol: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{libsepol_2.5.bb => libsepol_2.6.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-security/selinux/{libsepol_2.5.bb => libsepol_2.6.bb}

[yocto] [meta-selinux][PATCH 6/9] policycoreutils: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan * rebase patch: - policycoreutils-process-ValueError-for-sepolicy-seobject.patch Signed-off-by: Wenzong Fan --- ...-process-ValueError-for-sepolicy-seobject.patch | 34 -- ...licycoreutils_2.5.bb =>

[yocto] [meta-selinux][PATCH 5/9] checkpolicy: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/checkpolicy_2.5.bb | 7 --- recipes-security/selinux/checkpolicy_2.6.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644

[yocto] [meta-selinux][PATCH 4/9] libsemanage: uprev to 2.6 (20161014)

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{libsemanage_2.5.bb => libsemanage_2.6.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-security/selinux/{libsemanage_2.5.bb =>

[yocto] [meta-selinux][PATCH 1/9] selinux: uprev include file to 20161014

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Signed-off-by: Wenzong Fan --- recipes-security/selinux/{selinux_20160223.inc => selinux_20161014.inc} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/selinux/{selinux_20160223.inc =>

[yocto] [meta-selinux][PATCH 0/9] selinux: uprev to 20161014

2017-01-05 Thread wenzong.fan
From: Wenzong Fan Uprev selinux packages to 2.6 (20161014) and fix build issues. The following changes since commit 02602ac9c1f3e61f11d90053c578575254fa6323: iproute2: make packageconfig selinux work (2016-11-01 09:20:37 -0400) are available in the git repository

[yocto] [meta-security][PATCH] paxctl: allow build of paxctl-native

2016-09-23 Thread wenzong.fan
From: Joe Slater paxctl-native is needed to build paxtest. Do not use the install target in Makefile for paxctl-native, it will fail with error: install: cannot change ownership of '.../sbin/paxctl': \ Operation not permitted Signed-off-by: Joe Slater

[yocto] [meta-selinux][PATCH] selinux: update policy-version to 30

2016-09-22 Thread wenzong.fan
From: Wenzong Fan Both selinux 2.5 and kernel 4.8 support Max Policy Version 30. Signed-off-by: Wenzong Fan --- recipes-security/refpolicy/refpolicy_common.inc | 2 +- recipes-security/selinux/libsemanage.inc| 2 +- 2 files

[yocto] [meta-selinux][PATCH] dhcp: sync init-server with oe-core

2016-09-22 Thread wenzong.fan
From: Wenzong Fan oe-core commit: a162416119ec9deee9fef53455d1281abe573681 dhcpd: create dhcpd user for dhcp dameon Signed-off-by: Wenzong Fan --- recipes-connectivity/dhcp/files/init-server | 2 +- 1 file changed, 1 insertion(+), 1

[yocto] [PATCH][meta-selinux] refpolicy-targeted: remove duplicate type rules

2016-08-02 Thread wenzong.fan
From: Wenzong Fan Remove duplicate type rules from init_t to init_script_file_type, they have been included by systemd policies. This also fixes the errors while installing modules for refpolicy-targeted if systemd support is enabled: | Conflicting type rules | Binary

[yocto] [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store

2016-04-08 Thread wenzong.fan
From: Wenzong Fan Apply the changes to refpolicy-minimum_2.20151208.bb: commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8 Author: Wenzong Fan Date: Tue Oct 27 06:25:04 2015 -0400 refpolicy-minimum: update prepare_policy_store

[yocto] [PATCH][meta-selinux] refpolicy git: update SRCREV and PV to 2.20151208

2016-01-06 Thread wenzong.fan
From: Wenzong Fan Update git repos rev to latest stable release and use PV to indicate the exact release version just like all of the *_git.bb recipes has been done in oe-core. ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Wenzong Fan

[yocto] [PATCH][meta-selinux] audit: upgrade 2.4.3 -> 2.4.4

2015-11-13 Thread wenzong.fan
From: Wenzong Fan * rebase patch audit-python-configure.patch * 2.4.4 includes CVE-2015-5186 and bug fixes, details refer to: http://people.redhat.com/sgrubb/audit/ChangeLog Signed-off-by: Wenzong Fan ---

