Hi ,
I am using yocto pyro and for creating users via recipe using inherit
useradd, followed
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb?h=pyro
with lowercase I am able to create user e.g user as expected.
but just want to check us
Hi Marco,
On similar lines, as Joe suggested please try with refpolicy 2.20151208
from morty,
also I would like to recommend start with refpolicy-minimum policy variant,
then you can explore other variants like refpolicy-targeted.
On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini wrote:
>
> Hi Joe &
Hi Joe,
On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald
wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12
(Thu 12:57) wenzong fan wrote:
>
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > >Wenzong / Shrikant,
> > >
> > >I thought I knew the answer
Hi Joe,
On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald
wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the u
From: Shrikant Bobade
restrict systemd related patches based on distro feature.
Signed-off-by: Shrikant Bobade
---
recipes-security/refpolicy/refpolicy_2.20151208.inc | 2 +-
recipes-security/refpolicy/refpolicy_git.inc| 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff
From: Shrikant Bobade
this change drop complete use of 'virtual/refpolicy' & switch to 'refpolicy'
use, the mix use of both results in mismatching policy varient selection.
with use of 'virtual/refpolicy' at config. level, when we try to switch to
other po
From: Shrikant Bobade
Add force reboot during SELinux init and autorelabel, required for smooth
auto-reboot functionality with sysvinit as init manager.
It is required only for sysvinit, so restricting only for sysvinit and not
for systemd.
Signed-off-by: Shrikant Bobade
---
recipes-security
systemd as
init manager, below are reference logs.
refpolicy-minimum with patch set: http://paste.ubuntu.com/23107423/
refpolicy-minimum without patch set: http://paste.ubuntu.com/23107437/
Please advise !
Thanks
Shrikant
On Fri, Jul 29, 2016 at 2:54 PM, Shrikant Bobade
wrote:
> Hi,
>
>
From: Shrikant Bobade
syslog & getty related allow rules required to fix the syslog mixup with
boot log, while using systemd as init manager.
Signed-off-by: Shrikant Bobade
---
...-refpolicy-minimum-systemd-fix-for-syslog.patch | 69 ++
.../refpolicy/refpo
From: Shrikant Bobade
enable required refpolicy booleans for these modules mount:
allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all
Signed-off-by: Shrikant Bobade
---
...inimum-systemd-mount-enable-requiried-ref.patch | 47 ++
.../refpolicy/refpo
From: Shrikant Bobade
fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.
Signed-off-by: Shrikant Bobade
---
...inimum-systemd-fix-for-systemd-tmp-files-.patch | 111 +
.../refpolicy/refpolicy-minimum_2.20151208.bb |
From: Shrikant Bobade
1. fix for systemd services: login & journal wile using refpolicy-minimum
and systemd as init manager.
2. fix login duration after providing root password.
Signed-off-by: Shrikant Bobade
---
...inimum-systemd-fix-for-login-journal-serv.patch |
From: Shrikant Bobade
add allow rule to fix avc denial during system reboot.
Signed-off-by: Shrikant Bobade
---
...inimum-init-fix-reboot-with-systemd-as-in.patch | 36 ++
.../refpolicy/refpolicy-minimum_2.20151208.bb | 1 +
2 files changed, 37 insertions(+)
create
From: Shrikant Bobade
add allow rules for locallogin module avc denials.
Signed-off-by: Shrikant Bobade
---
...inimum-locallogin-add-allow-rules-for-typ.patch | 53 ++
.../refpolicy/refpolicy-minimum_2.20151208.bb | 1 +
2 files changed, 54 insertions(+)
create mode
From: Shrikant Bobade
add allow rules for avc denails for systemd, mount, logging & authlogin
modules. without this change we are getting avc. denials from these
modules.
Signed-off-by: Shrikant Bobade
---
...inimum-systemd-mount-logging-authlogin-ad.patch
From: Shrikant Bobade
add allow rules for audit.log file & resolve dependent avc denials.
