* [meta-selinux][PATCH 0/2] initscripts/devpts.sh: fix context for /dev/pts
From: wenzong.fan @ 2014-05-12 7:31 UTC (permalink / raw)
To: yocto, xin.ouyang, mark.hatle
From: Wenzong Fan <wenzong.fan@windriver.com>
devpts uses file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of the
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of the expected systemlow (s0).
This will block login shells from searching PTYs, so use restorecon to fix
this.
The following changes since commit 368f65a475069ed384d82be09c2515fb765e22ec:
initscripts/checkroot.sh: restore file contexts for /run (2014-05-09 08:59:54 -0400)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib wenzong/fix-pts
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/fix-pts
Wenzong Fan (2):
initscripts: add a local copy of devpts.sh
initscripts/devpts.sh: fix context for /dev/pts
recipes-core/initscripts/initscripts/devpts.sh | 29 +++++++++++++++++++++
recipes-core/initscripts/initscripts_1.0.bbappend | 2 ++
2 files changed, 31 insertions(+)
create mode 100755 recipes-core/initscripts/initscripts/devpts.sh
--
1.7.9.5
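An added example, not part of the original thread or of meta-selinux: a POSIX sh check for the symptom the cover letter describes, a mount point whose label carries the wrong MLS level. The function names and the sample contexts are constructed for illustration; `check_path` assumes a `stat` that supports `%C`.

```shell
#!/bin/sh
# Added example: compare the MLS level of an SELinux label with the expected one.

# Print the level/range field of a context string. The field is everything
# after the third colon and may itself contain colons (s15:c0.c1023), so a
# naive "fourth field" split would truncate it.
ctx_level() {
    case "$1" in
        *:*:*:*) printf '%s\n' "${1#*:*:*:}" ;;
        *) return 1 ;;    # user:role:type only, no MLS/MCS field
    esac
}

# check_label CONTEXT EXPECTED_LEVEL
# Prints ok, mismatch:<level> or no-mls; returns 0, 1 or 2 respectively.
check_label() {
    lvl=$(ctx_level "$1") || { echo "no-mls"; return 2; }
    if [ "$lvl" = "$2" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch:$lvl"
    return 1
}

# Live use on a target: check_path /dev/pts s0
check_path() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    check_label "$ctx" "$2"
}

# Constructed sample labels (not captured from a real system).
for ctx in \
    "system_u:object_r:devpts_t:s15:c0.c1023" \
    "system_u:object_r:devpts_t:s0" \
    "system_u:object_r:devpts_t"
do
    printf '%-42s %s\n' "$ctx" "$(check_label "$ctx" s0)"
done
```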
* [meta-selinux][PATCH 1/2] initscripts: add a local copy of devpts.sh
From: wenzong.fan @ 2014-05-12 7:31 UTC (permalink / raw)
To: yocto, xin.ouyang, mark.hatle
From: Wenzong Fan <wenzong.fan@windriver.com>
Starting point for making SELinux-specific changes in devpts.sh, copied from
the oe-core layer.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
recipes-core/initscripts/initscripts/devpts.sh | 28 +++++++++++++++++++++
recipes-core/initscripts/initscripts_1.0.bbappend | 2 ++
2 files changed, 30 insertions(+)
create mode 100755 recipes-core/initscripts/initscripts/devpts.sh
diff --git a/recipes-core/initscripts/initscripts/devpts.sh b/recipes-core/initscripts/initscripts/devpts.sh
new file mode 100755
index 0000000..c6043fb
--- /dev/null
+++ b/recipes-core/initscripts/initscripts/devpts.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: devpts
+# Required-Start: udev
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Mount /dev/pts file systems.
+### END INIT INFO
+
+. /etc/default/devpts
+
+if grep -q devpts /proc/filesystems
+then
+ #
+ # Create multiplexor device.
+ #
+ test -c /dev/ptmx || mknod -m 666 /dev/ptmx c 5 2
+
+ #
+ # Mount /dev/pts if needed.
+ #
+ if ! grep -q devpts /proc/mounts
+ then
+ mkdir -p /dev/pts
+ mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
+ fi
+fi
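Review bot: In the mount line near the end of the script, `${TTYGRP}` and `${TTYMODE}` come only from `/etc/default/devpts`, which is sourced at the top with no readability check and no fallback values. If that file is missing or leaves either variable unset, the mount is attempted with empty `gid=` and `mode=` values. Consider guarding the `.` line with `test -r` and giving both expansions explicit defaults. Since the commit message says this is a copy from oe-core, recording the oe-core revision it was taken from would also make later resyncs easier.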
diff --git a/recipes-core/initscripts/initscripts_1.0.bbappend b/recipes-core/initscripts/initscripts_1.0.bbappend
index 367cd6b..462db6f 100644
--- a/recipes-core/initscripts/initscripts_1.0.bbappend
+++ b/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -1,5 +1,7 @@
PR .= ".3"
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
do_install_append () {
cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh
touch /var/log/lastlog
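Review bot: The added `FILESEXTRAPATHS_prepend` line carries no comment, and nothing in this bbappend names the file it is meant to override. It only has an effect if the base initscripts recipe already lists devpts.sh in its SRC_URI, so a one-line comment saying that the local devpts.sh shadows the oe-core copy would save the next reader from searching for it.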
--
1.7.9.5
* [meta-selinux][PATCH 2/2] initscripts/devpts.sh: fix context for /dev/pts
From: wenzong.fan @ 2014-05-12 7:31 UTC (permalink / raw)
To: yocto, xin.ouyang, mark.hatle
From: Wenzong Fan <wenzong.fan@windriver.com>
devpts uses file_use_trans to allocate security contexts. As there are no
range_trans rules for initrc_t mounting devpts, the security level of the
mountpoint will be derived from the initrc process, to be systemhigh
(s15:c0.c1023), instead of the expected systemlow (s0).
This will block login shells from searching PTYs, so use restorecon to fix
this.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
recipes-core/initscripts/initscripts/devpts.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/recipes-core/initscripts/initscripts/devpts.sh b/recipes-core/initscripts/initscripts/devpts.sh
index c6043fb..a0b037f 100755
--- a/recipes-core/initscripts/initscripts/devpts.sh
+++ b/recipes-core/initscripts/initscripts/devpts.sh
@@ -24,5 +24,6 @@ then
then
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
+ test ! -x /sbin/restorecon || /sbin/restorecon -F /dev/pts
fi
fi
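Review bot: The new `restorecon -F /dev/pts` line sits inside the `if ! grep -q devpts /proc/mounts` branch, directly after the mount, so it only runs when this script performs the mount itself. If devpts is already mounted when the script starts, the relabel is skipped and the mountpoint keeps whatever level it was given. Consider moving the line after the inner `fi` so the context is restored in both cases. The packaged script changes here while `PR` in the bbappend stays at `.3`, which is worth a second look as well.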
--
1.7.9.5
* Re: [meta-selinux][PATCH 0/2] initscripts/devpts.sh: fix context for /dev/pts
From: Pascal Ouyang @ 2014-06-23 6:29 UTC (permalink / raw)
To: wenzong.fan, yocto, mark.hatle
On 14-5-12 3:31 PM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> devpts uses file_use_trans to allocate security contexts. As there are no
> range_trans rules for initrc_t mounting devpts, the security level of the
> mountpoint will be derived from the initrc process, to be systemhigh
> (s15:c0.c1023), instead of the expected systemlow (s0).
>
> This will block login shells from searching PTYs, so use restorecon to fix
> this.
>
> The following changes since commit 368f65a475069ed384d82be09c2515fb765e22ec:
>
> initscripts/checkroot.sh: restore file contexts for /run (2014-05-09 08:59:54 -0400)
>
> are available in the git repository at:
>
> git://git.pokylinux.org/poky-contrib wenzong/fix-pts
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/fix-pts
>
> Wenzong Fan (2):
> initscripts: add a local copy of devpts.sh
> initscripts/devpts.sh: fix context for /dev/pts
>
> recipes-core/initscripts/initscripts/devpts.sh | 29 +++++++++++++++++++++
> recipes-core/initscripts/initscripts_1.0.bbappend | 2 ++
> 2 files changed, 31 insertions(+)
> create mode 100755 recipes-core/initscripts/initscripts/devpts.sh
>
Merged, thanks. :)
--
- Pascal