Hi,
I am using yocto pyro and for creating users via recipe using inherit
useradd, followed
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb?h=pyro
with lowercase I am able to create user e.g user as expected.
but just want to check
Hi Marco,
On similar lines, as Joe suggested please try with refpolicy 2.20151208
from morty,
also I would like to recommend start with refpolicy-minimum policy variant,
then you can explore other variants like refpolicy-targeted.
On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini
Hi Joe,
On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald
wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12
(Thu 12:57) wenzong fan wrote:
>
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > >Wenzong / Shrikant,
> > >
> > >I
Hi Joe,
On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald
wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for
From: Shrikant Bobade <shrikant_bob...@mentor.com>
restrict systemd related patches based on distro feature.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
recipes-security/refpolicy/refpolicy_2.20151208.inc | 2 +-
recipes-security/refpolicy/refpolicy_git.inc
From: Shrikant Bobade <shrikant_bob...@mentor.com>
this change drop complete use of 'virtual/refpolicy' & switch to 'refpolicy'
use, the mix use of both results in mismatching policy variant selection.
with use of 'virtual/refpolicy' at config. level, when we try to switch to
ot
From: Shrikant Bobade <shrikant_bob...@mentor.com>
Add force reboot during SELinux init and autorelabel, required for smooth
auto-reboot functionality with sysvinit as init manager.
It is required only for sysvinit, so restricting only for sysvinit and not
for systemd.
Signed-off-by: Sh
From: Shrikant Bobade <shrikant_bob...@mentor.com>
syslog & getty related allow rules required to fix the syslog mixup with
boot log, while using systemd as init manager.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...-refpolicy-minimum-systemd-fix-for-s
From: Shrikant Bobade <shrikant_bob...@mentor.com>
fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...inimum-systemd-fix-for-systemd-tmp-fi
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rule to fix avc denial during system reboot.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...inimum-init-fix-reboot-with-systemd-as-in.patch | 36 ++
.../refpolicy/refpolicy-minimum_2
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for locallogin module avc denials.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...inimum-locallogin-add-allow-rules-for-typ.patch | 53 ++
.../refpolicy/refpolicy-minimum_2
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for avc denials for systemd, mount, logging & authlogin
modules. without this change we are getting avc denials from these
modules.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...inim
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for audit.log file & resolve dependent avc denials.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...inimum-audit-logging-getty-audit-related-.patch | 67 ++
.../ref
From: Shrikant Bobade <shrikant_bob...@mentor.com>
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are getting avc denials and access denied to perform
operations on service file.
Hi,
@Ping,
Thanks
Shrikant
On Mon, Aug 22, 2016 at 6:36 PM, Shrikant Bobade <bobadeshrik...@gmail.com>
wrote:
> From: Shrikant Bobade <shrikant_bob...@mentor.com>
>
> add support for systemd service file and handling of script required by
> systemd service file.
>
From: Shrikant Bobade <shrikant_bob...@mentor.com>
this change provide dependency required by audit log file, to prepare it at
/var/log/audit/audit.log and get cleaner boot log.
without this change all avc denial messages mix with the boot log & it is
difficult for avc denial analysi
From: Shrikant Bobade <shrikant_bob...@mentor.com>
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
recipes-security/refpolicy/refpolicy_common.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc
b/recipes-securi
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add systemd service file for handling selinux labeldev, this change improves
handling of systemd service functionality like: status check, debug etc.
compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant Bobade <shr
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add systemd service file for handling selinux autorelabel, this change
improves handling of systemd service functionality like: status check,
re-run, debug etc. compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add systemd service file for handling selinux initialization, this change
improves handling of systemd service functionality like: status check, debug
etc. compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add support for systemd service file and handling of script required by
systemd service file.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
recipes-security/selinux/selinux-initsh.inc | 12 +++-
1 file
ta-poky
meta-yocto-bsp= "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
meta-selinux = "master:d0f889259b610c3365962775c6e96a7cba407177"
Please advise, it will be a great help!
Thanks
Shrikant
On Fri, Jul 1, 2016 at 7:13 PM, Shrikant Bobade <bobadeshrik...@gmail.com>
wrote:
From: Shrikant Bobade <shrikant_bob...@mentor.com>
fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...ystemd-fix-for-systemd-tmp-files-serv
From: Shrikant Bobade <shrikant_bob...@mentor.com>
1. fix for systemd services: login & journal while using refpolicy-minimum and
systemd as init manager.
2. fix login duration after providing root password.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
..