Signed-off-by: Shrikant Bobade
---
...inimum-audit-logging-getty-audit-related-.patch | 67 ++
.../refpolicy/refpolicy-minimum_2.20151208.bb | 1 +
2 files changed
From: Shrikant Bobade
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are geting avc denials and access denied to perform
operations on service file.
Signed-off-by: Shrikant Bobade
---
...in
Hi,
@Ping,
Thanks
Shrikant
On Mon, Aug 22, 2016 at 6:36 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
> add support for systemd service file and handling of script required by
> systemd service file.
>
> Signed-off-by: Shrikant Bobade
> ---
> recipes-
From: Shrikant Bobade
this change provide dependency required by audit log file, to prepare it at
/var/log/audit/audit.log and get cleaner boot log.
without this change all avc denial messages mix with the boot log & it is
difficult for avc denial analysis.
Signed-off-by: Shrikant Bo
From: Shrikant Bobade
Signed-off-by: Shrikant Bobade
---
recipes-security/refpolicy/refpolicy_common.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc
b/recipes-security/refpolicy/refpolicy_common.inc
index e1eac50..a9dc466 100644
--- a
From: Shrikant Bobade
add systemd service file for handling selinux labeldev, this change improves
handling of systemd service functionality like:status check, debug etc.
compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant Bobade
---
.../selinux/selinux-labeldev/selinux
From: Shrikant Bobade
add systemd service file for handling selinux autorelabel, this change
improves handling of systemd service functionality like:status check,
re-run, debug etc. compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant Bobade
---
.../selinux/selinux
From: Shrikant Bobade
add systemd service file for handling selinux initialization, this change
improves handling of systemd service functionality like:status check, debug
etc. compared to sysvinit compatibility mode scripts.
Signed-off-by: Shrikant Bobade
---
recipes-security/selinux/selinux
From: Shrikant Bobade
add support for systemd service file and handling of script required by
systemd service file.
Signed-off-by: Shrikant Bobade
---
recipes-security/selinux/selinux-initsh.inc | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/recipes-security
ta-poky
meta-yocto-bsp= "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
meta-selinux = "master:d0f889259b610c3365962775c6e96a7cba407177"
Please advice, It will be a great help !
Thanks
Shrikant
On Fri, Jul 1, 2016 at 7:13 PM, Shrikant Bobade
wrote:
> Hi,
>
> Using refpolicy
From: Shrikant Bobade
fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.
Signed-off-by: Shrikant Bobade
---
...ystemd-fix-for-systemd-tmp-files-services.patch | 110 +
.../refpolicy/refpolicy_2.20151208.inc |
From: Shrikant Bobade
1. fix for systemd services: login & journal wile using refpolicy-minimum and
systemd as init manager.
2. fix login duration after providing root password.
Signed-off-by: Shrikant Bobade
---
...007-systemd-fix-for-login-journal-service.patch |
From: Shrikant Bobade
enable required refpolicy booleans for these modules mount:
allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all
Signed-off-by: Shrikant Bobade
---
...mount-enable-requiried-refpolicy-booleans.patch | 43 ++
.../refpolicy/refpolicy_2.20151208
From: Shrikant Bobade
add allow rule to fix avc denial during system reboot.
Signed-off-by: Shrikant Bobade
---
...t-fix-reboot-with-systemd-as-init-manager.patch | 35 ++
.../refpolicy/refpolicy_2.20151208.inc | 1 +
2 files changed, 36 insertions(+)
create
From: Shrikant Bobade
add allow rules for locallogin module avc denials.
Signed-off-by: Shrikant Bobade
---
...in-add-allow-rules-for-type-local_login_t.patch | 52 ++
.../refpolicy/refpolicy_2.20151208.inc | 1 +
2 files changed, 53 insertions(+)
create mode
From: Shrikant Bobade
add allow rules for audit.log file & resolve dependent avc denials.
Signed-off-by: Shrikant Bobade
---
...t-logging-getty-audit-related-allow-rules.patch | 66 ++
.../refpolicy/refpolicy_2.20151208.inc | 1 +
2 files changed
From: Shrikant Bobade
add allow rules for avc denails for systemd, mount, logging & authlogin
modules. without this change we are getting avc. denials from these
modules.
