[yocto] [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208.

Philip Tricca flihp at twobit.us
Sun Mar 20 21:26:45 PDT 2016


This was mostly straightforward. Had to refresh a single patch:
poky-policy-fix-new-SELINUXMNT-in-sys.patch

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ----
 .../refpolicy-2.20141203/poky-fc-clock.patch       |  22 --
 .../poky-fc-corecommands.patch                     |  24 ---
 .../refpolicy-2.20141203/poky-fc-dmesg.patch       |  20 --
 .../refpolicy-2.20141203/poky-fc-fix-bind.patch    |  30 ---
 .../poky-fc-fix-real-path_login.patch              |  37 ----
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 ---
 .../poky-fc-fix-real-path_shadow.patch             |  34 ---
 .../poky-fc-fix-real-path_su.patch                 |  25 ---
 .../refpolicy-2.20141203/poky-fc-fstools.patch     |  70 -------
 .../refpolicy-2.20141203/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20141203/poky-fc-iptables.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-mta.patch         |  27 ---
 .../refpolicy-2.20141203/poky-fc-netutils.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-nscd.patch        |  27 ---
 .../refpolicy-2.20141203/poky-fc-rpm.patch         |  25 ---
 .../refpolicy-2.20141203/poky-fc-screen.patch      |  27 ---
 .../refpolicy-2.20141203/poky-fc-ssh.patch         |  24 ---
 .../refpolicy-2.20141203/poky-fc-su.patch          |  23 ---
 .../refpolicy-2.20141203/poky-fc-subs_dist.patch   |  29 ---
 .../refpolicy-2.20141203/poky-fc-sysnetwork.patch  |  46 -----
 .../refpolicy-2.20141203/poky-fc-udevd.patch       |  35 ----
 .../poky-fc-update-alternatives_hostname.patch     |  23 ---
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ------
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 -----
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 -----------
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 ---
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 ---------
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 ---
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 ---
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 ---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 ---
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ------
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 ---
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 ---
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ----
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ----
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 229 ---------------------
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ------
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 ---
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ----
 .../refpolicy-update-for_systemd.patch             |  29 ---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ++++
 .../refpolicy-2.20151208/poky-fc-clock.patch       |  22 ++
 .../poky-fc-corecommands.patch                     |  24 +++
 .../refpolicy-2.20151208/poky-fc-dmesg.patch       |  20 ++
 .../refpolicy-2.20151208/poky-fc-fix-bind.patch    |  30 +++
 .../poky-fc-fix-real-path_login.patch              |  37 ++++
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 +++
 .../poky-fc-fix-real-path_shadow.patch             |  34 +++
 .../poky-fc-fix-real-path_su.patch                 |  25 +++
 .../refpolicy-2.20151208/poky-fc-fstools.patch     |  70 +++++++
 .../refpolicy-2.20151208/poky-fc-ftpwho-dir.patch  |  27 +++
 .../refpolicy-2.20151208/poky-fc-iptables.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-mta.patch         |  27 +++
 .../refpolicy-2.20151208/poky-fc-netutils.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-nscd.patch        |  27 +++
 .../refpolicy-2.20151208/poky-fc-rpm.patch         |  25 +++
 .../refpolicy-2.20151208/poky-fc-screen.patch      |  27 +++
 .../refpolicy-2.20151208/poky-fc-ssh.patch         |  24 +++
 .../refpolicy-2.20151208/poky-fc-su.patch          |  23 +++
 .../refpolicy-2.20151208/poky-fc-subs_dist.patch   |  29 +++
 .../refpolicy-2.20151208/poky-fc-sysnetwork.patch  |  46 +++++
 .../refpolicy-2.20151208/poky-fc-udevd.patch       |  35 ++++
 .../poky-fc-update-alternatives_hostname.patch     |  23 +++
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ++++++
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 +++++
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++++++++++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 +++
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 +++++++++
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 +++
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 +++
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 +++++++++++++
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 +++
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ++++++
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 +++
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 +++
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ++++
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ++++
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 185 +++++++++++++++++
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ++++++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 +++
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ++++
 .../refpolicy-update-for_systemd.patch             |  29 +++
 .../refpolicy/refpolicy-mcs_2.20141203.bb          |  11 -
 .../refpolicy/refpolicy-mcs_2.20151208.bb          |  11 +
 .../refpolicy/refpolicy-minimum_2.20141203.bb      |  48 -----
 .../refpolicy/refpolicy-minimum_2.20151208.bb      |  48 +++++
 .../refpolicy/refpolicy-mls_2.20141203.bb          |  10 -
 .../refpolicy/refpolicy-mls_2.20151208.bb          |  10 +
 .../refpolicy/refpolicy-standard_2.20141203.bb     |   8 -
 .../refpolicy/refpolicy-standard_2.20151208.bb     |   8 +
 .../refpolicy/refpolicy-targeted_2.20141203.bb     |  20 --
 .../refpolicy/refpolicy-targeted_2.20151208.bb     |  20 ++
 .../refpolicy/refpolicy_2.20141203.inc             |  60 ------
 .../refpolicy/refpolicy_2.20151208.inc             |  60 ++++++
 98 files changed, 2022 insertions(+), 2066 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy_2.20141203.inc
 create mode 100644 recipes-security/refpolicy/refpolicy_2.20151208.inc

diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
deleted file mode 100644
index 49da4b6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li at windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root at localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
-   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
-root at localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li at windriver.com>
----
- policy/modules/contrib/ftp.te |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
-index 544c512..12a31dd 100644
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
- 
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
deleted file mode 100644
index 3ff8f55..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..a74c40c 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,5 @@
- /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
- 
- /sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
deleted file mode 100644
index 24b67c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f051c4a..ab624f3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
- /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
- 
- #
- # /opt
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
deleted file mode 100644
index db4c4d4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..7f3e5b0 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,3 @@
- 
- /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
deleted file mode 100644
index 59ba5bc..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/bind.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
-index 2b9a3a1..fd45d53 100644
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- 
- /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index 427181e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/authlogin.fc |    7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c8dd17f 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,5 +1,7 @@
- 
- /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin	--	gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-@@ -9,9 +11,9 @@
- 
- /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
deleted file mode 100644
index 80cca67..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix real path for resolv.conf
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/sysnetwork.fc |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..dec8632 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
- /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
- 
- /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 29ac2c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/admin/usermanage.fc |    6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce..841ba9b 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
- 
- /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow	--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin	--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- 
- /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
deleted file mode 100644
index b0392ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan at windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
----
- policy/modules/admin/su.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index a563687..0f43827 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -4,3 +4,5 @@
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
-+
-+/bin/su.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
deleted file mode 100644
index 9c45694..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan at windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
----
- policy/modules/system/fstools.fc |    9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d10368d..f22761a 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,6 +1,8 @@
- /sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,12 @@
- /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +29,7 @@
- /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -32,8 +38,10 @@
- /sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -45,6 +53,7 @@
- 
- /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index a7d434f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li at windriver.com>
----
- policy/modules/contrib/ftp.fc |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
-index ddb75c1..26fec47 100644
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -9,7 +9,7 @@
- 
- /usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- 
--/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
deleted file mode 100644
index 89b1547..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..84ac92b 100644
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -13,6 +13,7 @@
- /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- 
- /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
deleted file mode 100644
index bbd83ec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/mta.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
-index f42896c..0d4bcef 100644
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
- /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
deleted file mode 100644
index b45d03e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..f2ed3dc 100644
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -3,6 +3,7 @@
- /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
deleted file mode 100644
index 1db328c..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/nscd.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
-index ba64485..61a6f24 100644
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,6 +1,7 @@
- /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
- 
- /usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
- 
- /var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
deleted file mode 100644
index 7ba3380..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan at windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
----
- policy/modules/contrib/rpm.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
-index ebe91fc..539063c 100644
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
- 
- ifdef(`enable_mls',`
- /usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
deleted file mode 100644
index 3218194..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/screen.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
-index e7c2cf7..49ddca2 100644
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
- 
- /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*	--	gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
- 
- /var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
deleted file mode 100644
index 9aeb3a2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..9717428 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
- 
- /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
deleted file mode 100644
index 358e4ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..a563687 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,5 +1,6 @@
- 
- /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
deleted file mode 100644
index cfec7d9..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes 
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
----
- config/file_contexts.subs_dist |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -19,3 +19,13 @@
- /usr/local/lib64 /usr/lib
- /usr/local/lib /usr/lib
- /var/run/lock /var/lock
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
deleted file mode 100644
index 64f497d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
----
- policy/modules/system/sysnetwork.fc |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index fbb935c..a194622 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -4,6 +4,7 @@
- #
- /bin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /dev
-@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
- /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ethtool  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
- /sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
deleted file mode 100644
index c6c19be..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan at windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
----
- policy/modules/system/udev.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..491bb23 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -10,6 +10,7 @@
- /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
- ')
- 
- /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index cedb5b5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/hostname.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..4003b6d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,3 @@
- 
- /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index 868ee6b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/logging.fc |    4 ++++
- policy/modules/system/logging.te |    1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..c005f33 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,19 +2,23 @@
- 
- /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
- /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
- /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 87e3db2..2914b0b 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
- 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index 3a617d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/shutdown.fc    |    1 +
- policy/modules/kernel/corecommands.fc |    1 +
- policy/modules/system/init.fc         |    1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
-index a91f33b..90e51e0 100644
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -3,6 +3,7 @@
- /lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index bcfdba7..87502a3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -10,6 +10,7 @@
- /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
- /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..020b9fe 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
- # /sbin
- #
- /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
deleted file mode 100644
index 9a3322f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/kernel/terminal.if |   16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..7519d0e 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file getattr;
-+	dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
-@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir search;
- 	allow $1 devpts_t:chr_file ioctl;
-+	allow $1 bsdpty_device_t:chr_file ioctl;
- ')
- 
- ########################################
-@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	allow $1 devpts_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file setattr;
-+	dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir list_dir_perms;
- 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- ########################################
-@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
- 
- #######################################
-@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- #######################################
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index aa9734a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ad9ea5..70427d8 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
- 
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
deleted file mode 100644
index 210c297..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/kernel/files.fc |    1 +
- policy/modules/kernel/files.if |    8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..a0db748 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
- # /tmp
- #
- /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.*				<<none>>
- /tmp/\.journal			<<none>>
- 
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..a7384b0 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir search_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir list_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
- 	')
- 
- 	allow $1 tmp_t:dir del_entry_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
- 	')
- 
- 	read_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
- 	')
- 
- 	manage_dirs_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
- 	')
- 
- 	manage_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
- 	')
- 
- 	rw_sock_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
- 	')
- 
- 	filetrans_pattern($1, tmp_t, $2, $3, $4)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
deleted file mode 100644
index 18a92dd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/kernel/domain.te |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9ffe6b0 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
- 
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- 	# This check is in the general socket
- 	# listen code, before protocol-specific
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
deleted file mode 100644
index 8bc40c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/apache.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index ec8bd13..06f2e95 100644
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
- 
- allow httpd_t httpd_modules_t:dir list_dir_perms;
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index cbf0f7d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 8426a49..2ad9ea5 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index b06f3ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |   14 +++++++++++++-
- policy/modules/system/logging.te |    1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index c005f33..9529e40 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
- 
- /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9a6f599 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
- #
- interface(`logging_read_audit_log',`
- 	gen_require(`
--		type auditd_log_t;
-+		type auditd_log_t, var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	read_files_pattern($1, auditd_log_t, auditd_log_t)
- 	allow $1 auditd_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir search_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir rw_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
- interface(`logging_read_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, logfile, logfile)
- ')
- 
-@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	can_exec($1, logfile)
- ')
- 
-@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
- 
- 	files_search_var($1)
- 	manage_files_pattern($1, var_log_t, var_log_t)
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ab0a49..2795d89 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
deleted file mode 100644
index 92b1592..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li at windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/logging.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2914b0b..2ab0a49 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
- 
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
- 
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index e77a730..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/contrib/rpc.te   |    2 +-
- policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 9566932..5605205 100644
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
- 
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..8a669c5 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
- 
- ########################################
- ## <summary>
-+##	Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+	gen_require(`
-+		type proc_t;
-+	')
-+
-+	allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index 9ef61b4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
----
- policy/modules/system/selinuxutil.te |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 9058dd8..f998491 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
- 
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index ec3dbf4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li at windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li at windriver.com>
----
- policy/modules/roles/sysadm.te |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1767217..5502c6a 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -413,6 +413,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- 	vmware_role(sysadm_r, sysadm_t)
- ')
- 
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
deleted file mode 100644
index 82370d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/kernel/terminal.if |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 7519d0e..45de1ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -299,9 +299,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- 	gen_require(`
- 		type console_device_t;
-+		type tty_device_t;
- 	')
- 
-+	init_dontaudit_use_fds($1)
- 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
- 
- ########################################
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index d6c8dbf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/admin/dmesg.if |    1 +
- policy/modules/admin/dmesg.te |    2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c7..739a4bc 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
- 
- 	corecmd_search_bin($1)
- 	can_exec($1, dmesg_exec_t)
-+	dev_read_kmsg($1)
- ')
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..c591aea 100644
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 302a38f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
----
- policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
- 		type security_t;
- 	')
- 
-+	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+	# access sysfs
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem mount;
- ')
- 
-@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem remount;
- ')
- 
-@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem unmount;
- ')
- 
-@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem getattr;
- ')
- 
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:filesystem getattr;
- ')
- 
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir getattr;
- ')
- 
-@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir search_dir_perms;
- ')
-@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- ')
- 
-@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- 	dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
- 
-@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- 	allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
- 		attribute can_setsecparam;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir list_dir_perms;
- 	dontaudit $1 security_t:file rw_file_perms;
- 	dontaudit $1 security_t:security check_context;
-@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
deleted file mode 100644
index f04ebec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
----
- policy/modules/contrib/rpc.te       |    5 +++++
- policy/modules/contrib/rpcbind.te   |    5 +++++
- policy/modules/kernel/filesystem.te |    1 +
- policy/modules/kernel/kernel.te     |    2 ++
- 4 files changed, 13 insertions(+)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
- 
- optional_policy(`
- 	mount_exec(nfsd_t)
-+	# Should domtrans to mount_t while mounting nfsd_fs_t.
-+	mount_domtrans(nfsd_t)
-+	# nfsd_t need to chdir to /var/lib/nfs and read files.
-+	files_list_var(nfsd_t)
-+	rpc_read_nfs_state_data(nfsd_t)
- ')
- 
- ########################################
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
- 
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
- 
- type oprofilefs_t;
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
- 
- ifdef(`distro_redhat',`
- 	# Bugzilla 222337
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 0b8cc5d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
----
- policy/modules/system/selinuxutil.te |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index f998491..1a4e565 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
- 
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
deleted file mode 100644
index be33bf1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang at windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
----
- policy/modules/system/selinuxutil.if |    1 +
- policy/modules/system/userdomain.if  |    4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..db03ca1 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
- 	')
- 
- 	files_search_etc($1)
-+	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
- 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index b4a691d..20c8bf8 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
- 	logging_read_audit_config($1)
- 
- 	seutil_manage_bin_policy($1)
-+	seutil_manage_default_contexts($1)
-+	seutil_manage_file_contexts($1)
-+	seutil_manage_module_store($1)
-+	seutil_manage_config($1)
- 	seutil_run_checkpolicy($1, $2)
- 	seutil_run_loadpolicy($1, $2)
- 	seutil_run_semanage($1, $2)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
deleted file mode 100644
index 2ae4185..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade at mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH] refpolicy: update for systemd related allow rules
-
-It provide, the systemd support related allow rules
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
----
- policy/modules/system/init.te |    5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c8f007d..a9675f6 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -929,3 +929,8 @@ optional_policy(`
- optional_policy(`
- 	zebra_read_config(initrc_t)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
-\ No newline at end of file
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
new file mode 100644
index 0000000..49da4b6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -0,0 +1,39 @@
+From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li at windriver.com>
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root at localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
+   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
+root at localhost:~#
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/contrib/ftp.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12a31dd 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+1.7.10.4
+
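Review bot: `mls_file_write_all_levels(ftpd_t)` exempts a network-facing daemon from the MLS write constraint for files at every level, which is much wider than the quoted denials require; they show only `write` and `add_name` on the ranged `var_run_t` directory (`s0-s15:c0.c1023`). A narrower grant such as `mls_file_write_within_range(ftpd_t)` may be enough for that directory and should be tried first, though whether it covers the `proftpd.delay` case is not verifiable from this hunk. If the broad exemption is kept, it deserves a comment above the call, for example `# proftpd runs at s15 and must create its delay file under /var/run (s0-s15)`. The call also sits between the `ftpdctl_tmp_t` and `sftpd_t` declarations, not next to other `ftpd_t` rules, which makes it easy to miss in a policy audit.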
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
new file mode 100644
index 0000000..3ff8f55
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
@@ -0,0 +1,22 @@
+Subject: [PATCH] refpolicy: fix real path for clock
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..a74c40c 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,5 @@
+ /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
+ 
+ /sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
new file mode 100644
index 0000000..24b67c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for corecommands
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index f051c4a..ab624f3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
+ /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+ /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ #
+ # /opt
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
new file mode 100644
index 0000000..db4c4d4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] refpolicy: fix real path for dmesg
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/admin/dmesg.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..7f3e5b0 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
new file mode 100644
index 0000000..59ba5bc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
@@ -0,0 +1,30 @@
+From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 19:09:11 +0800
+Subject: [PATCH] refpolicy: fix real path for bind.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/bind.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
+index 2b9a3a1..fd45d53 100644
+--- a/policy/modules/contrib/bind.fc
++++ b/policy/modules/contrib/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
+-- 
+1.7.9.5
+
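Review bot: The new `/etc/bind/rndc\.conf` entry is labelled `named_conf_t`, while the neighbouring `/etc/bind/rndc\.key` is labelled `dnssec_t`. An `rndc.conf` commonly carries the control-channel key inline in a `key` clause; if that is the case on these images, every domain allowed to read `named_conf_t` can read the secret. Either label it like the key file, `/etc/bind/rndc\.conf	--	gen_context(system_u:object_r:dnssec_t,s0)`, or state in the patch description that the shipped `rndc.conf` only includes `rndc.key`. The added line is also separated with spaces where the surrounding entries use tabs.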
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/authlogin.fc |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+ 
+ /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.tinylogin	--	gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+ 
+ /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+-- 
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
new file mode 100644
index 0000000..80cca67
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/sysnetwork.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+ /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+-- 
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
new file mode 100644
index 0000000..29ac2c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
@@ -0,0 +1,34 @@
+Subject: [PATCH] fix real path for shadow commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/admin/usermanage.fc |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..841ba9b 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
+ 
+ /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow	--	gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.tinylogin	--	gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vigr\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vipw\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ 
+ /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
new file mode 100644
index 0000000..b0392ce
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
@@ -0,0 +1,25 @@
+From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan at windriver.com>
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fix real path for su.shadow command
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ policy/modules/admin/su.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index a563687..0f43827 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -4,3 +4,5 @@
+ 
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
++
++/bin/su.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.9.5
+
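Review bot: The dot in `/bin/su.shadow` is not escaped, so the file-context regex accepts any character in that position and is not limited to the update-alternatives name. The sibling patches in this series escape it (`hwclock\.util-linux`, `login\.shadow`), so this should read `/bin/su\.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)`. The same applies to `/bin/cpio.cpio` in poky-fc-rpm.patch, which should be `/bin/cpio\.cpio`. Keeping entry-point labels such as `su_exec_t` bound to exact paths avoids labelling an unintended file.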
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
new file mode 100644
index 0000000..9c45694
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
@@ -0,0 +1,70 @@
+From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan at windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH] refpolicy: fix real path for fstools
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/fstools.fc |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index d10368d..f22761a 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -1,6 +1,8 @@
+ /sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blkid/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blockdev/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -9,9 +11,12 @@
+ /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/fdisk/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/hdparm/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -24,6 +29,7 @@
+ /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/mkswap/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -32,8 +38,10 @@
+ /sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/swapoff/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -45,6 +53,7 @@
+ 
+ /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
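Review bot: The six `.util-linux` entries are written with a slash where an escape was meant, for example `/sbin/blkid/.util-linux`. As a regex that requires a literal `/` after `blkid` followed by any one character, so it cannot match a file named `/sbin/blkid.util-linux`. The update-alternatives targets for blkid, blockdev, fdisk, hdparm, mkswap and swapoff therefore never receive `fsadm_exec_t` from these lines and presumably fall back to a generic label. Following the form used in poky-fc-clock.patch and poky-fc-dmesg.patch, they should be `/sbin/blkid\.util-linux`, `/sbin/blockdev\.util-linux` and so on. Since this patch is being carried forward unchanged into the new version directory, the refresh is a good moment to fix it.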
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
new file mode 100644
index 0000000..a7d434f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
@@ -0,0 +1,27 @@
+fix ftpwho install dir
+
+Upstream-Status: Pending
+
+ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/contrib/ftp.fc |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
+index ddb75c1..26fec47 100644
+--- a/policy/modules/contrib/ftp.fc
++++ b/policy/modules/contrib/ftp.fc
+@@ -9,7 +9,7 @@
+ 
+ /usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ 
+-/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
++/usr/bin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+-- 
+1.7.10.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
new file mode 100644
index 0000000..89b1547
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for iptables
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/iptables.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 14cffd2..84ac92b 100644
+--- a/policy/modules/system/iptables.fc
++++ b/policy/modules/system/iptables.fc
+@@ -13,6 +13,7 @@
+ /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ 
+ /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
new file mode 100644
index 0000000..bbd83ec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
@@ -0,0 +1,27 @@
+From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 19:21:55 +0800
+Subject: [PATCH] refpolicy: fix real path for mta
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/mta.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
+index f42896c..0d4bcef 100644
+--- a/policy/modules/contrib/mta.fc
++++ b/policy/modules/contrib/mta.fc
+@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
+ /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
new file mode 100644
index 0000000..b45d03e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for netutils
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/admin/netutils.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..f2ed3dc 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -3,6 +3,7 @@
+ /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+ /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
++/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
+ 
+ /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
new file mode 100644
index 0000000..1db328c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
@@ -0,0 +1,27 @@
+From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 19:25:36 +0800
+Subject: [PATCH] refpolicy: fix real path for nscd
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/nscd.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
+index ba64485..61a6f24 100644
+--- a/policy/modules/contrib/nscd.fc
++++ b/policy/modules/contrib/nscd.fc
+@@ -1,6 +1,7 @@
+ /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+ 
+ /usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
++/usr/bin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
+ 
+ /var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
new file mode 100644
index 0000000..7ba3380
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
@@ -0,0 +1,25 @@
+From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan at windriver.com>
+Date: Mon, 27 Jan 2014 01:13:06 -0500
+Subject: [PATCH] refpolicy: fix real path for cpio
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ policy/modules/contrib/rpm.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
+index ebe91fc..539063c 100644
+--- a/policy/modules/contrib/rpm.fc
++++ b/policy/modules/contrib/rpm.fc
+@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
+ 
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
new file mode 100644
index 0000000..3218194
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
@@ -0,0 +1,27 @@
+From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 19:27:19 +0800
+Subject: [PATCH] refpolicy: fix real path for screen
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/screen.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
+index e7c2cf7..49ddca2 100644
+--- a/policy/modules/contrib/screen.fc
++++ b/policy/modules/contrib/screen.fc
+@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
+ 
+ /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.*	--	gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
+ 
+ /var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
+-- 
+1.7.9.5
+
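Review bot: `/usr/bin/screen-.*` labels every regular file under `/usr/bin` whose name starts with `screen-` as `screen_exec_t`, not only the versioned screen binary this patch is presumably aimed at. If the intent is the `screen-<version>` name installed by the recipe, a tighter pattern such as `/usr/bin/screen-[0-9].*` would keep unrelated tools from receiving the entry-point type. The patch description gives no rationale, so the intended target path should be stated there or in a comment.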
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
new file mode 100644
index 0000000..9aeb3a2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for ssh
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 078bcd7..9717428 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ 
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
new file mode 100644
index 0000000..358e4ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
@@ -0,0 +1,23 @@
+Subject: [PATCH] refpolicy: fix real path for su
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/admin/su.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..a563687 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,5 +1,6 @@
+ 
+ /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
+ 
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
new file mode 100644
index 0000000..cfec7d9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+
+This file is used for Linux distros to define specific pathes 
+mapping to the pathes in file_contexts.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+---
+ config/file_contexts.subs_dist |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -19,3 +19,13 @@
+ /usr/local/lib64 /usr/lib
+ /usr/local/lib /usr/lib
+ /var/run/lock /var/lock
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
++/www /var/www
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
new file mode 100644
index 0000000..64f497d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
@@ -0,0 +1,46 @@
+From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH] refpolicy: fix real path for sysnetwork
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
+---
+ policy/modules/system/sysnetwork.fc |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index fbb935c..a194622 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -4,6 +4,7 @@
+ #
+ /bin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+ #
+ # /dev
+@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
+ /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ethtool  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
+ /sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
new file mode 100644
index 0000000..c6c19be
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
@@ -0,0 +1,35 @@
+From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan at windriver.com>
+Date: Sat, 25 Jan 2014 23:40:05 -0500
+Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+ policy/modules/system/udev.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 40928d8..491bb23 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -10,6 +10,7 @@
+ /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
++/lib/udev/udevd    --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
+ ')
+ 
+ /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
new file mode 100644
index 0000000..cedb5b5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,23 @@
+From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 3/4] fix update-alternatives for hostname
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/hostname.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
new file mode 100644
index 0000000..868ee6b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,59 @@
+From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 2/4] fix update-alternatives for sysklogd
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
+for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.fc |    4 ++++
+ policy/modules/system/logging.te |    1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index b50c5fe..c005f33 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,19 +2,23 @@
+ 
+ /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/syslog\.sysklogd --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+ 
+ /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
++/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
++/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 87e3db2..2914b0b 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+-- 
+1.7.9.5
+
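Review bot: The added rule `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` in logging.te applies the regular-file permission set to the `lnk_file` class, which grants more than following the link needs. The other symlink rules in this series use the link-specific set, so this line would read `allow syslogd_t syslog_conf_t:lnk_file read_lnk_file_perms;`. The hunk shows only part of the syslogd_t rules, so whether another rule already covers the link cannot be checked from here.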
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
new file mode 100644
index 0000000..3a617d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
@@ -0,0 +1,53 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/4] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/shutdown.fc    |    1 +
+ policy/modules/kernel/corecommands.fc |    1 +
+ policy/modules/system/init.fc         |    1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
+index a91f33b..90e51e0 100644
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -3,6 +3,7 @@
+ /lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index bcfdba7..87502a3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -10,6 +10,7 @@
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
++/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index bc0ffc8..020b9fe 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+ # /sbin
+ #
+ /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
++/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
new file mode 100644
index 0000000..9a3322f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -0,0 +1,121 @@
+From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/kernel/terminal.if |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 771bce1..7519d0e 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file getattr;
++	dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir search;
+ 	allow $1 devpts_t:chr_file ioctl;
++	allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+ 
+ ########################################
+@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	allow $1 devpts_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file setattr;
++	dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+ 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
+@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ #######################################
+@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ #######################################
+-- 
+1.7.9.5
+
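Review bot: The last two interfaces, `term_setattr_controlling_term` and `term_use_controlling_term`, are named for the controlling terminal and so far require only `devtty_t`, yet the patch adds `bsdpty_device_t` rules to them as well, which widens every caller. A domain.te hunk header elsewhere in this series shows `term_use_controlling_term(domain)`, so this would appear to give all domains `{ rw_term_perms lock append }` on BSD pty devices. If the goal is only to complete the generic pty interfaces, the two controlling-term additions could be dropped. Otherwise each should carry a comment giving the reason and noting that all callers gain the access. The `## <summary>` blocks of the touched interfaces sit outside the hunks and are not updated to mention the extra type.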
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
new file mode 100644
index 0000000..210c297
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
@@ -0,0 +1,99 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] add rules for the symlink of /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/kernel/files.fc |    1 +
+ policy/modules/kernel/files.if |    8 ++++++++
+ 2 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 8796ca3..a0db748 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
+ # /tmp
+ #
+ /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.*				<<none>>
+ /tmp/\.journal			<<none>>
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index e1e814d..a7384b0 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
+ 	')
+ 
+ 	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ 	')
+ 
+ 	manage_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ 	')
+ 
+ 	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
+ 	')
+ 
+ 	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.5.4
+
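Review bot: Each added `allow $1 tmp_t:lnk_file read_lnk_file_perms;` in files.if covers every symlink labelled `tmp_t`, not only the /tmp link that the new `-l` entry in files.fc labels. Because `/tmp/.*` is `<<none>>`, links created inside the directory by domains without a type transition presumably also end up as `tmp_t`, so callers of these eight interfaces could read those too. A comment on the rule would make the scope explicit, for example `# /tmp is a symlink on poky; note this matches any tmp_t lnk_file`. The interface bodies start outside the hunks, so their `gen_require` blocks cannot be checked from here.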
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
new file mode 100644
index 0000000..18a92dd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -0,0 +1,34 @@
+From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/kernel/domain.te |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..9ffe6b0 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ ifdef(`hide_broken_symptoms',`
+ 	# This check is in the general socket
+ 	# listen code, before protocol-specific
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
new file mode 100644
index 0000000..8bc40c4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -0,0 +1,31 @@
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/apache.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index ec8bd13..06f2e95 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+ 
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
new file mode 100644
index 0000000..b06f3ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
@@ -0,0 +1,145 @@
+From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/6] add rules for the symlink of /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.fc |    1 +
+ policy/modules/system/logging.if |   14 +++++++++++++-
+ policy/modules/system/logging.te |    1 +
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index c005f33..9529e40 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 4e94884..9a6f599 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+ 	gen_require(`
+-		type auditd_log_t;
++		type auditd_log_t, var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	read_files_pattern($1, auditd_log_t, auditd_log_t)
+ 	allow $1 auditd_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir search_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir rw_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	can_exec($1, logfile)
+ ')
+ 
+@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	write_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	rw_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	manage_files_pattern($1, var_log_t, var_log_t)
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ab0a49..2795d89 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
new file mode 100644
index 0000000..92b1592
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -0,0 +1,31 @@
+From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li at windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2914b0b..2ab0a49 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+ 
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+-- 
+1.7.9.5
+
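Review bot: The trailing comment on `mls_trusted_object(syslogd_t)` names only /dev/log, but the attribute is placed on the whole `syslogd_t` type rather than on the socket. Going by the macro name, that marks `syslogd_t` as a trusted target for MLS checks in general, which is broader than the connectto/sendto case the comment gives; this should be confirmed against the MLS constraints. I would spell the scope out, e.g. `# MLS: clients at any level must connectto/sendto syslogd_t via /dev/log; this marks the whole type as a trusted object`.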
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..e77a730
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,58 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/contrib/rpc.te   |    2 +-
+ policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 9566932..5605205 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 649e458..8a669c5 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton a proc filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	allow $1 proc_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.7.5.4
+
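Review bot: Nothing in the patch explains why `nfsd_t` needs `proc_t:dir mounton`; the subject speaks of executing shell commands, while the change un-comments `kernel_mounton_proc(nfsd_t)` in rpc.te and adds that interface to kernel.if. Using a proc directory as a mount point is a notable permission for a daemon that also binds the NFS port, so the call deserves a why-comment, for example `# TODO(review): state what nfsd mounts on proc_t and quote the AVC denial`. The interface summary `Mounton a proc filesystem.` would read more accurately as `Mount a filesystem on a proc directory.`, since the rule is `allow $1 proc_t:dir mounton;`.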
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
new file mode 100644
index 0000000..9ef61b4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -0,0 +1,30 @@
+From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix setfiles_t to read symlinks
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
+---
+ policy/modules/system/selinuxutil.te |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 9058dd8..f998491 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+ 
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
++
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+-- 
+1.7.9.5
+
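Review bot: The new `files_read_all_symlinks(setfiles_t)` lands directly below the context line `files_dontaudit_read_all_symlinks(setfiles_t)`, so the policy now both allows and silences the same access. The dontaudit call appears to be left without effect and should be removed in the same hunk, or the allow narrowed if reading every symlink is more than restorecon needs. `files_read_usr_symlinks(setfiles_t)` two lines up looks redundant for the same reason.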
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
new file mode 100644
index 0000000..ec3dbf4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,33 @@
+From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li at windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH] allow sysadm to run rpcinfo
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
+type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/roles/sysadm.te |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 1767217..5502c6a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -413,6 +413,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpcbind_stream_connect(sysadm_t)
++')
++
++optional_policy(`
+ 	vmware_role(sysadm_r, sysadm_t)
+ ')
+ 
+-- 
+1.7.10.4
+
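Review bot: The AVC quoted in the patch header has `rpcbind_t` as both `scontext` and `tcontext`, but the sysadm.te hunk adds `rpcbind_stream_connect(sysadm_t)`, which grants the connect to `sysadm_t` rather than to the domain that was denied. As quoted, that denial would not be resolved by this rule. Presumably the log came from a different configuration, or rpcinfo was running in rpcbind_t at the time. I would replace the header text with the denial actually seen for `sysadm_t`, or add one sentence explaining how the two relate, so the grant can be audited against evidence.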
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
new file mode 100644
index 0000000..82370d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
@@ -0,0 +1,35 @@
+From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/kernel/terminal.if |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 7519d0e..45de1ac 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -299,9 +299,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
++		type tty_device_t;
+ 	')
+ 
++	init_dontaudit_use_fds($1)
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.9.5
+
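Review bot: `term_dontaudit_use_console` now also silences read/write on `tty_device_t` and use of init file descriptors for every caller, which neither the interface name nor its summary block (above the inner hunk, not visible here) says. Denials suppressed by dontaudit do not appear in the audit log, so anyone triaging from AVC records will miss them unless dontaudit rules are disabled first (`semodule -DB`). I would add a comment above the new lines, `# Poky-only: also dontaudit rw on tty_device_t and use of init fds`, and update the interface summary to match.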
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
new file mode 100644
index 0000000..d6c8dbf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -0,0 +1,37 @@
+From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/admin/dmesg.if |    1 +
+ policy/modules/admin/dmesg.te |    2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c7..739a4bc 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+ 
+ 	corecmd_search_bin($1)
+ 	can_exec($1, dmesg_exec_t)
++	dev_read_kmsg($1)
+ ')
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 72bc6d8..c591aea 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
+ 
+ dev_read_sysfs(dmesg_t)
+ 
++dev_read_kmsg(dmesg_t)
++
+ fs_search_auto_mountpoints(dmesg_t)
+ 
+ term_dontaudit_use_console(dmesg_t)
+-- 
+1.7.9.5
+
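Review bot: Adding `dev_read_kmsg($1)` to the `dmesg_exec` interface (the dmesg.if hunk) gives kernel-log read access to every domain allowed to execute dmesg in its own domain, not only to `dmesg_t`. The dmesg.te hunk already covers the confined case with `dev_read_kmsg(dmesg_t)`. Kernel log contents can include addresses and device details, so I would drop the dmesg.if line unless a specific caller is known to need it, and grant it to that caller directly. The patch header also lacks an `Upstream-Status:` line, which the neighbouring patches carry.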
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..7e92b64
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,185 @@
+From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+---
+ policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+Index: refpolicy/policy/modules/kernel/selinux.if
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/selinux.if
++++ refpolicy/policy/modules/kernel/selinux.if
+@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
+ 		type security_t;
+ 	')
+ 
++	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to
++	# access sysfs
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	# starting in libselinux 2.0.5, init_selinuxmnt() will
+ 	# attempt to short circuit by checking if SELINUXMNT
+ 	# (/selinux) is already a selinuxfs
+@@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	# starting in libselinux 2.0.5, init_selinuxmnt() will
+ 	# attempt to short circuit by checking if SELINUXMNT
+ 	# (/selinux) is already a selinuxfs
+@@ -117,6 +122,8 @@ interface(`selinux_mount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem mount;
+ ')
+ 
+@@ -136,6 +143,8 @@ interface(`selinux_remount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem remount;
+ ')
+ 
+@@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem unmount;
+ ')
+ 
+@@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem getattr;
+ 
+ 	dev_getattr_sysfs($1)
+@@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs'
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:filesystem getattr;
+ 
+ 	dev_dontaudit_getattr_sysfs($1)
+@@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir getattr;
+ ')
+ 
+@@ -234,6 +249,7 @@ interface(`selinux_search_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir search_dir_perms;
+ ')
+@@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs',
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ 	dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -361,6 +380,7 @@ interface(`selinux_read_policy',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans'
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -522,6 +544,7 @@ interface(`selinux_validate_context',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir list_dir_perms;
+ 	dontaudit $1 security_t:file rw_file_perms;
+ 	dontaudit $1 security_t:security check_context;
+@@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -660,6 +685,13 @@ interface(`selinux_compute_user_contexts
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
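Review bot: The last inner hunk, in `selinux_compute_user_contexts` (`@@ -660,6 +685,13 @@`), adds `dev_getattr_sysfs_dirs($1)` seven times in a row, where every other interface in this patch adds it once. This looks like an artifact of the refresh mentioned in the commit message. The repeats should not change the compiled policy, but they make the carried patch harder to review and rebase. Reduce the run to a single `dev_getattr_sysfs_dirs($1)` and regenerate the patch so the hunk header and the diffstat (`32 insertions(+), 2 deletions(-)`, although no inner hunk removes a line) match the content. The interface body continues past the end of the inner hunk.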
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
new file mode 100644
index 0000000..f04ebec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -0,0 +1,65 @@
+From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+---
+ policy/modules/contrib/rpc.te       |    5 +++++
+ policy/modules/contrib/rpcbind.te   |    5 +++++
+ policy/modules/kernel/filesystem.te |    1 +
+ policy/modules/kernel/kernel.te     |    2 ++
+ 4 files changed, 13 insertions(+)
+
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ optional_policy(`
+ 	mount_exec(nfsd_t)
++	# Should domtrans to mount_t while mounting nfsd_fs_t.
++	mount_domtrans(nfsd_t)
++	# nfsd_t need to chdir to /var/lib/nfs and read files.
++	files_list_var(nfsd_t)
++	rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
+--- a/policy/modules/contrib/rpcbind.te
++++ b/policy/modules/contrib/rpcbind.te
+@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type oprofilefs_t;
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ 	# Bugzilla 222337
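Review bot: The rpcbind.te and kernel.te hunks exempt `rpcbind_t` and `kernel_t` from the MLS socket constraints at all levels (`mls_socket_read_all_levels`, `mls_socket_write_all_levels`, `mls_fd_use_all_levels`), which is wider than the stated need of letting nfsd_t reach rpcbind_t across a level difference. On an MLS build this effectively makes rpcbind_t a trusted subject for socket traffic in both directions. The kernel.te additions carry no comment, so I would add one naming the denial they resolve and check whether running nfsd and rpcbind at the same range avoids the override. In the rpc.te hunk, `mount_exec(nfsd_t)` stays next to the new `mount_domtrans(nfsd_t)`. If the transition is the intent, the in-domain exec grant looks unnecessary and could be dropped.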
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
new file mode 100644
index 0000000..0b8cc5d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -0,0 +1,32 @@
+From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Fri, 23 Aug 2013 14:38:53 +0800
+Subject: [PATCH] fix setfiles statvfs to get file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
+---
+ policy/modules/system/selinuxutil.te |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index f998491..1a4e565 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
+ # needs to be able to read symlinks to make restorecon on symlink working
+ files_read_all_symlinks(setfiles_t)
+ 
+-fs_getattr_all_xattr_fs(setfiles_t)
++fs_getattr_all_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+ fs_relabelfrom_noxattr_fs(setfiles_t)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
new file mode 100644
index 0000000..be33bf1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
@@ -0,0 +1,43 @@
+From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang at windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/selinuxutil.if |    1 +
+ policy/modules/system/userdomain.if  |    4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+ 	')
+ 
+ 	files_search_etc($1)
++	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b4a691d..20c8bf8 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
+ 	logging_read_audit_config($1)
+ 
+ 	seutil_manage_bin_policy($1)
++	seutil_manage_default_contexts($1)
++	seutil_manage_file_contexts($1)
++	seutil_manage_module_store($1)
++	seutil_manage_config($1)
+ 	seutil_run_checkpolicy($1, $2)
+ 	seutil_run_loadpolicy($1, $2)
+ 	seutil_run_semanage($1, $2)
+-- 
+1.7.9.5
+
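Review bot: The userdomain.if hunk gives the security-admin role domain direct manage rights on default contexts, file contexts, the module store and SELinux config (`seutil_manage_default_contexts($1)` through `seutil_manage_config($1)`). The same template already lets that domain run checkpolicy, loadpolicy and semanage through the `seutil_run_*` calls that follow. Direct write access from the user domain means these files can be changed outside the confined tool domains, which weakens the separation the run interfaces provide. The patch header gives no denial or use case, so I would add one and keep only the `seutil_manage_*` lines it justifies. The template body starts and ends outside the inner hunk.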
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..2ae4185
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
@@ -0,0 +1,29 @@
+From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Fri, 12 Jun 2015 19:37:52 +0530
+Subject: [PATCH] refpolicy: update for systemd related allow rules
+
+It provide, the systemd support related allow rules
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/init.te |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index c8f007d..a9675f6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -929,3 +929,8 @@ optional_policy(`
+ optional_policy(`
+ 	zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
+\ No newline at end of file
+-- 
+1.7.9.5
+
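Review bot: The three raw `allow` rules appended to init.te are unconditional, so they are compiled into images that do not use systemd as well. `allow kernel_t init_t:process dyntransition;` is a sensitive grant to carry everywhere. I would gate them on the policy's systemd build condition, if this refpolicy release provides one, and express them through interfaces rather than cross-module raw rules where such interfaces exist. The patch header has no `Upstream-Status:` line, and the file ends without a trailing newline (`\ No newline at end of file`), which tends to cause trouble on the next refresh.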
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
deleted file mode 100644
index 062727b..0000000
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MCS support. \
-An MCS policy is the same as an MLS policy but with only one sensitivity \
-level. This is useful on systems where a hierarchical policy (MLS) isn't \
-needed (pretty much all systems) but the non-hierarchical categories are. \
-"
-
-POLICY_TYPE = "mcs"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
new file mode 100644
index 0000000..062727b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
@@ -0,0 +1,11 @@
+SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+"
+
+POLICY_TYPE = "mcs"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
deleted file mode 100644
index b275821..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
+++ /dev/null
@@ -1,48 +0,0 @@
-include refpolicy-targeted_${PV}.bb
-
-SUMMARY = "SELinux minimum policy"
-DESCRIPTION = "\
-This is a minimum reference policy with just core policy modules, and \
-could be used as a base for customizing targeted policy. \
-Pretty much everything runs as initrc_t or unconfined_t so all of the \
-domains are unconfined. \
-"
-
-POLICY_NAME = "minimum"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
-CORE_POLICY_MODULES = "unconfined \
-	selinuxutil storage sysnetwork \
-	application libraries miscfiles logging userdomain \
-	init mount modutils getty authlogin locallogin \
-	"
-
-# nscd caches libc-issued requests to the name service.
-# Without nscd.pp, commands want to use these caches will be blocked.
-EXTRA_POLICY_MODULES += "nscd"
-
-# pam_mail module enables checking and display of mailbox status upon
-# "login", so "login" process will access to /var/spool/mail.
-EXTRA_POLICY_MODULES += "mta"
-
-POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
-	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-
-	# Prepare to create policy store
-	mkdir -p ${D}${sysconfdir}/selinux/
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
-	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-		bzip2 -f $i && mv -f $i.bz2 $i
-	done
-	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-	for i in ${POLICY_MODULES_MIN}; do
-		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
-	done
-}
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
new file mode 100644
index 0000000..b275821
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -0,0 +1,48 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+
+CORE_POLICY_MODULES = "unconfined \
+	selinuxutil storage sysnetwork \
+	application libraries miscfiles logging userdomain \
+	init mount modutils getty authlogin locallogin \
+	"
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+
+	# Prepare to create policy store
+	mkdir -p ${D}${sysconfdir}/selinux/
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
+	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+		bzip2 -f $i && mv -f $i.bz2 $i
+	done
+	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+	for i in ${POLICY_MODULES_MIN}; do
+		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+	done
+}
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
deleted file mode 100644
index 7388232..0000000
--- a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MLS support. \
-It allows giving data labels such as \"Top Secret\" and preventing \
-such data from leaking to processes or files with lower classification. \
-"
-
-POLICY_TYPE = "mls"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
new file mode 100644
index 0000000..7388232
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
@@ -0,0 +1,10 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+
+POLICY_TYPE = "mls"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
deleted file mode 100644
index 3674fdd..0000000
--- a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMMARY = "Standard variants of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SELinux built with type enforcement \
-only."
-
-POLICY_TYPE = "standard"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb b/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
new file mode 100644
index 0000000..3674fdd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
@@ -0,0 +1,8 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+
+POLICY_TYPE = "standard"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
deleted file mode 100644
index b169604..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy.  Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += " \
-            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-            file://refpolicy-unconfined_u-default-user.patch \
-           "
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
new file mode 100644
index 0000000..b169604
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
@@ -0,0 +1,20 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SRC_URI += " \
+            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+            file://refpolicy-unconfined_u-default-user.patch \
+           "
diff --git a/recipes-security/refpolicy/refpolicy_2.20141203.inc b/recipes-security/refpolicy/refpolicy_2.20141203.inc
deleted file mode 100644
index d58ddea..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20141203.inc
+++ /dev/null
@@ -1,60 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "69594ede341987904dc2a8b7f2129a93"
-SRC_URI[sha256sum] = "f438209c430d8a2d4ddcbe4bdd3edb46f6af7dc4913637af0b73c635e40c1522"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20141203:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
-            file://poky-fc-update-alternatives_sysvinit.patch \
-            file://poky-fc-update-alternatives_sysklogd.patch \
-            file://poky-fc-update-alternatives_hostname.patch \
-            file://poky-fc-fix-real-path_resolv.conf.patch \
-            file://poky-fc-fix-real-path_login.patch \
-            file://poky-fc-fix-real-path_shadow.patch \
-            file://poky-fc-fix-bind.patch \
-            file://poky-fc-clock.patch \
-            file://poky-fc-corecommands.patch \
-            file://poky-fc-dmesg.patch \
-            file://poky-fc-fstools.patch \
-            file://poky-fc-iptables.patch \
-            file://poky-fc-mta.patch \
-            file://poky-fc-netutils.patch \
-            file://poky-fc-nscd.patch \
-            file://poky-fc-screen.patch \
-            file://poky-fc-ssh.patch \
-            file://poky-fc-su.patch \
-            file://poky-fc-sysnetwork.patch \
-            file://poky-fc-udevd.patch \
-            file://poky-fc-rpm.patch \
-            file://poky-fc-ftpwho-dir.patch \
-            file://poky-fc-fix-real-path_su.patch \
-            file://refpolicy-update-for_systemd.patch \
-           "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
-            file://poky-policy-add-rules-for-var-log-symlink.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
-            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
-            file://poky-policy-add-rules-for-var-cache-symlink.patch \
-            file://poky-policy-add-rules-for-tmp-symlink.patch \
-            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-            file://poky-policy-don-t-audit-tty_device_t.patch \
-            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
-            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
-            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
-            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
-            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
-           "
-
-# Other policy fixes 
-SRC_URI += " \
-            file://poky-policy-fix-seutils-manage-config-files.patch \
-            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
-            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
-           "
-
-include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
new file mode 100644
index 0000000..ce90b13
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -0,0 +1,60 @@
+SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "7b1ca12e9ea0254508391559cb8f2c41"
+SRC_URI[sha256sum] = "2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20151208:"
+
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+            file://poky-fc-update-alternatives_sysvinit.patch \
+            file://poky-fc-update-alternatives_sysklogd.patch \
+            file://poky-fc-update-alternatives_hostname.patch \
+            file://poky-fc-fix-real-path_resolv.conf.patch \
+            file://poky-fc-fix-real-path_login.patch \
+            file://poky-fc-fix-real-path_shadow.patch \
+            file://poky-fc-fix-bind.patch \
+            file://poky-fc-clock.patch \
+            file://poky-fc-corecommands.patch \
+            file://poky-fc-dmesg.patch \
+            file://poky-fc-fstools.patch \
+            file://poky-fc-iptables.patch \
+            file://poky-fc-mta.patch \
+            file://poky-fc-netutils.patch \
+            file://poky-fc-nscd.patch \
+            file://poky-fc-screen.patch \
+            file://poky-fc-ssh.patch \
+            file://poky-fc-su.patch \
+            file://poky-fc-sysnetwork.patch \
+            file://poky-fc-udevd.patch \
+            file://poky-fc-rpm.patch \
+            file://poky-fc-ftpwho-dir.patch \
+            file://poky-fc-fix-real-path_su.patch \
+            file://refpolicy-update-for_systemd.patch \
+           "
+
+# Specific policy for Poky
+SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
+            file://poky-policy-add-rules-for-var-log-symlink.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
+            file://poky-policy-add-rules-for-var-cache-symlink.patch \
+            file://poky-policy-add-rules-for-tmp-symlink.patch \
+            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
+            file://poky-policy-don-t-audit-tty_device_t.patch \
+            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
+            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
+            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
+            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
+           "
+
+# Other policy fixes 
+SRC_URI += " \
+            file://poky-policy-fix-seutils-manage-config-files.patch \
+            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
+            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
+           "
+
+include refpolicy_common.inc
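Review bot: The final added line keeps `include refpolicy_common.inc` from the removed 2.20141203 file, and BitBake's `include` raises no error when the file cannot be found, so a missing or misplaced common file would be skipped at parse time instead of failing there. Using `require refpolicy_common.inc` makes that dependency explicit for a recipe that builds the SELinux policy. The tarball is fetched from a GitHub wiki path, which does not look like an immutable release location, so the `SRC_URI[sha256sum]` pin is what ties the build to the reviewed source. A one-line comment above it recording where the hash was verified would help the next refresh. The `SRC_URI` on the first added line also ends in a stray `;` with no parameter after it, which can be dropped.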
-- 
2.1.4