From: Shrikant Bobade <shrikant_bob...@mentor.com>
enable required refpolicy booleans for these modules mount:
allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...mount-enable-requiried-refpolicy-boo
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rule to fix avc denial during system reboot.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...t-fix-reboot-with-systemd-as-init-manager.patch | 35 ++
.../refpolicy/refpolicy_2.
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for locallogin module avc denials.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...in-add-allow-rules-for-type-local_login_t.patch | 52 ++
.../refpolicy/refpolicy_2.
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for audit.log file & resolve dependent avc denials.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...t-logging-getty-audit-related-allow-rules.patch | 66 +
From: Shrikant Bobade <shrikant_bob...@mentor.com>
add allow rules for avc denials for systemd, mount, logging & authlogin
modules. without this change we are getting avc denials from these
modules.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
...d-mount-l
From: Shrikant Bobade <shrikant_bob...@mentor.com>
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are getting avc denials and access denied to perform
operations service file.
Hi,
Using refpolicy-minimum v20151208 with systemd as init manager,
I am facing few issues during enforcing mode,
1. systemd service status check, start & stop
2. auditd logfile error, so it is mixing with the boot log.
3. also other avc denials related to tmpfs & other types etc..
setup
From: Shrikant Bobade <shrikant_bob...@mentor.com>
eudev version at poky updated to v3.2 from v3.1.5, so moving it to use
wildcard in order to fix the parsing error.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
recipes-core/eudev/eudev_%.bbappend | 3 +++
From: Shrikant Bobade <shrikant_bob...@mentor.com>
we need policycoreutils-hll to insert custom policy module/package, without
it semodule install fail with error:
libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/
pp : No such file or dir
From: Shrikant Bobade <shrikant_bob...@mentor.com>
WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on
libselinux, but it isn't a build dependency, missing libselinux in DEPENDS
or PACKAGECONFIG? [build-deps]
Signed-off-by: Shrikant Bobade <shrikant_bob...@m
From: Shrikant Bobade <shrikant_bob...@mentor.com>
Drop unavailable patches entry to fix the warning, even we are using
libselinux v2.5 these warnings pop-up during recipes parsing.
WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI
entry libselinux-get-pywrap-d
From: Shrikant Bobade <shrikant_bob...@mentor.com>
with systemd enabled refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules: clock, systemd, udev
conditionally based on DISTRO_FEATURES.
dependent systemd policy modules needed to fix these
From: Shrikant Bobade <shrikant_bob...@mentor.com>
with systemd enabled refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules: clock, systemd, udev
conditionally based on DISTRO_FEATURES.
dependent systemd policy modules needed to fix these
From: Shrikant Bobade <shrikant_bob...@mentor.com>
refpolicy now introduced systemd support using POLICY_SYSTEMD variable,
with systemd enabled setup we need the refpolicy with systemd support, so
enable systemd support based on DISTRO_FEATURES.
Signed-off-by: Shrikant Bobade <shr
Checked jethro branch, image booting successfully, policy loads well &
label file-system thanks !
used distro : poky-selinux & image: core-image-selinux
meta-yocto-bsp= "branch_jethro:b1f23d1254682866236bfaeb843c0d8aa332efc2"
meta-selinux =
-selinux = master:684ee9401f33db7c9d5b183988d89c688c9dd0be
Thanks
Shrikant
On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:
From: Shrikant Bobade shrikant_bob...@mentor.com
remove --with-armeb=yes to fix the configure
unrecognised option qa warning.
Signed
From: Shrikant Bobade shrikant_bob...@mentor.com
remove --with-armeb=yes to fix the configure
unrecognised option qa warning.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-security/audit/audit_2.4.3.bb |1 -
1 file changed, 1 deletion(-)
diff --git a/recipes
On Fri, Aug 14, 2015 at 2:29 PM, Khem Raj raj.k...@gmail.com wrote:
On Fri, Aug 14, 2015 at 1:53 AM, Shrikant Bobade
bobadeshrik...@gmail.com wrote:
Hi,
observed: WARNING: QA Issue: audit: configure was passed unrecognised
options: --with-armeb [unknown-configure-option]
on core-image
From: Shrikant Bobade shrikant_bob...@mentor.com
update config option '--with-armeb' to '--with-arm'
for audit qa warning fix.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-security/audit/audit_2.4.3.bb |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Hi Philip,
On Tue, Aug 11, 2015 at 10:39 AM, Philip Tricca fl...@twobit.us wrote:
Hey Shrikant,
On 07/30/2015 02:31 AM, Shrikant Bobade wrote:
This patch provides green build for core-image-selinux
(meta-selinux:master poky:master) against libpam upgrade from 1.1.6 to
1.2.1,
image
From: Shrikant Bobade shrikant_bob...@mentor.com
A straight update from refpolicy 2.20140311 to refpolicy git
repository for the core policy variants and forward-porting
of policy patches as appropriate.