Signed-off-by: Shrikant Bobade
---
...d-mount-logging-authlogin-add-allow-rules.patch
From: Shrikant Bobade
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are geting avc denials and access denied to perform
operations service file.
Signed-off-by: Shrikant Bobade
---
...onf
Hi,
Using refpolicy-minimum v20151208 with systemd as init manager,
I am facing few issues during enforcing mode,
1. systemd service status check, start & stop
2. auditd logfile error, so it is mixing with the boot log.
3. also other avc denials related to tmpfs & other types etc..
setup detail
From: Shrikant Bobade
eudev version at poky updated to v3.2 from v3.1.5, so moving it to use
wildcard in order to fix the parsing error.
Signed-off-by: Shrikant Bobade
---
recipes-core/eudev/eudev_%.bbappend | 3 +++
recipes-core/eudev/eudev_3.1.5.bbappend | 3 ---
2 files changed, 3
From: Shrikant Bobade
we need policycoreutils-hll to insert custom policy module/package, without
it semodule install fail with error:
libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/
pp : No such file or directory
libsemanage.semanage_direct_commit: Failed to compile
From: Shrikant Bobade
WARNING: iproute2-4.6.0-r0 do_package_qa: QA Issue: iproute2-ss rdepends on
libselinux, but it isn't a build dependency, missing libselinux in DEPENDS
or PACKAGECONFIG? [build-deps]
Signed-off-by: Shrikant Bobade
---
recipes-connectivity/iproute2/iproute2_%.bbappen
From: Shrikant Bobade
Drop unavailable patches entry to fix the warning, even we are using
libselinux v2.5 these warnings pop-up during recipes parsing.
WARNING:..libselinux_git.bb: Unable to get checksum for libselinux SRC_URI
entry libselinux-get-pywrap-depends-on-selinux.py.patch: file could
From: Shrikant Bobade
with systemd enabled refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules: clock, systemd, udev
conditionally based on DISTRO_FEATURES.
dependent systemd policy modules needed to fix these errors:
* Failed to resolve
From: Shrikant Bobade
with systemd enabled refpolicy-minimum build breaks due to missing dependent
policy modules, so add the dependent modules: clock, systemd, udev
conditionally based on DISTRO_FEATURES.
dependent systemd policy modules needed to fix these errors:
* Failed to resolve
From: Shrikant Bobade
refpolicy now introduced systemd support using POLICY_SYSTEMD variable,
with systemd enabled setup we need the refpolicy with systemd support, so
enable systemd support based on DISTRO_FEATURES.
Signed-off-by: Shrikant Bobade
---
recipes-security/refpolicy
Checked jethro branch, image booting successfully, policy loads well &
label file-system thanks !
used distro : poky-selinux & image: core-image-selinux
meta-yocto-bsp= "branch_jethro:b1f23d1254682866236bfaeb843c0d8aa332efc2"
meta-selinux = "branch_jethro:4c75d9cbcf1d75043c7c5ab315aa383d9
obade/Mentor/POKY_meta-selinux_poky_master/meta-selinux/recipes-security/selinux/libselinux_2.4.bb,
do_install
Summary: There were 2 WARNING messages shown.
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
sbobade@sbobade-VirtualBox:~/Mentor/POKY
From: Shrikant Bobade
update config option '--with-armeb' to '--with-arm'
for audit qa warning fix.
Signed-off-by: Shrikant Bobade
---
recipes-security/audit/audit_2.4.3.bb |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-security/audit/audit
On Fri, Aug 14, 2015 at 2:29 PM, Khem Raj wrote:
> On Fri, Aug 14, 2015 at 1:53 AM, Shrikant Bobade
> wrote:
> > Hi,
> >
> > observed: WARNING: QA Issue: audit: configure was passed unrecognised
> > options: --with-armeb [unknown-configure-option]
> > on cor
armv5 thumb dsp"
TARGET_FPU= "soft"
meta
meta-yocto
meta-yocto-bsp= "master:a533776d6ff83b6e3e830137455b8382d002768b"
meta-selinux = "master:684ee9401f33db7c9d5b183988d89c688c9dd0be"
Thanks
Shrikant
On Fri, Aug 14, 2015 at 2:16 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
From: Shrikant Bobade
remove --with-armeb=yes to fix the configure
unrecognised option qa warning.