[yocto] [PATCH][meta-selinux] openssh: set ChallengeResponseAuthentication to no

2015-11-01 Thread wenzong.fan
From: Wenlin Kang The patch fixes the login fails for ssh -o Batchmode=yes when passwords is empty and without authorized_keys file even if set "PermitEmptyPasswords yes" in sshd_config file. Signed-off-by: Wenlin Kang Signed-off-by:

[yocto] [PATCH][meta-selinux] refpolicy-targeted: rebase patches

2015-10-27 Thread wenzong.fan
From: Wenzong Fan rebase patches against latest git sources: * refpolicy-fix-optional-issue-on-sysadm-module.patch * refpolicy-unconfined_u-default-user.patch Signed-off-by: Wenzong Fan ---

[yocto] [PATCH][meta-selinux] refpolicy-minimum: update prepare_policy_store

2015-10-27 Thread wenzong.fan
From: Wenzong Fan * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the logic is from refpolicy_common.inc but with minimum set of policy modules; * add extra policy modules that required by sysnetwork, without those modules the install process

[yocto] [PATCH][meta-selinux] libselinux, libsepol: depends on coreutils-native

2015-10-20 Thread wenzong.fan
From: Wenzong Fan 'ln --relative' doesn't work on Ubuntu 12.04 that has ln 8.13. The changes involved by SELinux commit: commit 71393a181d63c9baae5fe8dcaeb9411d1f253998 Author: Steve Lawrence Date: Mon Oct 20 15:46:17 2014 -0400

[yocto] [PATCH][meta-selinux] refpolicy: fix exit code issue of bzip2

2015-10-10 Thread wenzong.fan
From: Wenzong Fan 'bzip2 -qt $moudle_name.pp' has different exit codes on different distributions, for example: * On Redhat/CentOS/Fedora, OpenSUSE: $ bzip2 -qt /tmp/tor.pp bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2) $ echo $? 0 This

[yocto] [PATCH 2/2][meta-selinux] swig: remove package

2015-10-07 Thread wenzong.fan
From: Wenzong Fan swig 3.0.6 has been added to oe-core: 66923c6776da13bd4513a73c3f7c5e60d74eb0f3 No change need to port. Signed-off-by: Wenzong Fan --- recipes-devtools/swig/swig.inc | 59 --

[yocto] [PATCH 1/2][meta-selinux] libcap-ng: remove package

2015-10-07 Thread wenzong.fan
From: Wenzong Fan libcap-ng 0.7.7 has been added to oe-core: ad509d7644803ff9386affefe2ec1a3664027074 No change need to port. Signed-off-by: Wenzong Fan --- recipes-security/libcap-ng/libcap-ng/python.patch | 58 ---

[yocto] [PATCH 0/2][meta-selinux] remove packages: libcap-ng, swig

2015-10-07 Thread wenzong.fan
From: Wenzong Fan They have been added to oe-core. The following changes since commit 463f97bfd1180475540b7d91e3fec6a2b33966bd: audit/auvirt: get inline functions work with both gnu89 & gnu11 (2015-09-21 10:42:27 -0400) are available in the git repository at:

[yocto] [PATCH v2][meta-selinux] audit/auvirt: get inline functions work with both gnu89 & gnu11

2015-09-14 Thread wenzong.fan
From: Wenzong Fan After gcc upgraded to gcc5, and if the codes are compiled without optimization (-O0), and the below error will happen: auvirt.c:484: undefined reference to `copy_str' auvirt.c:667: undefined reference to `is_resource' collect2: error: ld

[yocto] [PATCH][meta-selinux] audit/auvirt: get inline functions work with C99

2015-09-11 Thread wenzong.fan
From: Wenzong Fan This fixes link errors: auvirt.c:484: undefined reference to `copy_str' auvirt.c:667: undefined reference to `is_resource' As gcc5 doc about "Different semantics for inline functions": > C99 extern inline: An externally visible function is

[yocto] [PATCH][meta-selinux] libcap-ng: upgrade 0.7.4 - 0.7.7

2015-08-14 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com * Port changes from meta-oe: commit bce4dba5546480c8e43c6442959ac7d0a4ef32f6 Author: Li xin lixin.f...@cn.fujitsu.com Date: Thu Jul 23 15:29:31 2015 +0800 libcap-ng: upgrade 0.7.4 - 0.7.7 Update python.patch,since the contents has