This approach is useful for building refpolicy refpolicy-contrib
directly from the git
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-targeted to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-targeted_git.bb| 20
1 file changed, 20
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-mcs to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-security/refpolicy/refpolicy-mcs_git.bb | 11 +++
1 file changed, 11 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-standard to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-standard_git.bb|8
1 file changed, 8 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-mls to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-security/refpolicy/refpolicy-mls_git.bb | 10 ++
1 file changed, 10 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
README updated with the supported refpolicy version
details and information of refpolicy building from
git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
README | 15 +++
1 file changed, 15 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
During forward-port of these patches from refpolicy 20140311,
requires rebase with the refpolicy git repos head master
code base, in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-minimum to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-minimum_git.bb | 48
1 file changed, 48
From: Shrikant Bobade shrikant_bob...@mentor.com
During forward-port of these patches from refpolicy 2014120311,
requires rebase with the refpolicy 20141203 code base,
in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy-2.20141203
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-standard to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-standard_2.20141203.bb |8
1 file changed, 8 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
A straight update from refpolicy 2.20140311 to 2.20141203 for the core
policy variants and forward-porting of policy patches as appropriate.
ref: https://github.com/TresysTechnology/refpolicy/wiki
Signed-off-by: Shrikant Bobade shrikant_bob
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-mcs to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-mcs_2.20141203.bb | 11 +++
1 file changed, 11 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-minimum to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-minimum_2.20141203.bb | 48
1 file changed, 48
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-mls to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-mls_2.20141203.bb | 10 ++
1 file changed, 10 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
A simple forward-port of refpolicy-targeted to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy/refpolicy-targeted_2.20141203.bb | 20
1 file changed, 20
From: Shrikant Bobade shrikant_bob...@mentor.com
use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1,
cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch
since the changes already available with latest source.
Signed-off-by: Shrikant Bobade shrikant_bob
the login issue appears even with disabled selinux support
(selinux=0).
Thanks
Shrikant Bobade
On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:
From: Shrikant Bobade shrikant_bob...@mentor.com
use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1
From: Shrikant Bobade shrikant_bob...@mentor.com
use wildcard for version: adopting libpam upgrade from 1.6.1 to 1.2.1,
cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch
since the changes already available with latest source.
Signed-off-by: Shrikant Bobade shrikant_bob
From: Shrikant Bobade shrikant_bob...@mentor.com
The default kernel is now v4.1. So we need the selinux support
for kernel v4.1, in order to get selinux enabled images out of box.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-kernel/linux/linux-yocto_4.1.bbappend |8
From: Shrikant Bobade shrikant_bob...@mentor.com
README updated with the list of supported linux-yocto
versions and details to use it while preparing selinux
enabled images.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
README | 10 ++
1 file changed, 10 insertions
From: Shrikant Bobade shrikant_bob...@mentor.com
The default kernel is now v3.19. So we need the selinux support
for kernel v3.19, in order to get selinux enabled images out of box.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
recipes-kernel/linux/linux-yocto_3.19.bbappend
Hello,
Please provide review comments or feedback if any, it will be a great
help.
@Ping.
Thanks
Shrikant
On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:
From: Shrikant Bobade shrikant_bob...@mentor.com
Systemd init type and related allow rules
updated
Hello,
Please provide review comments or feedback if any, it will be a great
help.
@Ping.
Thanks
Shrikant
On Wed, Nov 19, 2014 at 1:46 PM, Shrikant Bobade bobadeshrik...@gmail.com
wrote:
From: Shrikant Bobade shrikant_bob...@mentor.com
To add coreutils to packagegroup-core-selinux
in order
From: Shrikant Bobade shrikant_bob...@mentor.com
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy-update-for_systemd.patch | 46
.../refpolicy/refpolicy_2.20140311.inc
From: Shrikant Bobade shrikant_bob...@mentor.com
selinux-init.sh updated to reboot system
normally to fix the labelling during systemd
execution. Due to force reboot labelling won't
be proper and system continuously reboot to
label it like first time boot.
Signed-off-by: Shrikant Bobade
From: Shrikant Bobade shrikant_bob...@mentor.com
To add coreutils to packagegroup-core-selinux
in order to get chcon availability.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../packagegroups/packagegroup-core-selinux.bb |1 +
1 file changed, 1 insertion(+)
diff --git
From: Shrikant Bobade shrikant_bob...@mentor.com
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade shrikant_bob...@mentor.com
---
.../refpolicy-update-for_systemd.patch | 50
.../refpolicy/refpolicy_2.20140311.inc