Signed-off-by: Shrikant Bobade
---
recipes-security/audit/audit_2.4.3.bb |1 -
1 file changed, 1 deletion(-)
diff --git a/recipes-security/audit/audit_2.4.3.bb
b/recipes-security/audit
On Tue, Aug 11, 2015 at 7:07 PM, Joe MacDonald
wrote:
> [Re: [yocto] [meta-selinux][PATCH v1] libpam: use wildcard for version and
> cleanup] On 15.08.11 (Tue 16:39) Shrikant Bobade wrote:
>
> > Hi Philip,
> >
> >
> > On Tue, Aug 11, 2015 at 10:39 AM, Phil
Thanks for an update.
Works for me too..
Thanks
Shrikant
On Tue, Aug 11, 2015 at 11:07 AM, Robert Yang
wrote:
> There isn't lib/machinetabs.h any more, there isn't data structures like
> "static const char machine_strings", either.
>
> This fixed a do_patch error when arm.
>
> Signed-off-by: R
Hi Philip,
On Tue, Aug 11, 2015 at 10:39 AM, Philip Tricca wrote:
> Hey Shrikant,
>
> On 07/30/2015 02:31 AM, Shrikant Bobade wrote:
> > This patch provides green build for core-image-selinux
> > (meta-selinux:master & poky:master) against libpam upgrade from 1.1.
From: Shrikant Bobade
README updated with the supported refpolicy version
details and information of refpolicy building from
git repository.
Signed-off-by: Shrikant Bobade
---
README | 15 +++
1 file changed, 15 insertions(+)
diff --git a/README b/README
index 3fe8af4..afee84a
From: Shrikant Bobade
A simple forward-port of refpolicy-minimum to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-minimum_git.bb | 48
1 file changed, 48 insertions(+)
create mode 100644 recipes-security
From: Shrikant Bobade
A simple forward-port of refpolicy-standard to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-standard_git.bb|8
1 file changed, 8 insertions(+)
create mode 100644 recipes-security/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-mls to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade
---
recipes-security/refpolicy/refpolicy-mls_git.bb | 10 ++
1 file changed, 10 insertions(+)
create mode 100644 recipes-security/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-mcs to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade
---
recipes-security/refpolicy/refpolicy-mcs_git.bb | 11 +++
1 file changed, 11 insertions(+)
create mode 100644 recipes-security/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-targeted to use the
refpolicy from git repository.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-targeted_git.bb| 20
1 file changed, 20 insertions(+)
create mode 100644 recipes-security
From: Shrikant Bobade
During forward-port of these patches from refpolicy 20140311,
requires rebase with the refpolicy git repos head master
code base,in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-git/poky-fc-fstools.patch | 49
From: Shrikant Bobade
A straight update from refpolicy 2.20140311 to refpolicy git
repository for the core policy variants and forward-porting
of policy patches as appropriate.
This approach is useful for building refpolicy & refpolicy-contrib
directly from the git repos, rather than rel
From: Shrikant Bobade
A simple forward-port of refpolicy-minimum to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-minimum_2.20141203.bb | 48
1 file changed, 48 insertions(+)
create mode 100644 recipes-security
From: Shrikant Bobade
A simple forward-port of refpolicy-standard to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-standard_2.20141203.bb |8
1 file changed, 8 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-mls to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-mls_2.20141203.bb | 10 ++
1 file changed, 10 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-mcs to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-mcs_2.20141203.bb | 11 +++
1 file changed, 11 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy
From: Shrikant Bobade
A simple forward-port of refpolicy-targeted to use the 20141203
base refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy/refpolicy-targeted_2.20141203.bb | 20
1 file changed, 20 insertions(+)
create mode 100644 recipes-security
From: Shrikant Bobade
During forward-port of these patches from refpolicy 2014120311,
requires rebase with the refpolicy 20141203 code base,
in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade
---
.../refpolicy-2.20141203/poky-fc-fstools.patch | 49
From: Shrikant Bobade
A straight update from refpolicy 2.20140311 to 2.20141203 for the core
policy variants and forward-porting of policy patches as appropriate.