[yocto] [PATCH][meta-selinux] python-ipy: update 0.81 - 0.83

2015-08-14 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com * update SRC_URI checksums * remove PKG-INFO that is not in 0.83 Signed-off-by: Wenzong Fan wenzong@windriver.com --- recipes-devtools/python/{python-ipy_0.81.bb = python-ipy_0.83.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

[yocto] [PATCH][meta-selinux] libselinux: get pywrap depends on selinux.py

2015-08-14 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com The selinux.py will be installed as selinux/__init__.py, just make sure it has been generated completely while starting make install-pywrap. This fixes below errors that caused by an empty selinux/__init__.py on target: $ /usr/sbin/semanage -h

[yocto] [PATCH 3/3] audit: build gen_xxx natively

2015-08-13 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com The gen_xxx used for generating sources at compile-time, they are built by native C compiler but may involve cross-compilation options via CFLAGS, just use CFLAGS_FOR_BUILD to remove the issue. Signed-off-by: Wenzong Fan wenzong@windriver.com ---

[yocto] [PATCH 2/3] audit: fix unknown-configure-option --with-armeb

2015-08-13 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com The option has been replaced by --with-arm: $ ./configure -h --with-arm enable Arm eabi processor support Signed-off-by: Wenzong Fan wenzong@windriver.com --- recipes-security/audit/audit_2.4.3.bb | 2 +- 1 file changed, 1 insertion(+), 1

[yocto] [PATCH 1/3] audit: clean PR after package updated

2015-08-13 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com After the PV updated, it's safe to clean the PR and get PRSERVER manage it. Signed-off-by: Wenzong Fan wenzong@windriver.com --- recipes-security/audit/audit_2.4.3.bb | 1 - 1 file changed, 1 deletion(-) diff --git

[yocto] [PATCH 1/1][meta-selinux] policycoreutils: install /var/lib/selinux

2015-07-09 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com This dir is required for running command: $ semanage permissive [OPTS] Signed-off-by: Wenzong Fan wenzong@windriver.com --- recipes-security/selinux/policycoreutils.inc | 6 ++ 1 file changed, 6 insertions(+) diff --git

[yocto] [PATCH 1/1][meta-selinux] refpolicy: correct SELINUX_DEVEL_PATH

2015-07-09 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com The sepolgen.conf should be installed with devel package to correct the default value of SELINUX_DEVEL_PATH, Makefile will be searched from that path while building policies on target. Signed-off-by: Wenzong Fan wenzong@windriver.com ---

[yocto] [PATCH 1/1][meta-selinux] initscripts: fix contexts for /etc/resolv.conf, adjtime

2015-07-09 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com Restore contexts for /etc/{resolv.conf, adjtime}, they are created dynamically and the incorrect contexts maybe prevent some programs from valid accessing. /etc/resolv.conf: etc_t:SystemHigh - etc_t:SystemLow /etc/adjtime: etc_t:SystemHigh -

[yocto] [PATCH][meta-selinux] tar: cleanup duplicate PACKAGECONFIG

2015-04-13 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com The tar_1.28.bb has defined this: PACKAGECONFIG[acl] = --with-posix-acls, --without-posix-acls, acl, Signed-off-by: Wenzong Fan wenzong@windriver.com --- recipes-extended/tar/tar_%.bbappend | 6 -- 1 file changed, 6 deletions(-) diff --git

[yocto] [PATCH v2][meta-selinux] udev: restorecon /run to allow mdadm creating /run/mdadm

2015-03-23 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com This change bases on the factors during bootup: a. the default type for /run is var_run_t; b. the type for /run will be changed to tmpfs_t after tmpfs mounted; c. the type for /run will be fixed after populate-volatile.sh run. udev service is started

[yocto] [PATCH][meta-selinux] udev: restorecon /run to allow mdadm creating /run/mdadm

2015-03-23 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com This change bases on the factors during bootup: a. the default type for /run is var_run_t; b. the type for /run will be changed to tmpfs_t after tmpfs mounted; c. the type for /run will be fixed after populate-volatile.sh run. udev service is started

[yocto] [PATCH][meta-selinux] iscsi-initiator-utils: fix label for initiatorname.iscsi

2015-03-04 Thread wenzong.fan
From: Wenzong Fan wenzong@windriver.com This config file was created by postinstall or initscript, the correct label should be etc_t, run restorecon /etc/iscsi/initiatorname.iscsi to fix it and remove below avc denied issues: avc: denied { read } for pid=6094 comm=iscsid \