ref: https://github.com/TresysTechnology/refpolicy/wiki
Signed-off-by: Shrikant Bobade
---
.../ftp-add-ftpd_t-to
From: Shrikant Bobade
README updated with the list of supported linux-yocto
versions and details to use it while preparing selinux
enabled images.
Signed-off-by: Shrikant Bobade
---
README | 10 ++
1 file changed, 10 insertions(+)
diff --git a/README b/README
index 3fe8af4..22d7599
From: Shrikant Bobade
The default kernel is now v4.1. So we need the selinux support
for kernel v4.1, inorder to get selinux enabled images out of box.
Signed-off-by: Shrikant Bobade
---
recipes-kernel/linux/linux-yocto_4.1.bbappend |8
1 file changed, 8 insertions(+)
create
the login issue appears even with disabled selinux support
(selinux=0).
Thanks
Shrikant Bobade
On Thu, Jul 30, 2015 at 2:55 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
> use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1,
> cleanup older recipe and remov
From: Shrikant Bobade
use wildcard for version: adopting libpam upgrade from 1.1.6 to 1.2.1,
cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch
since the changes already available with latest source.
Signed-off-by: Shrikant Bobade
---
.../pam/libpam/sepermit-add-DESTDIR
From: Shrikant Bobade
use wildcard for version: adopting libpam upgrade from 1.6.1 to 1.2.1,
cleanup older recipe and remove patch sepermit-add-DESTDIR-prefix.patch
since the changes already available with latest source.
Signed-off-by: Shrikant Bobade
---
.../pam/libpam/sepermit-add-DESTDIR
From: Shrikant Bobade
The default kernel is now v3.19. So we need the selinux support
for kernel v3.19, inorder to get selinux enabled images out of box.
Signed-off-by: Shrikant Bobade
---
recipes-kernel/linux/linux-yocto_3.19.bbappend |8
1 file changed, 8 insertions(+)
create
Hello,
Please provide review comments or feedback if any, It will be a great
help.
@Ping.
Thanks
Shrikant
On Wed, Nov 19, 2014 at 1:46 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
> To add coreutils to packagegroup-core-selinux
> inorder to get chcon avaibility.
>
Hello,
Please provide review comments or feedback if any, It will be a great
help.
@Ping.
Thanks
Shrikant
On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
> selinux-init.sh updated to reboot system
> normally to fix the labelling during systemd
Hello,
Please provide review comments or feedback if any, It will be a great
help.
@Ping.
Thanks
Shrikant
On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade
wrote:
> From: Shrikant Bobade
>
> Systemd init type and related allow rules
> updated for refpolicy.
>
> Signed-off-b
From: Shrikant Bobade
To add coreutils to packagegroup-core-selinux
inorder to get chcon avaibility.
Signed-off-by: Shrikant Bobade
---
.../packagegroups/packagegroup-core-selinux.bb |1 +
1 file changed, 1 insertion(+)
diff --git a/recipes-security/packagegroups/packagegroup-core
From: Shrikant Bobade
selinux-init.sh updated to reboot system
normally to fix the labelling during systemd
execution. Due to force reboot labelling won't
be proper and system continuously reboot to
label it like first time boot.
Signed-off-by: Shrikant Bobade
---
.../selinux/selinux-c
From: Shrikant Bobade
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy-update-for_systemd.patch | 46
.../refpolicy/refpolicy_2.20140311.inc |1 +
2 files changed, 47 insertions
From: Shrikant Bobade
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade
---
.../refpolicy-update-for_systemd.patch | 50
.../refpolicy/refpolicy_2.20140311.inc |1 +
2 files changed, 51 insertions
78 matches
Mail list logo
