* [meta-selinux][PATCH 0/2] policy upgrade and cleanup
@ 2016-03-21  4:26 Philip Tricca
  2016-03-21  4:26 ` [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208 Philip Tricca
  2016-03-21  4:26 ` [meta-selinux][PATCH 2/2] refpolicy: Remove 2.20140311 release Philip Tricca
  0 siblings, 2 replies; 5+ messages in thread
From: Philip Tricca @ 2016-03-21  4:26 UTC
  To: mark.hatle, Joe_MacDonald, yocto

By default we build *_git refpolicy packages. The release packages
have been lagging behind. The first patch replaces the 2.2014120
release with the latest (2.20151208). The second removes the old
2.20140311 release.

Philip Tricca (2):
  refpolicy: Replace 2.2014120 with release 2.20151208.
  refpolicy: Remove 2.20140311 release.

 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ----
 .../refpolicy-2.20140311/poky-fc-clock.patch       |  22 --
 .../poky-fc-corecommands.patch                     |  24 ---
 .../refpolicy-2.20140311/poky-fc-dmesg.patch       |  20 --
 .../refpolicy-2.20140311/poky-fc-fix-bind.patch    |  30 ---
 .../poky-fc-fix-real-path_login.patch              |  37 ----
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 ---
 .../poky-fc-fix-real-path_shadow.patch             |  34 ---
 .../poky-fc-fix-real-path_su.patch                 |  25 ---
 .../refpolicy-2.20140311/poky-fc-fstools.patch     |  65 ------
 .../refpolicy-2.20140311/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20140311/poky-fc-iptables.patch    |  24 ---
 .../refpolicy-2.20140311/poky-fc-mta.patch         |  27 ---
 .../refpolicy-2.20140311/poky-fc-netutils.patch    |  24 ---
 .../refpolicy-2.20140311/poky-fc-nscd.patch        |  27 ---
 .../refpolicy-2.20140311/poky-fc-rpm.patch         |  25 ---
 .../refpolicy-2.20140311/poky-fc-screen.patch      |  27 ---
 .../refpolicy-2.20140311/poky-fc-ssh.patch         |  24 ---
 .../refpolicy-2.20140311/poky-fc-su.patch          |  23 ---
 .../refpolicy-2.20140311/poky-fc-subs_dist.patch   |  29 ---
 .../refpolicy-2.20140311/poky-fc-sysnetwork.patch  |  41 ----
 .../refpolicy-2.20140311/poky-fc-udevd.patch       |  35 ----
 .../poky-fc-update-alternatives_hostname.patch     |  23 ---
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ------
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 -----
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 -----------
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 ---
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 ---------
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 ---
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 ---
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 ---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 ---
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ------
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  29 ---
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 ---
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ----
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ----
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 229 ---------------------
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ------
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  31 ---
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ----
 .../refpolicy-update-for_systemd.patch             |  46 -----
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ----
 .../refpolicy-2.20141203/poky-fc-clock.patch       |  22 --
 .../poky-fc-corecommands.patch                     |  24 ---
 .../refpolicy-2.20141203/poky-fc-dmesg.patch       |  20 --
 .../refpolicy-2.20141203/poky-fc-fix-bind.patch    |  30 ---
 .../poky-fc-fix-real-path_login.patch              |  37 ----
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 ---
 .../poky-fc-fix-real-path_shadow.patch             |  34 ---
 .../poky-fc-fix-real-path_su.patch                 |  25 ---
 .../refpolicy-2.20141203/poky-fc-fstools.patch     |  70 -------
 .../refpolicy-2.20141203/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20141203/poky-fc-iptables.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-mta.patch         |  27 ---
 .../refpolicy-2.20141203/poky-fc-netutils.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-nscd.patch        |  27 ---
 .../refpolicy-2.20141203/poky-fc-rpm.patch         |  25 ---
 .../refpolicy-2.20141203/poky-fc-screen.patch      |  27 ---
 .../refpolicy-2.20141203/poky-fc-ssh.patch         |  24 ---
 .../refpolicy-2.20141203/poky-fc-su.patch          |  23 ---
 .../refpolicy-2.20141203/poky-fc-subs_dist.patch   |  29 ---
 .../refpolicy-2.20141203/poky-fc-sysnetwork.patch  |  46 -----
 .../refpolicy-2.20141203/poky-fc-udevd.patch       |  35 ----
 .../poky-fc-update-alternatives_hostname.patch     |  23 ---
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ------
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 -----
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 -----------
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 ---
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 ---------
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 ---
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 ---
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 ---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 ---
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ------
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 ---
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 ---
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ----
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ----
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 229 ---------------------
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ------
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 ---
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ----
 .../refpolicy-update-for_systemd.patch             |  29 ---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ++++
 .../refpolicy-2.20151208/poky-fc-clock.patch       |  22 ++
 .../poky-fc-corecommands.patch                     |  24 +++
 .../refpolicy-2.20151208/poky-fc-dmesg.patch       |  20 ++
 .../refpolicy-2.20151208/poky-fc-fix-bind.patch    |  30 +++
 .../poky-fc-fix-real-path_login.patch              |  37 ++++
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 +++
 .../poky-fc-fix-real-path_shadow.patch             |  34 +++
 .../poky-fc-fix-real-path_su.patch                 |  25 +++
 .../refpolicy-2.20151208/poky-fc-fstools.patch     |  70 +++++++
 .../refpolicy-2.20151208/poky-fc-ftpwho-dir.patch  |  27 +++
 .../refpolicy-2.20151208/poky-fc-iptables.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-mta.patch         |  27 +++
 .../refpolicy-2.20151208/poky-fc-netutils.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-nscd.patch        |  27 +++
 .../refpolicy-2.20151208/poky-fc-rpm.patch         |  25 +++
 .../refpolicy-2.20151208/poky-fc-screen.patch      |  27 +++
 .../refpolicy-2.20151208/poky-fc-ssh.patch         |  24 +++
 .../refpolicy-2.20151208/poky-fc-su.patch          |  23 +++
 .../refpolicy-2.20151208/poky-fc-subs_dist.patch   |  29 +++
 .../refpolicy-2.20151208/poky-fc-sysnetwork.patch  |  46 +++++
 .../refpolicy-2.20151208/poky-fc-udevd.patch       |  35 ++++
 .../poky-fc-update-alternatives_hostname.patch     |  23 +++
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ++++++
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 +++++
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++++++++++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 +++
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 +++++++++
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 +++
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 +++
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 +++++++++++++
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 +++
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ++++++
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 +++
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 +++
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ++++
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ++++
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 185 +++++++++++++++++
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ++++++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 +++
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ++++
 .../refpolicy-update-for_systemd.patch             |  29 +++
 .../refpolicy/refpolicy-mcs_2.20140311.bb          |  11 -
 .../refpolicy/refpolicy-mcs_2.20141203.bb          |  11 -
 .../refpolicy/refpolicy-mcs_2.20151208.bb          |  11 +
 .../refpolicy/refpolicy-minimum_2.20140311.bb      |  48 -----
 .../refpolicy/refpolicy-minimum_2.20141203.bb      |  48 -----
 .../refpolicy/refpolicy-minimum_2.20151208.bb      |  48 +++++
 .../refpolicy/refpolicy-mls_2.20140311.bb          |  10 -
 .../refpolicy/refpolicy-mls_2.20141203.bb          |  10 -
 .../refpolicy/refpolicy-mls_2.20151208.bb          |  10 +
 .../refpolicy/refpolicy-standard_2.20140311.bb     |   8 -
 .../refpolicy/refpolicy-standard_2.20141203.bb     |   8 -
 .../refpolicy/refpolicy-standard_2.20151208.bb     |   8 +
 .../refpolicy/refpolicy-targeted_2.20140311.bb     |  20 --
 .../refpolicy/refpolicy-targeted_2.20141203.bb     |  20 --
 .../refpolicy/refpolicy-targeted_2.20151208.bb     |  20 ++
 .../refpolicy/refpolicy_2.20140311.inc             |  60 ------
 .../refpolicy/refpolicy_2.20141203.inc             |  60 ------
 .../refpolicy/refpolicy_2.20151208.inc             |  60 ++++++
 147 files changed, 2022 insertions(+), 4137 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy_2.20140311.inc
 delete mode 100644 recipes-security/refpolicy/refpolicy_2.20141203.inc
 create mode 100644 recipes-security/refpolicy/refpolicy_2.20151208.inc

-- 
2.1.4
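
Review bot: in the diffstat, every file under refpolicy-2.20141203/ is deleted and re-created under refpolicy-2.20151208/ with the same line count, as are the five refpolicy-*_2.20141203.bb recipes and refpolicy_2.20141203.inc; only poky-policy-fix-new-SELINUXMNT-in-sys.patch changes size (229 lines to 185), which matches the 44-line difference between insertions and deletions reported for patch 1/2. Sending the series with rename detection (git format-patch -M) would show the unchanged files as renames and leave the refreshed patch and any edited recipe lines as the only content to review. The 1/2 commit message could also say why that patch needed a refresh, since it is the only file whose size changes.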




* [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208.
  2016-03-21  4:26 [meta-selinux][PATCH 0/2] policy upgrade and cleanup Philip Tricca
@ 2016-03-21  4:26 ` Philip Tricca
  2016-03-22 19:43   ` Stephen Smalley
  2016-03-21  4:26 ` [meta-selinux][PATCH 2/2] refpolicy: Remove 2.20140311 release Philip Tricca
  1 sibling, 1 reply; 5+ messages in thread
From: Philip Tricca @ 2016-03-21  4:26 UTC
  To: mark.hatle, Joe_MacDonald, yocto

This was mostly straightforward. Had to refresh a single patch:
poky-policy-fix-new-SELINUXMNT-in-sys.patch

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ----
 .../refpolicy-2.20141203/poky-fc-clock.patch       |  22 --
 .../poky-fc-corecommands.patch                     |  24 ---
 .../refpolicy-2.20141203/poky-fc-dmesg.patch       |  20 --
 .../refpolicy-2.20141203/poky-fc-fix-bind.patch    |  30 ---
 .../poky-fc-fix-real-path_login.patch              |  37 ----
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 ---
 .../poky-fc-fix-real-path_shadow.patch             |  34 ---
 .../poky-fc-fix-real-path_su.patch                 |  25 ---
 .../refpolicy-2.20141203/poky-fc-fstools.patch     |  70 -------
 .../refpolicy-2.20141203/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20141203/poky-fc-iptables.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-mta.patch         |  27 ---
 .../refpolicy-2.20141203/poky-fc-netutils.patch    |  24 ---
 .../refpolicy-2.20141203/poky-fc-nscd.patch        |  27 ---
 .../refpolicy-2.20141203/poky-fc-rpm.patch         |  25 ---
 .../refpolicy-2.20141203/poky-fc-screen.patch      |  27 ---
 .../refpolicy-2.20141203/poky-fc-ssh.patch         |  24 ---
 .../refpolicy-2.20141203/poky-fc-su.patch          |  23 ---
 .../refpolicy-2.20141203/poky-fc-subs_dist.patch   |  29 ---
 .../refpolicy-2.20141203/poky-fc-sysnetwork.patch  |  46 -----
 .../refpolicy-2.20141203/poky-fc-udevd.patch       |  35 ----
 .../poky-fc-update-alternatives_hostname.patch     |  23 ---
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ------
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 -----
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 -----------
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 ---
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 ---------
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 ---
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 ---
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 ---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 ---
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ------
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 ---
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 ---
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ----
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ----
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 229 ---------------------
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ------
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 ---
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ----
 .../refpolicy-update-for_systemd.patch             |  29 ---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ++++
 .../refpolicy-2.20151208/poky-fc-clock.patch       |  22 ++
 .../poky-fc-corecommands.patch                     |  24 +++
 .../refpolicy-2.20151208/poky-fc-dmesg.patch       |  20 ++
 .../refpolicy-2.20151208/poky-fc-fix-bind.patch    |  30 +++
 .../poky-fc-fix-real-path_login.patch              |  37 ++++
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 +++
 .../poky-fc-fix-real-path_shadow.patch             |  34 +++
 .../poky-fc-fix-real-path_su.patch                 |  25 +++
 .../refpolicy-2.20151208/poky-fc-fstools.patch     |  70 +++++++
 .../refpolicy-2.20151208/poky-fc-ftpwho-dir.patch  |  27 +++
 .../refpolicy-2.20151208/poky-fc-iptables.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-mta.patch         |  27 +++
 .../refpolicy-2.20151208/poky-fc-netutils.patch    |  24 +++
 .../refpolicy-2.20151208/poky-fc-nscd.patch        |  27 +++
 .../refpolicy-2.20151208/poky-fc-rpm.patch         |  25 +++
 .../refpolicy-2.20151208/poky-fc-screen.patch      |  27 +++
 .../refpolicy-2.20151208/poky-fc-ssh.patch         |  24 +++
 .../refpolicy-2.20151208/poky-fc-su.patch          |  23 +++
 .../refpolicy-2.20151208/poky-fc-subs_dist.patch   |  29 +++
 .../refpolicy-2.20151208/poky-fc-sysnetwork.patch  |  46 +++++
 .../refpolicy-2.20151208/poky-fc-udevd.patch       |  35 ++++
 .../poky-fc-update-alternatives_hostname.patch     |  23 +++
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ++++++
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 +++++
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++++++++++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 +++
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 +++++++++
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 +++
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 +++
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 +++++++++++++
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 +++
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ++++++
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  30 +++
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 +++
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ++++
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ++++
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 185 +++++++++++++++++
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ++++++
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  32 +++
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ++++
 .../refpolicy-update-for_systemd.patch             |  29 +++
 .../refpolicy/refpolicy-mcs_2.20141203.bb          |  11 -
 .../refpolicy/refpolicy-mcs_2.20151208.bb          |  11 +
 .../refpolicy/refpolicy-minimum_2.20141203.bb      |  48 -----
 .../refpolicy/refpolicy-minimum_2.20151208.bb      |  48 +++++
 .../refpolicy/refpolicy-mls_2.20141203.bb          |  10 -
 .../refpolicy/refpolicy-mls_2.20151208.bb          |  10 +
 .../refpolicy/refpolicy-standard_2.20141203.bb     |   8 -
 .../refpolicy/refpolicy-standard_2.20151208.bb     |   8 +
 .../refpolicy/refpolicy-targeted_2.20141203.bb     |  20 --
 .../refpolicy/refpolicy-targeted_2.20151208.bb     |  20 ++
 .../refpolicy/refpolicy_2.20141203.inc             |  60 ------
 .../refpolicy/refpolicy_2.20151208.inc             |  60 ++++++
 98 files changed, 2022 insertions(+), 2066 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy_2.20141203.inc
 create mode 100644 recipes-security/refpolicy/refpolicy_2.20151208.inc
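
Review bot: please regenerate this with rename detection (git format-patch -M). The delete/create lists carry the same file names under refpolicy-2.20141203/ and refpolicy-2.20151208/, and the .bb and .inc line counts match on both sides, so nearly all of the 98 files are moves. With renames detected, the diff would shrink to the lines behind the 2022 insertions versus 2066 deletions, which are the only part that needs review.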

diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
deleted file mode 100644
index 49da4b6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
-   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/contrib/ftp.te |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
-index 544c512..12a31dd 100644
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
- 
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
--- 
-1.7.10.4
-
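Review bot: `mls_file_write_all_levels(ftpd_t)` in the ftp.te hunk is far broader than the evidence in the commit message supports. Both quoted AVC denials are `tclass=dir` on `var_run_t` while creating proftpd.delay, and the sesearch output shows the TE rule already exists, so only the MLS constraint is in play. The interface lets a network-facing daemon running at s15:c0.c1023 write to files at every level. Since this patch is re-created under refpolicy-2.20151208/ and is still marked Upstream-Status: Pending, record in the header why the blanket exemption is needed, or look at whether a narrower fix for the /var/run case would do.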
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
deleted file mode 100644
index 3ff8f55..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-clock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..a74c40c 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,5 @@
- /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
- 
- /sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
deleted file mode 100644
index 24b67c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f051c4a..ab624f3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
- /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
- 
- #
- # /opt
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
deleted file mode 100644
index db4c4d4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..7f3e5b0 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,3 @@
- 
- /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
deleted file mode 100644
index 59ba5bc..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-bind.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/bind.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
-index 2b9a3a1..fd45d53 100644
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- 
- /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index 427181e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/authlogin.fc |    7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c8dd17f 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,5 +1,7 @@
- 
- /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin	--	gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-@@ -9,9 +11,9 @@
- 
- /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
--- 
-1.7.5.4
-
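Review bot: the second authlogin.fc hunk replaces the `/sbin/unix_chkpwd`, `/sbin/unix_update` and `/sbin/unix_verify` entries rather than adding `/usr/sbin/` entries beside them, which is what the other poky-fc patches in this series do. A binary left at the old path would no longer be labelled chkpwd_exec_t or updpwd_exec_t by these entries. If that is intended, say so in the patch description, which currently has no body. The embedded diffstat is also stale: it reports 4 insertions, but the two hunks add 5 lines.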
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
deleted file mode 100644
index 80cca67..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_resolv.conf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix real path for resolv.conf
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/sysnetwork.fc |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..dec8632 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
- /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
- 
- /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 29ac2c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/usermanage.fc |    6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce..841ba9b 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
- 
- /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow	--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin	--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- 
- /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
deleted file mode 100644
index b0392ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fix-real-path_su.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/admin/su.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index a563687..0f43827 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -4,3 +4,5 @@
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
-+
-+/bin/su.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.9.5
-
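Review bot: `/bin/su.shadow` in the su.fc hunk leaves the dot unescaped, so the regex matches any character in that position. The sibling patches write `login\.shadow`, `chfn\.shadow` and so on. Use `/bin/su\.shadow` in the copy carried to refpolicy-2.20151208/.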
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
deleted file mode 100644
index 9c45694..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-fstools.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
- policy/modules/system/fstools.fc |    9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d10368d..f22761a 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,6 +1,8 @@
- /sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,12 @@
- /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +29,7 @@
- /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -32,8 +38,10 @@
- /sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -45,6 +53,7 @@
- 
- /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
--- 
-1.7.9.5
-
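Review bot: the added fstools.fc entries `/sbin/blkid/.util-linux`, `/sbin/blockdev/.util-linux`, `/sbin/fdisk/.util-linux`, `/sbin/hdparm/.util-linux`, `/sbin/mkswap/.util-linux` and `/sbin/swapoff/.util-linux` use `/.` where `\.` looks intended (compare `/sbin/hwclock\.util-linux` in poky-fc-clock.patch). As written, the pattern describes a file one character plus `util-linux` long inside a directory named blkid, so `/sbin/blkid.util-linux` would not match and would not get fsadm_exec_t from this entry. If the copy created under refpolicy-2.20151208/ is unchanged, fix the escapes there instead of carrying the typo forward.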
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index a7d434f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/contrib/ftp.fc |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
-index ddb75c1..26fec47 100644
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -9,7 +9,7 @@
- 
- /usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- 
--/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
deleted file mode 100644
index 89b1547..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..84ac92b 100644
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -13,6 +13,7 @@
- /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- 
- /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
deleted file mode 100644
index bbd83ec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/mta.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
-index f42896c..0d4bcef 100644
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
- /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
deleted file mode 100644
index b45d03e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..f2ed3dc 100644
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -3,6 +3,7 @@
- /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
deleted file mode 100644
index 1db328c..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-nscd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/nscd.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
-index ba64485..61a6f24 100644
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,6 +1,7 @@
- /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
- 
- /usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
- 
- /var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
deleted file mode 100644
index 7ba3380..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-rpm.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/contrib/rpm.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
-index ebe91fc..539063c 100644
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
- 
- ifdef(`enable_mls',`
- /usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
--- 
-1.7.9.5
-
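Review bot: The rpm.fc entry "/bin/cpio.cpio" in this deleted patch leaves the dot unescaped, so the file-context regex accepts any character in that position instead of a literal dot. The sibling patches escape it ("/usr/bin/ssh\.openssh", "/bin/hostname\.net-tools"); if this patch is carried forward for the 2.20151208 release, it should read "/bin/cpio\.cpio". The entry also sits inside the enable_mls ifdef, so it only takes effect on MLS builds, and the subject says "cpio" while the file is named poky-fc-rpm.patch. The commit message should say whether both are intended.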
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
deleted file mode 100644
index 3218194..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-screen.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/screen.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
-index e7c2cf7..49ddca2 100644
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
- 
- /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*	--	gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
- 
- /var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
--- 
-1.7.9.5
-
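Review bot: The screen.fc entry "/usr/bin/screen-.*" labels every regular file under /usr/bin whose name starts with "screen-" as screen_exec_t, which is wider than the "fix real path for screen" subject suggests. If the intent is only the versioned screen binary, a pattern restricted to the version suffix would avoid giving the screen entry point type to unrelated screen-* programs. The commit message has no description naming the path it is meant to cover.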
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
deleted file mode 100644
index 9aeb3a2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-ssh.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..9717428 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
- 
- /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
deleted file mode 100644
index 358e4ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-su.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..a563687 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,5 +1,6 @@
- 
- /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
deleted file mode 100644
index cfec7d9..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes 
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -19,3 +19,13 @@
- /usr/local/lib64 /usr/lib
- /usr/local/lib /usr/lib
- /var/run/lock /var/lock
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
deleted file mode 100644
index 64f497d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
----
- policy/modules/system/sysnetwork.fc |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index fbb935c..a194622 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -4,6 +4,7 @@
- #
- /bin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /dev
-@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
- /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ethtool  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
- /sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
--- 
-1.7.9.5
-
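Review bot: In the first sysnetwork.fc hunk, "/sbin/ip\.iproute2" is added to the /bin block (directly after "/bin/ip", before the "# /dev" header) instead of next to "/sbin/ip", and "/usr/sbin/ethtool" is added in the middle of the /sbin entries. All four added lines also separate fields with spaces where the surrounding entries use tabs. If this patch is carried forward, moving each entry to its matching section and using tabs would keep the file greppable by directory and reduce conflicts on the next refpolicy rebase.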
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
deleted file mode 100644
index c6c19be..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-udevd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/system/udev.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..491bb23 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -10,6 +10,7 @@
- /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
- ')
- 
- /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index cedb5b5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/hostname.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..4003b6d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,3 @@
- 
- /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index 868ee6b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.fc |    4 ++++
- policy/modules/system/logging.te |    1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..c005f33 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,19 +2,23 @@
- 
- /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
- /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
- /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 87e3db2..2914b0b 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
- 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--- 
-1.7.9.5
-
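Review bot: The logging.te hunk adds "allow syslogd_t syslog_conf_t:lnk_file read_file_perms;", which applies the permission set written for regular files to the lnk_file class. The other symlink rules in this series use "read_lnk_file_perms" (for example "allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;"), and that is the narrower set needed to follow /etc/syslog.conf to /etc/syslog.conf.sysklogd as the commit message describes. In logging.fc, "/etc/syslog.conf\.sysklogd" escapes only the second dot; that matches the existing "/etc/syslog.conf" lines, but escaping both would make the new entry exact.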
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index 3a617d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/shutdown.fc    |    1 +
- policy/modules/kernel/corecommands.fc |    1 +
- policy/modules/system/init.fc         |    1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
-index a91f33b..90e51e0 100644
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -3,6 +3,7 @@
- /lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index bcfdba7..87502a3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -10,6 +10,7 @@
- /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
- /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..020b9fe 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
- # /sbin
- #
- /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
deleted file mode 100644
index 9a3322f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/terminal.if |   16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..7519d0e 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file getattr;
-+	dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
-@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir search;
- 	allow $1 devpts_t:chr_file ioctl;
-+	allow $1 bsdpty_device_t:chr_file ioctl;
- ')
- 
- ########################################
-@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	allow $1 devpts_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file setattr;
-+	dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir list_dir_perms;
- 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- ########################################
-@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
- 
- #######################################
-@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- #######################################
--- 
-1.7.9.5
-
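Review bot: The last two terminal.if hunks add bsdpty_device_t rules to term_setattr_controlling_term and term_use_controlling_term, whose existing rules are for devtty_t, while the subject only talks about completing the generic pty interfaces. The domain.te context visible elsewhere in this series shows "term_use_controlling_term(domain)", so the added "allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };" reaches every domain rather than just callers of the *_generic_ptys interfaces. If that is intended it needs a sentence in the commit message (the patch is marked Upstream-Status: Pending with no description); otherwise the bsdpty_device_t lines should be limited to the six generic pty interfaces.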
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index aa9734a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ad9ea5..70427d8 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
- 
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
deleted file mode 100644
index 210c297..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-tmp-symlink.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/files.fc |    1 +
- policy/modules/kernel/files.if |    8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..a0db748 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
- # /tmp
- #
- /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.*				<<none>>
- /tmp/\.journal			<<none>>
- 
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..a7384b0 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir search_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir list_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
- 	')
- 
- 	allow $1 tmp_t:dir del_entry_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
- 	')
- 
- 	read_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
- 	')
- 
- 	manage_dirs_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
- 	')
- 
- 	manage_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
- 	')
- 
- 	rw_sock_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
- 	')
- 
- 	filetrans_pattern($1, tmp_t, $2, $3, $4)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
--- 
-1.7.5.4
-
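Review bot: The "From 22cd030a8118faae37c0835eb7875e482efe5dc1" line and the Date header of this patch are identical to those of poky-fc-update-alternatives_sysvinit.patch, so the header was evidently copied and does not identify this change. If the patch is carried forward, regenerating it with its own header would keep the provenance traceable. On the content, the same "allow $1 tmp_t:lnk_file read_lnk_file_perms;" line is added to eight files.if interfaces one by one; a short comment next to the new "/tmp -l" entry in files.fc explaining that /tmp is a symlink on poky would help whoever next rebases these hunks.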
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
deleted file mode 100644
index 18a92dd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-cache-symlink.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/domain.te |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9ffe6b0 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
- 
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- 	# This check is in the general socket
- 	# listen code, before protocol-specific
--- 
-1.7.9.5
-
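Review bot: "files_read_var_symlinks(domain)" in the domain.te hunk is applied to the domain attribute, so every process type gets the permission, and the only in-tree explanation is the comment "Yocto/oe-core use some var volatile links". The commit message argues the relaxation is safe because content access still needs per-domain rules; naming the specific /var symlinks involved, in the comment or the message, would let a reviewer confirm that. The file name (var-cache-symlink) is also narrower than what the subject and the rule cover.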
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
deleted file mode 100644
index 8bc40c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/apache.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index ec8bd13..06f2e95 100644
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
- 
- allow httpd_t httpd_modules_t:dir list_dir_perms;
--- 
-1.7.9.5
-
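Review bot: This apache.te hunk uses "read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)", while the matching fixes for syslogd_t and audisp_remote_t in this series use a plain "allow ... var_log_t:lnk_file read_lnk_file_perms;". The pattern macro additionally grants directory search on var_log_t, so the three patches do not grant the same thing for the same /var/log symlink problem. Picking one form for all three, and saying in the message which one and why, would make the set easier to audit.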
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index cbf0f7d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 8426a49..2ad9ea5 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index b06f3ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |   14 +++++++++++++-
- policy/modules/system/logging.te |    1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index c005f33..9529e40 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
- 
- /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9a6f599 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
- #
- interface(`logging_read_audit_log',`
- 	gen_require(`
--		type auditd_log_t;
-+		type auditd_log_t, var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	read_files_pattern($1, auditd_log_t, auditd_log_t)
- 	allow $1 auditd_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir search_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir rw_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
- interface(`logging_read_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, logfile, logfile)
- ')
- 
-@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	can_exec($1, logfile)
- ')
- 
-@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
- 
- 	files_search_var($1)
- 	manage_files_pattern($1, var_log_t, var_log_t)
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ab0a49..2795d89 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
--- 
-1.7.9.5
-
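Review bot: in logging.if the same line, "allow $1 var_log_t:lnk_file read_lnk_file_perms;", is pasted into every interface body, and in logging_manage_generic_logs it sits after manage_files_pattern rather than next to the directory rule as in the others. Putting the rule in one small helper interface that the others call would make it a single place to rebase when the refpolicy release changes. It would also remove the need for the separate audisp_remote_t patch, which exists only because that domain bypasses these interfaces.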
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
deleted file mode 100644
index 92b1592..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2914b0b..2ab0a49 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
- 
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
- 
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
--- 
-1.7.9.5
-
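Review bot: mls_trusted_object(syslogd_t) is justified only by the inline comment. The commit message carries no AVC record for the connectto/sendto on /dev/log, whereas the rpcinfo and ftpd_t patches in this same change quote theirs. Please add the denial so the MLS exemption can be checked against what actually failed. The From: line names Xin Ouyang while the first Signed-off-by is Roy.Li, so authorship should be made consistent as well.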
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index e77a730..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/rpc.te   |    2 +-
- policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 9566932..5605205 100644
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
- 
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..8a669c5 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
- 
- ########################################
- ## <summary>
-+##	Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+	gen_require(`
-+		type proc_t;
-+	')
-+
-+	allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
--- 
-1.7.5.4
-
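Review bot: the subject and file name say "allow nfsd to exec shell commands", but the only access granted is kernel_mounton_proc(nfsd_t), which expands to "allow $1 proc_t:dir mounton;". Nothing here concerns executing a shell. The message has no body, so there is no record of why nfsd_t needs to mount on /proc. If this file is carried into refpolicy-2.20151208, rename it and state the operation that was denied.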
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index 9ef61b4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
----
- policy/modules/system/selinuxutil.te |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 9058dd8..f998491 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
- 
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
--- 
-1.7.9.5
-
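Review bot: files_read_all_symlinks(setfiles_t) is added directly below the context line files_dontaudit_read_all_symlinks(setfiles_t), so the policy now both allows the read and asks for its denial to be silenced. With the allow in place the dontaudit is redundant for the same permissions. The patch should drop it or say why both are wanted.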
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index ec3dbf4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/roles/sysadm.te |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1767217..5502c6a 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -413,6 +413,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- 	vmware_role(sysadm_r, sysadm_t)
- ')
- 
--- 
-1.7.10.4
-
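Review bot: the quoted AVC does not support the rule being added. In the denial both scontext and tcontext are system_u:system_r:rpcbind_t:s0-s15:c0.c1023, with comm="rpcinfo" running as rpcbind_t, yet the change grants rpcbind_stream_connect(sysadm_t). Either quote the denial that has sysadm_t as the source, or explain how a rule for sysadm_t resolves a denial between two rpcbind_t contexts.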
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
deleted file mode 100644
index 82370d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-don-t-audit-tty_device_t.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/terminal.if |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 7519d0e..45de1ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -299,9 +299,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- 	gen_require(`
- 		type console_device_t;
-+		type tty_device_t;
- 	')
- 
-+	init_dontaudit_use_fds($1)
- 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
- 
- ########################################
--- 
-1.7.9.5
-
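Review bot: term_dontaudit_use_console now also silences tty_device_t:chr_file access and, through init_dontaudit_use_fds($1), use of init file descriptors, for every caller of the interface. That takes denials out of the audit log that the interface name does not suggest, which makes later policy debugging and detection harder. A separate, explicitly named interface for the tty and fd cases, called only by the domains that need it, would keep the loss of audit visibility scoped.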
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index d6c8dbf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/dmesg.if |    1 +
- policy/modules/admin/dmesg.te |    2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c7..739a4bc 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
- 
- 	corecmd_search_bin($1)
- 	can_exec($1, dmesg_exec_t)
-+	dev_read_kmsg($1)
- ')
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..c591aea 100644
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
--- 
-1.7.9.5
-
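Review bot: adding dev_read_kmsg($1) inside the dmesg_exec interface gives read access to /dev/kmsg to every domain that is allowed to execute dmesg in its own context, in addition to the dmesg_t rule in dmesg.te. The message does not say which callers need that. The header also lacks the Upstream-Status tag that the neighbouring patches carry. Please add the tag and a sentence on why the interface, and not only dmesg_t, needs the access.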
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 302a38f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
- 		type security_t;
- 	')
- 
-+	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+	# access sysfs
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem mount;
- ')
- 
-@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem remount;
- ')
- 
-@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem unmount;
- ')
- 
-@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem getattr;
- ')
- 
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:filesystem getattr;
- ')
- 
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir getattr;
- ')
- 
-@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir search_dir_perms;
- ')
-@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- ')
- 
-@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- 	dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
- 
-@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- 	allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
- 		attribute can_setsecparam;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir list_dir_perms;
- 	dontaudit $1 security_t:file rw_file_perms;
- 	dontaudit $1 security_t:security check_context;
-@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
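Review bot: in selinux_get_fs_mount the new comment says SELINUXMNT is now /sys/fs/selinux, but the context comment immediately below it still reads "checking if SELINUXMNT (/selinux) is already a selinuxfs"; the same stale text follows the new line in selinux_dontaudit_get_fs_mount. The two comments now contradict each other, so the patch should update the old wording where it touches those interfaces. The selinux.if section also has no "diff --git" or index line, unlike the other embedded patches, which makes it harder to tell which base revision it applies to.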
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
deleted file mode 100644
index f04ebec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te       |    5 +++++
- policy/modules/contrib/rpcbind.te   |    5 +++++
- policy/modules/kernel/filesystem.te |    1 +
- policy/modules/kernel/kernel.te     |    2 ++
- 4 files changed, 13 insertions(+)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
- 
- optional_policy(`
- 	mount_exec(nfsd_t)
-+	# Should domtrans to mount_t while mounting nfsd_fs_t.
-+	mount_domtrans(nfsd_t)
-+	# nfsd_t need to chdir to /var/lib/nfs and read files.
-+	files_list_var(nfsd_t)
-+	rpc_read_nfs_state_data(nfsd_t)
- ')
- 
- ########################################
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
- 
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
- 
- type oprofilefs_t;
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
- 
- ifdef(`distro_redhat',`
- 	# Bugzilla 222337
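Review bot: the kernel.te hunk adds mls_socket_write_all_levels(kernel_t) and mls_fd_use_all_levels(kernel_t) with no comment and no mention in the commit message, while the rpcbind.te additions at least explain the level mismatch with nfsd_t. These are MLS exemptions on kernel_t and on rpcbind_t for all levels, so each needs the denial it answers quoted in the message. The rpcbind.te comment also has a typo: "because the are running" should read "because they are running".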
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 0b8cc5d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
----
- policy/modules/system/selinuxutil.te |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index f998491..1a4e565 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
- 
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
--- 
-1.7.9.5
-
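Review bot: this patch silently depends on the setfiles_t symlink patch being applied first. Its pre-image index is f998491, which is the post-image of that patch, and its context lines include files_read_all_symlinks(setfiles_t). That ordering should be stated in the message or the two patches merged, so a reorder in SRC_URI does not produce a failed apply. The tag is written "Upstream-Status: pending" in lower case where the other patches use "Pending".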
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
deleted file mode 100644
index be33bf1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/poky-policy-fix-seutils-manage-config-files.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/selinuxutil.if |    1 +
- policy/modules/system/userdomain.if  |    4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..db03ca1 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
- 	')
- 
- 	files_search_etc($1)
-+	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
- 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index b4a691d..20c8bf8 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
- 	logging_read_audit_config($1)
- 
- 	seutil_manage_bin_policy($1)
-+	seutil_manage_default_contexts($1)
-+	seutil_manage_file_contexts($1)
-+	seutil_manage_module_store($1)
-+	seutil_manage_config($1)
- 	seutil_run_checkpolicy($1, $2)
- 	seutil_run_loadpolicy($1, $2)
- 	seutil_run_semanage($1, $2)
--- 
-1.7.9.5
-
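Review bot: the commit message has no body, yet userdom_security_admin_template gains four manage grants (default contexts, file contexts, module store, config) and seutil_manage_config gains manage_dirs_pattern for every caller. Please state which tool and operation was denied for each one, so the widening of the security admin role can be checked one grant at a time and none is carried forward by habit.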
diff --git a/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
deleted file mode 100644
index 2ae4185..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20141203/refpolicy-update-for_systemd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH] refpolicy: update for systemd related allow rules
-
-It provide, the systemd support related allow rules
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
- policy/modules/system/init.te |    5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c8f007d..a9675f6 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -929,3 +929,8 @@ optional_policy(`
- optional_policy(`
- 	zebra_read_config(initrc_t)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
-\ No newline at end of file
--- 
-1.7.9.5
-
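Review bot: the three rules are appended to init.te as raw allow statements, after the last optional_policy block, naming kernel_t, devpts_t and device_t directly, so they apply whether or not the image uses systemd. The message gives no denial records and has no Upstream-Status tag. The file also ends without a newline (see the "\ No newline at end of file" marker). Please add the tag and the AVCs, fix the missing newline, and express the cross-module access through the owning modules' interfaces.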
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
new file mode 100644
index 0000000..49da4b6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -0,0 +1,39 @@
+From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
+   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
+root@localhost:~#
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/contrib/ftp.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12a31dd 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+1.7.10.4
+
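Review bot: mls_file_write_all_levels(ftpd_t) is inserted in the declarations block, between the ftpdctl_tmp_t and sftpd_t type declarations, and not with the ftpd_t local policy rules, where a later reader would look for it. The quoted denials concern only write and add_name on a var_run_t directory, while the interface exempts ftpd_t from the MLS write restriction at all levels. Move the line into the ftpd_t policy section with a comment tying it to the /var/run case. Also note in the message that the sesearch output is there to show the TE rule already exists and that the denial is MLS-only.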
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
new file mode 100644
index 0000000..3ff8f55
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
@@ -0,0 +1,22 @@
+Subject: [PATCH] refpolicy: fix real path for clock
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..a74c40c 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,5 @@
+ /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
+ 
+ /sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
new file mode 100644
index 0000000..24b67c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for corecommands
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index f051c4a..ab624f3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
+ /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+ /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ #
+ # /opt
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
new file mode 100644
index 0000000..db4c4d4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] refpolicy: fix real path for dmesg
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/dmesg.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..7f3e5b0 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
new file mode 100644
index 0000000..59ba5bc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
@@ -0,0 +1,30 @@
+From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:09:11 +0800
+Subject: [PATCH] refpolicy: fix real path for bind.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/bind.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
+index 2b9a3a1..fd45d53 100644
+--- a/policy/modules/contrib/bind.fc
++++ b/policy/modules/contrib/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
+-- 
+1.7.9.5
+
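Review bot: In bind.fc the new `/etc/bind/rndc\.conf` entry is labelled named_conf_t, while the neighbouring `/etc/bind/rndc\.key` is dnssec_t. If the rndc.conf shipped on the image carries the key statement inline instead of including rndc.key, the secret ends up under the less restrictive configuration type, so please confirm which form the recipe installs. Separately, the added line separates its fields with runs of spaces where the rest of the file uses tabs.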
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/authlogin.fc |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+ 
+ /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.tinylogin	--	gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+ 
+ /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+-- 
+1.7.5.4
+
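Review bot: The second hunk of authlogin.fc replaces the `/sbin/unix_chkpwd`, `/sbin/unix_update` and `/sbin/unix_verify` entries with `/usr/sbin/...` instead of adding the new paths next to them, which is what the other poky-fc patches in this series do. Any image that still installs these helpers under /sbin loses the chkpwd_exec_t and updpwd_exec_t labels, so keeping both sets of paths is safer. The embedded diffstat is also stale: it says 4 insertions and 3 deletions, but the two hunks add five lines and remove three.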
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
new file mode 100644
index 0000000..80cca67
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+ /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+-- 
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
new file mode 100644
index 0000000..29ac2c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
@@ -0,0 +1,34 @@
+Subject: [PATCH] fix real path for shadow commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/usermanage.fc |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..841ba9b 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
+ 
+ /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow	--	gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.tinylogin	--	gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vigr\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vipw\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ 
+ /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
new file mode 100644
index 0000000..b0392ce
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
@@ -0,0 +1,25 @@
+From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fix real path for su.shadow command
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ policy/modules/admin/su.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index a563687..0f43827 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -4,3 +4,5 @@
+ 
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
++
++/bin/su.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.9.5
+
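Review bot: The added su.fc entry `/bin/su.shadow` leaves the dot unescaped, so the pattern matches any character in that position; the login and shadow patches in this series write the same kind of suffix as `/bin/login\.shadow`. Please use `/bin/su\.shadow`. The pre-image index a563687 is the post-image of poky-fc-su.patch, so this patch only applies after that one; folding the two su.fc changes into a single patch would remove the ordering dependency.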
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
new file mode 100644
index 0000000..9c45694
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
@@ -0,0 +1,70 @@
+From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH] refpolicy: fix real path for fstools
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/fstools.fc |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index d10368d..f22761a 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -1,6 +1,8 @@
+ /sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blkid/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blockdev/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -9,9 +11,12 @@
+ /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/fdisk/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/hdparm/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -24,6 +29,7 @@
+ /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/mkswap/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -32,8 +38,10 @@
+ /sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/swapoff/.util-linux		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -45,6 +53,7 @@
+ 
+ /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
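Review bot: Every `.util-linux` entry added to fstools.fc is written with `/.` where `\.` was meant, for example `/sbin/blkid/.util-linux`. As a file-context regex that describes a file named with one arbitrary character followed by `util-linux` inside a directory `/sbin/blkid/`, so the real update-alternatives target `/sbin/blkid.util-linux` is never matched and does not get fsadm_exec_t. The same applies to the blockdev, fdisk, hdparm, mkswap and swapoff lines. Use the form the clock and dmesg patches use, `/sbin/blkid\.util-linux`, and check the result with matchpathcon on a built image.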
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
new file mode 100644
index 0000000..a7d434f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
@@ -0,0 +1,27 @@
+fix ftpwho install dir
+
+Upstream-Status: Pending
+
+ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/contrib/ftp.fc |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
+index ddb75c1..26fec47 100644
+--- a/policy/modules/contrib/ftp.fc
++++ b/policy/modules/contrib/ftp.fc
+@@ -9,7 +9,7 @@
+ 
+ /usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ 
+-/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
++/usr/bin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+ /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+-- 
+1.7.10.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
new file mode 100644
index 0000000..89b1547
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for iptables
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/iptables.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 14cffd2..84ac92b 100644
+--- a/policy/modules/system/iptables.fc
++++ b/policy/modules/system/iptables.fc
+@@ -13,6 +13,7 @@
+ /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ 
+ /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
new file mode 100644
index 0000000..bbd83ec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
@@ -0,0 +1,27 @@
+From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:21:55 +0800
+Subject: [PATCH] refpolicy: fix real path for mta
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/mta.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
+index f42896c..0d4bcef 100644
+--- a/policy/modules/contrib/mta.fc
++++ b/policy/modules/contrib/mta.fc
+@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
+ /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
new file mode 100644
index 0000000..b45d03e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for netutils
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/netutils.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..f2ed3dc 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -3,6 +3,7 @@
+ /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+ /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
++/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
+ 
+ /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
new file mode 100644
index 0000000..1db328c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
@@ -0,0 +1,27 @@
+From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:25:36 +0800
+Subject: [PATCH] refpolicy: fix real path for nscd
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/nscd.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
+index ba64485..61a6f24 100644
+--- a/policy/modules/contrib/nscd.fc
++++ b/policy/modules/contrib/nscd.fc
+@@ -1,6 +1,7 @@
+ /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+ 
+ /usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
++/usr/bin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
+ 
+ /var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
new file mode 100644
index 0000000..7ba3380
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
@@ -0,0 +1,25 @@
+From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 01:13:06 -0500
+Subject: [PATCH] refpolicy: fix real path for cpio
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ policy/modules/contrib/rpm.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
+index ebe91fc..539063c 100644
+--- a/policy/modules/contrib/rpm.fc
++++ b/policy/modules/contrib/rpm.fc
+@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
+ 
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+-- 
+1.7.9.5
+
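Review bot: `/bin/cpio.cpio` in rpm.fc has an unescaped dot, so it matches any character between the two `cpio` strings; write it as `/bin/cpio\.cpio` like the other alternatives suffixes in this series. The entry is also added inside the enable_mls ifdef block, so the rpm_exec_t label only exists in MLS builds. That mirrors the existing `/usr/sbin/cpio` line, but it is worth stating in the commit message that this is intended.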
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
new file mode 100644
index 0000000..3218194
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
@@ -0,0 +1,27 @@
+From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:27:19 +0800
+Subject: [PATCH] refpolicy: fix real path for screen
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/screen.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
+index e7c2cf7..49ddca2 100644
+--- a/policy/modules/contrib/screen.fc
++++ b/policy/modules/contrib/screen.fc
+@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
+ 
+ /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.*	--	gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
+ 
+ /var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
new file mode 100644
index 0000000..9aeb3a2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for ssh
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 078bcd7..9717428 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ 
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
new file mode 100644
index 0000000..358e4ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
@@ -0,0 +1,23 @@
+Subject: [PATCH] refpolicy: fix real path for su
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/su.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..a563687 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,5 +1,6 @@
+ 
+ /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
+ 
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
new file mode 100644
index 0000000..cfec7d9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+
+This file is used for Linux distros to define specific pathes 
+mapping to the pathes in file_contexts.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -19,3 +19,13 @@
+ /usr/local/lib64 /usr/lib
+ /usr/local/lib /usr/lib
+ /var/run/lock /var/lock
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
++/www /var/www
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
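Review bot: The added substitutions `/var/volatile/run /var/run` and `/var/volatile/run/lock /var/lock` overlap, and the existing context line `/var/run/lock /var/lock` covers the same ground after the first rewrite. Please confirm with matchpathcon that a path under /var/volatile/run/lock resolves to the /var/lock context whichever entry is picked, or drop the redundant line. This embedded patch also has no `diff --git` or index lines and no trailing signature block, unlike the other poky-fc patches; regenerating it with git format-patch would keep the set consistent.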
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
new file mode 100644
index 0000000..64f497d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
@@ -0,0 +1,46 @@
+From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH] refpolicy: fix real path for sysnetwork
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index fbb935c..a194622 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -4,6 +4,7 @@
+ #
+ /bin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+ #
+ # /dev
+@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
+ /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ethtool  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
+ /sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
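Review bot: In the first sysnetwork.fc hunk `/sbin/ip\.iproute2` is inserted into the /bin block, after `/bin/ip`, instead of next to `/sbin/ip` in the /sbin block where the other two additions go. Moving it there keeps the file sorted by directory and makes a later duplicate less likely. All four added lines also separate their fields with spaces where the surrounding entries use tabs.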
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
new file mode 100644
index 0000000..c6c19be
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
@@ -0,0 +1,35 @@
+From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Sat, 25 Jan 2014 23:40:05 -0500
+Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ policy/modules/system/udev.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 40928d8..491bb23 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -10,6 +10,7 @@
+ /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
++/lib/udev/udevd    --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
+ ')
+ 
+ /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
new file mode 100644
index 0000000..cedb5b5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,23 @@
+From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 3/4] fix update-alternatives for hostname
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/hostname.fc |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
new file mode 100644
index 0000000..868ee6b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,59 @@
+From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 2/4] fix update-alternatives for sysklogd
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
+for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc |    4 ++++
+ policy/modules/system/logging.te |    1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index b50c5fe..c005f33 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,19 +2,23 @@
+ 
+ /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/syslog\.sysklogd --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+ 
+ /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
++/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
++/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 87e3db2..2914b0b 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+-- 
+1.7.9.5
+
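Review bot: in the logging.te hunk the new rule applies a file-class
permission set to a symlink class: "allow syslogd_t syslog_conf_t:lnk_file
read_file_perms;". The other symlink patches in this series use
read_lnk_file_perms for lnk_file, which is the narrower set intended for
reading a link. Use it here as well so the grant matches the stated purpose,
reading the /etc/syslog.conf link.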
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
new file mode 100644
index 0000000..3a617d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
@@ -0,0 +1,53 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/4] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/shutdown.fc    |    1 +
+ policy/modules/kernel/corecommands.fc |    1 +
+ policy/modules/system/init.fc         |    1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
+index a91f33b..90e51e0 100644
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -3,6 +3,7 @@
+ /lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index bcfdba7..87502a3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -10,6 +10,7 @@
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
++/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index bc0ffc8..020b9fe 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+ # /sbin
+ #
+ /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
++/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
+ 
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
new file mode 100644
index 0000000..9a3322f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -0,0 +1,121 @@
+From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 771bce1..7519d0e 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file getattr;
++	dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir search;
+ 	allow $1 devpts_t:chr_file ioctl;
++	allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+ 
+ ########################################
+@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	allow $1 devpts_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file setattr;
++	dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+ 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
+@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ #######################################
+@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ #######################################
+-- 
+1.7.9.5
+
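Review bot: the last two hunks add bsdpty_device_t rules to
term_setattr_controlling_term and term_use_controlling_term, which until now
only covered devtty_t. Every caller of those interfaces gains setattr or
read/write on BSD ptys, and the domain.te context shown in
poky-policy-add-rules-for-var-cache-symlink.patch has
term_use_controlling_term(domain), so the grant reaches all domains. Keep
bsdpty_device_t in the *_generic_ptys interfaces only, or explain in the
commit message why the controlling-terminal interfaces need it. The
"## <summary>" blocks of the changed interfaces are not updated either.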
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+-- 
+1.7.11.7
+
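Review bot: the logging.te pre-image blob here is 2ad9ea5, which is the
post-image of poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
(8426a49..2ad9ea5), so this patch was generated on top of that one; check
that the recipe applies them in that order. The embedded patch also starts
at the Subject line with no From: or Date: header, so authorship rests on
the Signed-off-by alone, and the new allow line sits after the
"# Allow access for syslog-ng" block without a comment saying it exists for
the /var/log symlink.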
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
new file mode 100644
index 0000000..210c297
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
@@ -0,0 +1,99 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] add rules for the symlink of /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/files.fc |    1 +
+ policy/modules/kernel/files.if |    8 ++++++++
+ 2 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 8796ca3..a0db748 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
+ # /tmp
+ #
+ /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.*				<<none>>
+ /tmp/\.journal			<<none>>
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index e1e814d..a7384b0 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
+ 	')
+ 
+ 	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ 	')
+ 
+ 	manage_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ 	')
+ 
+ 	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
+ 	')
+ 
+ 	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.5.4
+
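Review bot: "allow $1 tmp_t:lnk_file read_lnk_file_perms;" is added to eight
interfaces in files.if and matches on type, so it covers every symlink
labelled tmp_t, not only the /tmp link that the files.fc hunk labels. The
commit message motivates only the /tmp link itself. Either give that link
its own type and grant read on that type, or state in the message that
reading any tmp_t symlink is intended. Interfaces such as
files_delete_tmp_dir_entry and files_tmp_filetrans pick up the read with no
change to their doc comments.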
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
new file mode 100644
index 0000000..18a92dd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -0,0 +1,34 @@
+From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/domain.te |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..9ffe6b0 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ ifdef(`hide_broken_symptoms',`
+ 	# This check is in the general socket
+ 	# listen code, before protocol-specific
+-- 
+1.7.9.5
+
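Review bot: files_read_var_symlinks(domain) in domain.te grants the read to
every domain, and the only justification is the commit message's "this is
still a secure relax" with no links named. List the /var subdirectory
symlinks Poky creates, in the message or next to the rule, so a later
reviewer can tell whether the blanket grant is still needed; the comment
"# Yocto/oe-core use some var volatile links" does not identify them. The
file name says var-cache while the subject covers all subdir symlinks in
/var; align the two.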
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
new file mode 100644
index 0000000..8bc40c4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -0,0 +1,31 @@
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/apache.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index ec8bd13..06f2e95 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+ 
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+-- 
+1.7.9.5
+
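Review bot: the commit message says apache.te does not use the interfaces in
logging.if, but the context line right after the addition is
"logging_log_filetrans(httpd_t, httpd_log_t, file)", which is a logging.if
interface. poky-policy-add-rules-for-var-log-symlink.patch does not touch
logging_log_filetrans; adding the lnk_file read there would cover httpd_t
without a per-module rule in a contrib module. If the per-module rule
stays, correct the message.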
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
new file mode 100644
index 0000000..b06f3ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
@@ -0,0 +1,145 @@
+From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/6] add rules for the symlink of /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc |    1 +
+ policy/modules/system/logging.if |   14 +++++++++++++-
+ policy/modules/system/logging.te |    1 +
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index c005f33..9529e40 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 4e94884..9a6f599 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+ 	gen_require(`
+-		type auditd_log_t;
++		type auditd_log_t, var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	read_files_pattern($1, auditd_log_t, auditd_log_t)
+ 	allow $1 auditd_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir search_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir rw_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	can_exec($1, logfile)
+ ')
+ 
+@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	write_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	rw_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	manage_files_pattern($1, var_log_t, var_log_t)
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ab0a49..2795d89 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+-- 
+1.7.9.5
+
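Review bot: the gen_require changes in logging.if are inconsistent:
logging_read_audit_log rewrites the existing line to
"type auditd_log_t, var_log_t;" while logging_read_all_logs and
logging_exec_all_logs add a separate "type var_log_t;" line. Pick one form.
The same allow line is repeated in ten interfaces with no comment; a short
comment saying it exists because /var/log is a symlink on Poky would make
the additions recognisable when this patch is rebased onto the next
refpolicy release.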
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
new file mode 100644
index 0000000..92b1592
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -0,0 +1,31 @@
+From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2914b0b..2ab0a49 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+ 
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+-- 
+1.7.9.5
+
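Review bot: mls_trusted_object(syslogd_t) marks the whole syslogd_t type as
an MLS trusted object, so subjects at any level may read and write objects
of that type, while the inline comment and the commit message only mention
connectto/sendto on /dev/log. State which object classes need the exemption
and why a narrower rule is not enough. The From: header names Xin Ouyang but
the first Signed-off-by is Roy.Li; confirm the authorship is recorded as
intended.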
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..e77a730
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,58 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te   |    2 +-
+ policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 9566932..5605205 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 649e458..8a669c5 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton a proc filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	allow $1 proc_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.7.5.4
+
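Review bot: the subject "allow nfsd to exec shell commands" does not match
the change. The rpc.te hunk uncomments kernel_mounton_proc(nfsd_t) and the
kernel.if hunk defines that interface as "allow $1 proc_t:dir mounton;";
nothing here concerns executing a shell. Retitle the patch and say why
nfsd_t needs mounton on proc_t. The From line hash 22cd030a... and the Date
are identical to those in poky-fc-update-alternatives_sysvinit.patch and
poky-policy-add-rules-for-tmp-symlink.patch, so the header does not identify
a distinct commit.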
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
new file mode 100644
index 0000000..9ef61b4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -0,0 +1,30 @@
+From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix setfiles_t to read symlinks
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+---
+ policy/modules/system/selinuxutil.te |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 9058dd8..f998491 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+ 
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
++
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+-- 
+1.7.9.5
+
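Review bot: files_read_all_symlinks(setfiles_t) is added directly below
files_dontaudit_read_all_symlinks(setfiles_t), which stays in place. Once
the read is allowed the dontaudit has nothing left to suppress. Remove the
dontaudit line in the same patch so the policy does not carry both an allow
and a dontaudit for the same access, and so the intent is clear to whoever
rebases this next.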
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
new file mode 100644
index 0000000..ec3dbf4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,33 @@
+From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH] allow sysadm to run rpcinfo
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
+type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/roles/sysadm.te |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 1767217..5502c6a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -413,6 +413,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpcbind_stream_connect(sysadm_t)
++')
++
++optional_policy(`
+ 	vmware_role(sysadm_r, sysadm_t)
+ ')
+ 
+-- 
+1.7.10.4
+
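Review bot: the AVC quoted in the commit message has scontext and tcontext
both set to rpcbind_t, so the recorded denial is rpcinfo running as
rpcbind_t and connecting to an rpcbind_t socket, while the hunk adds
rpcbind_stream_connect(sysadm_t). The source domain of the new rule does not
appear in the log. Quote the denial that has sysadm_t as the source, or
explain how rpcinfo ends up in rpcbind_t and why a sysadm_t rule addresses
it.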
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
new file mode 100644
index 0000000..82370d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
@@ -0,0 +1,35 @@
+From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 7519d0e..45de1ac 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -299,9 +299,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
++		type tty_device_t;
+ 	')
+ 
++	init_dontaudit_use_fds($1)
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.9.5
+
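Review bot: term_dontaudit_use_console now also silences tty_device_t access
and, through init_dontaudit_use_fds($1), use of init's file descriptors, for
every caller of an interface whose name only mentions the console. dontaudit
rules remove denials from the audit log, so this hides tty-related denials
that would otherwise help when debugging or reviewing a domain. Put the
tty_device_t rule in its own interface or update the interface summary, and
say in the commit message which denials prompted the change.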
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
new file mode 100644
index 0000000..d6c8dbf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -0,0 +1,37 @@
+From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/dmesg.if |    1 +
+ policy/modules/admin/dmesg.te |    2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c7..739a4bc 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+ 
+ 	corecmd_search_bin($1)
+ 	can_exec($1, dmesg_exec_t)
++	dev_read_kmsg($1)
+ ')
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 72bc6d8..c591aea 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
+ 
+ dev_read_sysfs(dmesg_t)
+ 
++dev_read_kmsg(dmesg_t)
++
+ fs_search_auto_mountpoints(dmesg_t)
+ 
+ term_dontaudit_use_console(dmesg_t)
+-- 
+1.7.9.5
+
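Review bot: In dmesg.if, dev_read_kmsg($1) is added to dmesg_exec, so every domain allowed to execute dmesg without a transition also gains read access to the kernel message device, while the dmesg.te line already covers dmesg_t itself. If such callers really need it, say so in the commit message, which currently has no body and no Upstream-Status tag, unlike the neighbouring patches.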
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..7e92b64
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,185 @@
+From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+Index: refpolicy/policy/modules/kernel/selinux.if
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/selinux.if
++++ refpolicy/policy/modules/kernel/selinux.if
+@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
+ 		type security_t;
+ 	')
+ 
++	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to
++	# access sysfs
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	# starting in libselinux 2.0.5, init_selinuxmnt() will
+ 	# attempt to short circuit by checking if SELINUXMNT
+ 	# (/selinux) is already a selinuxfs
+@@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	# starting in libselinux 2.0.5, init_selinuxmnt() will
+ 	# attempt to short circuit by checking if SELINUXMNT
+ 	# (/selinux) is already a selinuxfs
+@@ -117,6 +122,8 @@ interface(`selinux_mount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem mount;
+ ')
+ 
+@@ -136,6 +143,8 @@ interface(`selinux_remount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem remount;
+ ')
+ 
+@@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem unmount;
+ ')
+ 
+@@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_search_sysfs($1)
+ 	allow $1 security_t:filesystem getattr;
+ 
+ 	dev_getattr_sysfs($1)
+@@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs'
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:filesystem getattr;
+ 
+ 	dev_dontaudit_getattr_sysfs($1)
+@@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir getattr;
+ ')
+ 
+@@ -234,6 +249,7 @@ interface(`selinux_search_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir search_dir_perms;
+ ')
+@@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs',
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ 	dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -361,6 +380,7 @@ interface(`selinux_read_policy',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans'
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -522,6 +544,7 @@ interface(`selinux_validate_context',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir list_dir_perms;
+ 	dontaudit $1 security_t:file rw_file_perms;
+ 	dontaudit $1 security_t:security check_context;
+@@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -660,6 +685,13 @@ interface(`selinux_compute_user_contexts
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
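Review bot: The last hunk (selinux_compute_user_contexts, @@ -660,6 +685,13 @@) adds dev_getattr_sysfs_dirs($1) seven times in a row; one call is enough, as in the other interfaces. The diffstat also claims 2 deletions although no hunk removes a line, and the retained comments still describe SELINUXMNT as (/selinux), so the embedded patch looks worth regenerating against the new release.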
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
new file mode 100644
index 0000000..f04ebec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -0,0 +1,65 @@
+From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/contrib/rpc.te       |    5 +++++
+ policy/modules/contrib/rpcbind.te   |    5 +++++
+ policy/modules/kernel/filesystem.te |    1 +
+ policy/modules/kernel/kernel.te     |    2 ++
+ 4 files changed, 13 insertions(+)
+
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ optional_policy(`
+ 	mount_exec(nfsd_t)
++	# Should domtrans to mount_t while mounting nfsd_fs_t.
++	mount_domtrans(nfsd_t)
++	# nfsd_t need to chdir to /var/lib/nfs and read files.
++	files_list_var(nfsd_t)
++	rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
+--- a/policy/modules/contrib/rpcbind.te
++++ b/policy/modules/contrib/rpcbind.te
+@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type oprofilefs_t;
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ 	# Bugzilla 222337
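Review bot: The rpcbind.te and kernel.te hunks grant MLS overrides for all levels (mls_socket_read_all_levels and mls_socket_write_all_levels on rpcbind_t, mls_socket_write_all_levels and mls_fd_use_all_levels on kernel_t) to fix one nfsd_t to rpcbind_t socket connection. The kernel_t additions are not explained in the commit message or in a comment; please document why they are needed or narrow the override. The comment in rpcbind.te also has a typo: "because the are running" should read "because they are running".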
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
new file mode 100644
index 0000000..0b8cc5d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -0,0 +1,32 @@
+From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 14:38:53 +0800
+Subject: [PATCH] fix setfiles statvfs to get file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+---
+ policy/modules/system/selinuxutil.te |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index f998491..1a4e565 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
+ # needs to be able to read symlinks to make restorecon on symlink working
+ files_read_all_symlinks(setfiles_t)
+ 
+-fs_getattr_all_xattr_fs(setfiles_t)
++fs_getattr_all_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+ fs_relabelfrom_noxattr_fs(setfiles_t)
+-- 
+1.7.9.5
+
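Review bot: Replacing fs_getattr_all_xattr_fs(setfiles_t) with fs_getattr_all_fs(setfiles_t) widens getattr from xattr-capable filesystems to every filesystem type; the commit message explains the statvfs need, so a one-line comment above the rule would keep that rationale in selinuxutil.te. The tag is spelled "Upstream-Status: pending" here and "Pending" in the sibling patches; use one spelling.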
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
new file mode 100644
index 0000000..be33bf1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
@@ -0,0 +1,43 @@
+From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.if |    1 +
+ policy/modules/system/userdomain.if  |    4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+ 	')
+ 
+ 	files_search_etc($1)
++	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b4a691d..20c8bf8 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
+ 	logging_read_audit_config($1)
+ 
+ 	seutil_manage_bin_policy($1)
++	seutil_manage_default_contexts($1)
++	seutil_manage_file_contexts($1)
++	seutil_manage_module_store($1)
++	seutil_manage_config($1)
+ 	seutil_run_checkpolicy($1, $2)
+ 	seutil_run_loadpolicy($1, $2)
+ 	seutil_run_semanage($1, $2)
+-- 
+1.7.9.5
+
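Review bot: The userdomain.if hunk gives every user of userdom_security_admin_template manage access to default contexts, file contexts, the module store and the SELinux config, yet the commit message has no body saying which tool failed without them. Please state the denials this fixes, and confirm that the manage_dirs_pattern line added to seutil_manage_config is intended for all existing callers of that interface and not only for the security admin role.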
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..2ae4185
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
@@ -0,0 +1,29 @@
+From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 12 Jun 2015 19:37:52 +0530
+Subject: [PATCH] refpolicy: update for systemd related allow rules
+
+It provide, the systemd support related allow rules
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/init.te |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index c8f007d..a9675f6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -929,3 +929,8 @@ optional_policy(`
+ optional_policy(`
+ 	zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
+\ No newline at end of file
+-- 
+1.7.9.5
+
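Review bot: The three rules appended to init.te are raw allow statements placed outside any conditional block, although the comment says they are systemd related, so they apply to every build that uses this policy. "allow kernel_t init_t:process dyntransition;" in particular needs a justification in the commit message, which only says the rules support systemd. The file also ends without a trailing newline, and the patch carries no Upstream-Status tag.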
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
deleted file mode 100644
index 062727b..0000000
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20141203.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MCS support. \
-An MCS policy is the same as an MLS policy but with only one sensitivity \
-level. This is useful on systems where a hierarchical policy (MLS) isn't \
-needed (pretty much all systems) but the non-hierarchical categories are. \
-"
-
-POLICY_TYPE = "mcs"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
new file mode 100644
index 0000000..062727b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
@@ -0,0 +1,11 @@
+SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+"
+
+POLICY_TYPE = "mcs"
+
+include refpolicy_${PV}.inc
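Review bot: refpolicy-mcs_2.20151208.bb is added with the same blob (062727b) that the deleted refpolicy-mcs_2.20141203.bb had, and the minimum, mls, standard and targeted recipes follow the same pattern, so these are pure renames. Generating the series with rename detection (git format-patch -M) would shrink the patch and make it obvious that only the version in the file name changed.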
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
deleted file mode 100644
index b275821..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20141203.bb
+++ /dev/null
@@ -1,48 +0,0 @@
-include refpolicy-targeted_${PV}.bb
-
-SUMMARY = "SELinux minimum policy"
-DESCRIPTION = "\
-This is a minimum reference policy with just core policy modules, and \
-could be used as a base for customizing targeted policy. \
-Pretty much everything runs as initrc_t or unconfined_t so all of the \
-domains are unconfined. \
-"
-
-POLICY_NAME = "minimum"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
-CORE_POLICY_MODULES = "unconfined \
-	selinuxutil storage sysnetwork \
-	application libraries miscfiles logging userdomain \
-	init mount modutils getty authlogin locallogin \
-	"
-
-# nscd caches libc-issued requests to the name service.
-# Without nscd.pp, commands want to use these caches will be blocked.
-EXTRA_POLICY_MODULES += "nscd"
-
-# pam_mail module enables checking and display of mailbox status upon
-# "login", so "login" process will access to /var/spool/mail.
-EXTRA_POLICY_MODULES += "mta"
-
-POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
-	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-
-	# Prepare to create policy store
-	mkdir -p ${D}${sysconfdir}/selinux/
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
-	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-		bzip2 -f $i && mv -f $i.bz2 $i
-	done
-	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-	for i in ${POLICY_MODULES_MIN}; do
-		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
-	done
-}
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
new file mode 100644
index 0000000..b275821
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -0,0 +1,48 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+
+CORE_POLICY_MODULES = "unconfined \
+	selinuxutil storage sysnetwork \
+	application libraries miscfiles logging userdomain \
+	init mount modutils getty authlogin locallogin \
+	"
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+
+	# Prepare to create policy store
+	mkdir -p ${D}${sysconfdir}/selinux/
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
+	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+		bzip2 -f $i && mv -f $i.bz2 $i
+	done
+	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+	for i in ${POLICY_MODULES_MIN}; do
+		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+	done
+}
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb b/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
deleted file mode 100644
index 7388232..0000000
--- a/recipes-security/refpolicy/refpolicy-mls_2.20141203.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MLS support. \
-It allows giving data labels such as \"Top Secret\" and preventing \
-such data from leaking to processes or files with lower classification. \
-"
-
-POLICY_TYPE = "mls"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
new file mode 100644
index 0000000..7388232
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
@@ -0,0 +1,10 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+
+POLICY_TYPE = "mls"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb b/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
deleted file mode 100644
index 3674fdd..0000000
--- a/recipes-security/refpolicy/refpolicy-standard_2.20141203.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMMARY = "Standard variants of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SELinux built with type enforcement \
-only."
-
-POLICY_TYPE = "standard"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb b/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
new file mode 100644
index 0000000..3674fdd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
@@ -0,0 +1,8 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+
+POLICY_TYPE = "standard"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
deleted file mode 100644
index b169604..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20141203.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy.  Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += " \
-            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-            file://refpolicy-unconfined_u-default-user.patch \
-           "
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
new file mode 100644
index 0000000..b169604
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
@@ -0,0 +1,20 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SRC_URI += " \
+            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+            file://refpolicy-unconfined_u-default-user.patch \
+           "
diff --git a/recipes-security/refpolicy/refpolicy_2.20141203.inc b/recipes-security/refpolicy/refpolicy_2.20141203.inc
deleted file mode 100644
index d58ddea..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20141203.inc
+++ /dev/null
@@ -1,60 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "69594ede341987904dc2a8b7f2129a93"
-SRC_URI[sha256sum] = "f438209c430d8a2d4ddcbe4bdd3edb46f6af7dc4913637af0b73c635e40c1522"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20141203:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
-            file://poky-fc-update-alternatives_sysvinit.patch \
-            file://poky-fc-update-alternatives_sysklogd.patch \
-            file://poky-fc-update-alternatives_hostname.patch \
-            file://poky-fc-fix-real-path_resolv.conf.patch \
-            file://poky-fc-fix-real-path_login.patch \
-            file://poky-fc-fix-real-path_shadow.patch \
-            file://poky-fc-fix-bind.patch \
-            file://poky-fc-clock.patch \
-            file://poky-fc-corecommands.patch \
-            file://poky-fc-dmesg.patch \
-            file://poky-fc-fstools.patch \
-            file://poky-fc-iptables.patch \
-            file://poky-fc-mta.patch \
-            file://poky-fc-netutils.patch \
-            file://poky-fc-nscd.patch \
-            file://poky-fc-screen.patch \
-            file://poky-fc-ssh.patch \
-            file://poky-fc-su.patch \
-            file://poky-fc-sysnetwork.patch \
-            file://poky-fc-udevd.patch \
-            file://poky-fc-rpm.patch \
-            file://poky-fc-ftpwho-dir.patch \
-            file://poky-fc-fix-real-path_su.patch \
-            file://refpolicy-update-for_systemd.patch \
-           "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
-            file://poky-policy-add-rules-for-var-log-symlink.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
-            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
-            file://poky-policy-add-rules-for-var-cache-symlink.patch \
-            file://poky-policy-add-rules-for-tmp-symlink.patch \
-            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-            file://poky-policy-don-t-audit-tty_device_t.patch \
-            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
-            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
-            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
-            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
-            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
-           "
-
-# Other policy fixes 
-SRC_URI += " \
-            file://poky-policy-fix-seutils-manage-config-files.patch \
-            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
-            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
-           "
-
-include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
new file mode 100644
index 0000000..ce90b13
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -0,0 +1,60 @@
+SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "7b1ca12e9ea0254508391559cb8f2c41"
+SRC_URI[sha256sum] = "2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20151208:"
+
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+            file://poky-fc-update-alternatives_sysvinit.patch \
+            file://poky-fc-update-alternatives_sysklogd.patch \
+            file://poky-fc-update-alternatives_hostname.patch \
+            file://poky-fc-fix-real-path_resolv.conf.patch \
+            file://poky-fc-fix-real-path_login.patch \
+            file://poky-fc-fix-real-path_shadow.patch \
+            file://poky-fc-fix-bind.patch \
+            file://poky-fc-clock.patch \
+            file://poky-fc-corecommands.patch \
+            file://poky-fc-dmesg.patch \
+            file://poky-fc-fstools.patch \
+            file://poky-fc-iptables.patch \
+            file://poky-fc-mta.patch \
+            file://poky-fc-netutils.patch \
+            file://poky-fc-nscd.patch \
+            file://poky-fc-screen.patch \
+            file://poky-fc-ssh.patch \
+            file://poky-fc-su.patch \
+            file://poky-fc-sysnetwork.patch \
+            file://poky-fc-udevd.patch \
+            file://poky-fc-rpm.patch \
+            file://poky-fc-ftpwho-dir.patch \
+            file://poky-fc-fix-real-path_su.patch \
+            file://refpolicy-update-for_systemd.patch \
+           "
+
+# Specific policy for Poky
+SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
+            file://poky-policy-add-rules-for-var-log-symlink.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
+            file://poky-policy-add-rules-for-var-cache-symlink.patch \
+            file://poky-policy-add-rules-for-tmp-symlink.patch \
+            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
+            file://poky-policy-don-t-audit-tty_device_t.patch \
+            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
+            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
+            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
+            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
+           "
+
+# Other policy fixes 
+SRC_URI += " \
+            file://poky-policy-fix-seutils-manage-config-files.patch \
+            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
+            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
+           "
+
+include refpolicy_common.inc
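Review bot: FILESEXTRAPATHS_prepend hard-codes refpolicy-2.20151208 while refpolicy-targeted_2.20151208.bb uses ${THISDIR}/refpolicy-${PV}; using ${PV} here as well would remove one manual edit from the next upgrade. The SRC_URI value also ends with a stray ';' and the "# Other policy fixes " comment carries trailing whitespace.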
-- 
2.1.4




* [meta-selinux][PATCH 2/2] refpolicy: Remove 2.20140311 release.
  2016-03-21  4:26 [meta-selinux][PATCH 0/2] policy upgrade and cleanup Philip Tricca
  2016-03-21  4:26 ` [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208 Philip Tricca
@ 2016-03-21  4:26 ` Philip Tricca
  1 sibling, 0 replies; 5+ messages in thread
From: Philip Tricca @ 2016-03-21  4:26 UTC (permalink / raw)
  To: mark.hatle, Joe_MacDonald, yocto

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |  39 ----
 .../refpolicy-2.20140311/poky-fc-clock.patch       |  22 --
 .../poky-fc-corecommands.patch                     |  24 ---
 .../refpolicy-2.20140311/poky-fc-dmesg.patch       |  20 --
 .../refpolicy-2.20140311/poky-fc-fix-bind.patch    |  30 ---
 .../poky-fc-fix-real-path_login.patch              |  37 ----
 .../poky-fc-fix-real-path_resolv.conf.patch        |  24 ---
 .../poky-fc-fix-real-path_shadow.patch             |  34 ---
 .../poky-fc-fix-real-path_su.patch                 |  25 ---
 .../refpolicy-2.20140311/poky-fc-fstools.patch     |  65 ------
 .../refpolicy-2.20140311/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20140311/poky-fc-iptables.patch    |  24 ---
 .../refpolicy-2.20140311/poky-fc-mta.patch         |  27 ---
 .../refpolicy-2.20140311/poky-fc-netutils.patch    |  24 ---
 .../refpolicy-2.20140311/poky-fc-nscd.patch        |  27 ---
 .../refpolicy-2.20140311/poky-fc-rpm.patch         |  25 ---
 .../refpolicy-2.20140311/poky-fc-screen.patch      |  27 ---
 .../refpolicy-2.20140311/poky-fc-ssh.patch         |  24 ---
 .../refpolicy-2.20140311/poky-fc-su.patch          |  23 ---
 .../refpolicy-2.20140311/poky-fc-subs_dist.patch   |  29 ---
 .../refpolicy-2.20140311/poky-fc-sysnetwork.patch  |  41 ----
 .../refpolicy-2.20140311/poky-fc-udevd.patch       |  35 ----
 .../poky-fc-update-alternatives_hostname.patch     |  23 ---
 .../poky-fc-update-alternatives_sysklogd.patch     |  59 ------
 .../poky-fc-update-alternatives_sysvinit.patch     |  53 -----
 ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 -----------
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |  30 ---
 .../poky-policy-add-rules-for-tmp-symlink.patch    |  99 ---------
 ...ky-policy-add-rules-for-var-cache-symlink.patch |  34 ---
 ...licy-add-rules-for-var-log-symlink-apache.patch |  31 ---
 ...rules-for-var-log-symlink-audisp_remote_t.patch |  29 ---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------
 ...ky-policy-add-syslogd_t-to-trusted-object.patch |  31 ---
 ...-policy-allow-nfsd-to-exec-shell-commands.patch |  58 ------
 ...-policy-allow-setfiles_t-to-read-symlinks.patch |  29 ---
 .../poky-policy-allow-sysadm-to-run-rpcinfo.patch  |  33 ---
 .../poky-policy-don-t-audit-tty_device_t.patch     |  35 ----
 .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch    |  37 ----
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 229 ---------------------
 ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch |  65 ------
 ...olicy-fix-setfiles-statvfs-get-file-count.patch |  31 ---
 ...ky-policy-fix-seutils-manage-config-files.patch |  43 ----
 .../refpolicy-update-for_systemd.patch             |  46 -----
 .../refpolicy/refpolicy-mcs_2.20140311.bb          |  11 -
 .../refpolicy/refpolicy-minimum_2.20140311.bb      |  48 -----
 .../refpolicy/refpolicy-mls_2.20140311.bb          |  10 -
 .../refpolicy/refpolicy-standard_2.20140311.bb     |   8 -
 .../refpolicy/refpolicy-targeted_2.20140311.bb     |  20 --
 .../refpolicy/refpolicy_2.20140311.inc             |  60 ------
 49 files changed, 2071 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
 delete mode 100644 recipes-security/refpolicy/refpolicy_2.20140311.inc

diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
deleted file mode 100644
index 49da4b6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
-   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/contrib/ftp.te |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
-index 544c512..12a31dd 100644
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
- 
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
--- 
-1.7.10.4
-
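Review bot: mls_file_write_all_levels(ftpd_t) in the ftp.te hunk is a broad exemption for the single denial quoted in the description, where ftpd_t at s15:c0.c1023 creates proftpd.delay in a var_run_t directory ranged s0-s15:c0.c1023. The same patch file is listed in the SRC_URI of the replacement recipe and is still marked Upstream-Status: Pending, so it is worth asking whether a narrower MLS interface, or starting proftpd at a lower level, would cover the /var/run write without exempting ftpd_t at every level. Separately, the commit message for this removal has no body; one line saying the 2.20140311 patches are superseded by the copies carried with 2.20151208 would document why deleting them is safe.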
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
deleted file mode 100644
index 3ff8f55..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..a74c40c 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,5 @@
- /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
- 
- /sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
deleted file mode 100644
index 24b67c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f051c4a..ab624f3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
- /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
- 
- #
- # /opt
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
deleted file mode 100644
index db4c4d4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..7f3e5b0 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,3 @@
- 
- /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
deleted file mode 100644
index 59ba5bc..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/bind.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
-index 2b9a3a1..fd45d53 100644
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
- 
- /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
--- 
-1.7.9.5
-
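Review bot: the added /etc/bind/rndc\.conf line in bind.fc separates its fields with runs of spaces, while every neighbouring entry uses tabs. Convert it to tabs so the file stays consistent and later diffs against upstream do not pick up whitespace-only noise.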
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index 427181e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/authlogin.fc |    7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c8dd17f 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,5 +1,7 @@
- 
- /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin	--	gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-@@ -9,9 +11,9 @@
- 
- /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
--- 
-1.7.5.4
-
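Review bot: the second authlogin.fc hunk replaces the /sbin/unix_chkpwd, /sbin/unix_update and /sbin/unix_verify entries with /usr/sbin ones instead of adding the new paths next to them, unlike the first hunk, which adds login\.shadow and login\.tinylogin alongside /bin/login. If any image still installs these helpers under /sbin they lose chkpwd_exec_t and updpwd_exec_t and no longer run in their own domains. Keeping both path sets is safer, or the description should state that /sbin is never used for them.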
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
deleted file mode 100644
index 80cca67..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix real path for resolv.conf
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/sysnetwork.fc |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..dec8632 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
- /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
- 
- /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
--- 
-1.7.5.4
-
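Review bot: the added /var/run/resolv\.conf.* entry in sysnetwork.fc only takes effect when the file is labeled by setfiles or restorecon; a resolv.conf created at runtime under /var/run gets its type from the parent directory or a type transition, not from this line. The description should say which component creates the file and how it ends up as net_conf_t. The entry also sits in the middle of the /etc block; moving it to the /var/run section of the file would match the existing ordering.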
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 29ac2c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/usermanage.fc |    6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce..841ba9b 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
- 
- /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow	--	gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow	--	gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin	--	gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- 
- /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
deleted file mode 100644
index b0392ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/admin/su.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index a563687..0f43827 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -4,3 +4,5 @@
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
-+
-+/bin/su.shadow		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.9.5
-
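Review bot: in the su.fc hunk, /bin/su.shadow leaves the dot unescaped, so the file-context regex matches any character in that position rather than a literal dot. The other patches in this series write \.shadow and \.util-linux; use /bin/su\.shadow here so su_exec_t is applied only to the intended binary.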
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
deleted file mode 100644
index 38c96c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/fstools.fc |   11 +++++++++++
- 1 file changed, 11 insertions(+)
-
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,6 +1,8 @@
- /sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,11 @@
- /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm\.hdparm	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +28,7 @@
- /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -34,6 +39,7 @@
- /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -50,7 +56,12 @@
- 
- /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
- /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index a7d434f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/contrib/ftp.fc |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
-index ddb75c1..26fec47 100644
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -9,7 +9,7 @@
- 
- /usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- 
--/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
deleted file mode 100644
index 89b1547..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..84ac92b 100644
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -13,6 +13,7 @@
- /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- 
- /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
deleted file mode 100644
index bbd83ec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/mta.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
-index f42896c..0d4bcef 100644
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
- /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
deleted file mode 100644
index b45d03e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..f2ed3dc 100644
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -3,6 +3,7 @@
- /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
deleted file mode 100644
index 1db328c..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/nscd.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
-index ba64485..61a6f24 100644
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,6 +1,7 @@
- /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
- 
- /usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
- 
- /var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
deleted file mode 100644
index 7ba3380..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/contrib/rpm.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
-index ebe91fc..539063c 100644
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
- 
- ifdef(`enable_mls',`
- /usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
--- 
-1.7.9.5
-
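Review bot: /bin/cpio.cpio in the rpm.fc hunk has an unescaped dot, so the pattern is looser than the literal path it is meant to label with rpm_exec_t; write it as /bin/cpio\.cpio. The subject line says "fix real path for cpio" while the file is named poky-fc-rpm.patch, and aligning the two would make the patch easier to find.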
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
deleted file mode 100644
index 3218194..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/screen.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
-index e7c2cf7..49ddca2 100644
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
- 
- /usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*	--	gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
- 
- /var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
deleted file mode 100644
index 9aeb3a2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..9717428 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
- 
- /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- 
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
deleted file mode 100644
index 358e4ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..a563687 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,5 +1,6 @@
- 
- /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
- 
- /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
deleted file mode 100644
index cfec7d9..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes 
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -19,3 +19,13 @@
- /usr/local/lib64 /usr/lib
- /usr/local/lib /usr/lib
- /var/run/lock /var/lock
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
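Review bot: The commit message of the deleted poky-fc-subs_dist.patch explains what file_contexts.subs_dist is for but not why each mapping is needed. The /var/volatile lines are self-explanatory, while "/www /var/www" and the three /usr/lib/busybox entries are not. If this patch is carried for the remaining release, add a sentence per group to the message. "/var/volatile/run/lock" is also nested under "/var/volatile/run", which has its own mapping, so it is worth confirming with a label lookup on a built image that the lock path resolves to /var/lock and not to /var/run/lock.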
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
deleted file mode 100644
index e0af6a1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/sysnetwork.fc | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index dec8632..2e602e4 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -3,6 +3,7 @@
- # /bin
- #
- /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /dev
-@@ -43,13 +44,16 @@ ifdef(`distro_redhat',`
- /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ethtool	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
--- 
-1.7.11.7
-
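Review bot: In the first inner hunk of the deleted poky-fc-sysnetwork.patch, "/sbin/ip\.iproute2" is added under the "# /bin" comment block next to "/bin/ip", while the second hunk adds the other alternatives ("/sbin/ifconfig\.net-tools", "/sbin/mii-tool\.net-tools") to the /sbin list. Likewise "/usr/sbin/ethtool" lands in the middle of the /sbin entries. If an equivalent patch is kept for the newer release, place each entry in the section matching its directory so that the next rebase of the .fc file does not silently drop or duplicate it.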
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
deleted file mode 100644
index c6c19be..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/system/udev.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..491bb23 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -10,6 +10,7 @@
- /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
- ')
- 
- /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
- /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index cedb5b5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/hostname.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..4003b6d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,3 @@
- 
- /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index 868ee6b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.fc |    4 ++++
- policy/modules/system/logging.te |    1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..c005f33 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,19 +2,23 @@
- 
- /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
- /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
- /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 87e3db2..2914b0b 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
- 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--- 
-1.7.9.5
-
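Review bot: The logging.te hunk of the deleted poky-fc-update-alternatives_sysklogd.patch grants "allow syslogd_t syslog_conf_t:lnk_file read_file_perms;", which applies the permission set for regular files to the lnk_file class. The other symlink rules removed in this commit use read_lnk_file_perms (for example "allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;"), the set refpolicy defines for symlinks and the narrower of the two. If this rule is carried for the release that remains, switch it to read_lnk_file_perms so syslogd_t gets no more than the symlink read it needs.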
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index 3a617d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/shutdown.fc    |    1 +
- policy/modules/kernel/corecommands.fc |    1 +
- policy/modules/system/init.fc         |    1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
-index a91f33b..90e51e0 100644
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -3,6 +3,7 @@
- /lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index bcfdba7..87502a3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -10,6 +10,7 @@
- /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
- /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..020b9fe 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
- # /sbin
- #
- /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
deleted file mode 100644
index 9a3322f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/terminal.if |   16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..7519d0e 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file getattr;
-+	dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
-@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir search;
- 	allow $1 devpts_t:chr_file ioctl;
-+	allow $1 bsdpty_device_t:chr_file ioctl;
- ')
- 
- ########################################
-@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	allow $1 devpts_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file setattr;
-+	dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devpts_t:dir list_dir_perms;
- 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- ########################################
-@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- 	gen_require(`
- 		type devpts_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
- 
- #######################################
-@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file setattr;
-+	allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
-@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- 	gen_require(`
- 		type devtty_t;
-+		type bsdpty_device_t;
- 	')
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- #######################################
--- 
-1.7.9.5
-
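Review bot: The deleted poky-policy-add-rules-for-bsdpty_device_t.patch is tagged "Upstream-Status: Pending", unlike the neighbouring patches here that are marked Inappropriate, so removing this copy should not lose the upstreaming follow-up; note in the commit message where that is tracked. On content, the last two inner hunks add bsdpty_device_t rules to term_setattr_controlling_term and term_use_controlling_term, which otherwise only cover devtty_t. The subject says the goal is to complete pty devices, which explains the devpts_t interfaces but not these two. Any carried-forward copy should either justify the controlling-terminal additions in its message or drop them, since every caller of those interfaces gains "rw_term_perms lock append" on bsdpty_device_t.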
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index aa9734a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ad9ea5..70427d8 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
- 
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
deleted file mode 100644
index 210c297..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/files.fc |    1 +
- policy/modules/kernel/files.if |    8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..a0db748 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
- # /tmp
- #
- /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.*				<<none>>
- /tmp/\.journal			<<none>>
- 
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..a7384b0 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir search_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
- 	')
- 
- 	allow $1 tmp_t:dir list_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
- 	')
- 
- 	allow $1 tmp_t:dir del_entry_dir_perms;
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
- 	')
- 
- 	read_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
- 	')
- 
- 	manage_dirs_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
- 	')
- 
- 	manage_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
- 	')
- 
- 	rw_sock_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
- 	')
- 
- 	filetrans_pattern($1, tmp_t, $2, $3, $4)
-+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
--- 
-1.7.5.4
-
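Review bot: The "From 22cd030a8118faae37c0835eb7875e482efe5dc1" line and the Date header of the deleted poky-policy-add-rules-for-tmp-symlink.patch are identical to those of poky-fc-update-alternatives_sysvinit.patch removed earlier in this commit, so at least one of the two carries a copied header and the commit id cannot be used to trace it. If a copy of this patch survives for the newer release, regenerate the header from the real commit. The lnk_file rule is also added to files_tmp_filetrans and the manage/rw interfaces as well as the search/list ones; a single rule in files_search_tmp, which the message already names, would be easier to audit if the other interfaces reach /tmp through it.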
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
deleted file mode 100644
index 18a92dd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/domain.te |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9ffe6b0 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
- 
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- 	# This check is in the general socket
- 	# listen code, before protocol-specific
--- 
-1.7.9.5
-
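Review bot: The rule added by the deleted poky-policy-add-rules-for-var-cache-symlink.patch is "files_read_var_symlinks(domain)" in domain.te, so it applies to every domain in the policy, while the file name suggests it only concerns /var/cache. The message's argument that this is still safe (domains need their own rules to read the link targets) is the only justification and it lives in the patch header, not next to the rule. If the equivalent patch is kept for the remaining release, rename the file to match its scope and extend the in-policy comment ("# Yocto/oe-core use some var volatile links") with that reasoning, so that a later audit of domain-wide grants can see why it is there.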
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
deleted file mode 100644
index 8bc40c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/apache.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index ec8bd13..06f2e95 100644
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
- 
- allow httpd_t httpd_modules_t:dir list_dir_perms;
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index cbf0f7d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 8426a49..2ad9ea5 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--- 
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index b06f3ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |   14 +++++++++++++-
- policy/modules/system/logging.te |    1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index c005f33..9529e40 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
- 
- /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9a6f599 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
- #
- interface(`logging_read_audit_log',`
- 	gen_require(`
--		type auditd_log_t;
-+		type auditd_log_t, var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	read_files_pattern($1, auditd_log_t, auditd_log_t)
- 	allow $1 auditd_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir search_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir rw_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
-@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
- interface(`logging_read_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, logfile, logfile)
- ')
- 
-@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- 	gen_require(`
- 		attribute logfile;
-+		type var_log_t;
- 	')
- 
- 	files_search_var($1)
- 	allow $1 logfile:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	can_exec($1, logfile)
- ')
- 
-@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	read_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
- 
- 	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- 	rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
-@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
- 
- 	files_search_var($1)
- 	manage_files_pattern($1, var_log_t, var_log_t)
-+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ab0a49..2795d89 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
--- 
-1.7.9.5
-
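Review bot: The same rule, `allow $1 var_log_t:lnk_file read_lnk_file_perms;`, is pasted into every logging.if interface visible in this deleted patch, including `logging_read_audit_log`, which otherwise only touches `auditd_log_t` and has to require `var_log_t` just for the symlink. If the replacement release still needs /var/log to be a symlink, consider carrying this as one small interface that the others call, so the grant is stated once and is easy to audit or drop later.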
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
deleted file mode 100644
index 92b1592..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/logging.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2914b0b..2ab0a49 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
- 
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
- 
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
--- 
-1.7.9.5
-
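Review bot: `mls_trusted_object(syslogd_t)` in the deleted logging.te change is wider than its comment. The stated need is connectto/sendto on /dev/log, but marking the whole `syslogd_t` type as a trusted object lifts the MLS level checks for access to objects of that type in general. If an equivalent is carried for the newer release, say so in the patch description and include the AVC that motivated it, or scope the exemption to the socket access that was actually denied.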
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index e77a730..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/contrib/rpc.te   |    2 +-
- policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 9566932..5605205 100644
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
- 
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..8a669c5 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
- 
- ########################################
- ## <summary>
-+##	Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+	gen_require(`
-+		type proc_t;
-+	')
-+
-+	allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
--- 
-1.7.5.4
-
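Review bot: The subject line, "allow nfsd to exec shell commands", does not match the change. The deleted patch uncomments `kernel_mounton_proc(nfsd_t)` in rpc.te and adds a `kernel_mounton_proc` interface granting `proc_t:dir mounton`; nothing in it concerns executing a shell. It also carries the same `From 22cd030a8118...` hash as poky-policy-allow-setfiles_t-to-read-symlinks.patch, so the header looks copied. If this is carried forward, retitle it and record why nfsd_t needs mounton on proc_t, ideally with the denial.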
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index 71497fb..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending 
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/selinuxutil.te |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..45ed81b 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -553,6 +553,9 @@ files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- 
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index ec3dbf4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- policy/modules/roles/sysadm.te |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1767217..5502c6a 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -413,6 +413,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- 	vmware_role(sysadm_r, sysadm_t)
- ')
- 
--- 
-1.7.10.4
-
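Review bot: The AVC quoted in the deleted patch's description does not match the rule it adds. The denial has `scontext=...:rpcbind_t` and `tcontext=...:rpcbind_t` for `comm="rpcinfo"`, so rpcinfo was already running in rpcbind_t when connectto on /run/rpcbind.sock was refused, while the change is `rpcbind_stream_connect(sysadm_t)`. Granting sysadm_t the connect would not change a denial whose source domain is rpcbind_t. If this fix is carried forward, attach the denial that shows sysadm_t as the source, or explain how rpcinfo ends up in rpcbind_t.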
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
deleted file mode 100644
index 82370d8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/kernel/terminal.if |    3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 7519d0e..45de1ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -299,9 +299,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- 	gen_require(`
- 		type console_device_t;
-+		type tty_device_t;
- 	')
- 
-+	init_dontaudit_use_fds($1)
- 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
- 
- ########################################
--- 
-1.7.9.5
-
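Review bot: `term_dontaudit_use_console` ends up suppressing more than its name says. Besides `console_device_t`, the deleted change adds `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` and `init_dontaudit_use_fds($1)`, so every caller of the console interface also stops logging tty and init fd denials. dontaudit rules remove evidence that detection and policy debugging rely on; if this is still needed, put the tty and fd suppression in the specific domains that produce the noise rather than in the shared interface.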
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index d6c8dbf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/dmesg.if |    1 +
- policy/modules/admin/dmesg.te |    2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c7..739a4bc 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
- 
- 	corecmd_search_bin($1)
- 	can_exec($1, dmesg_exec_t)
-+	dev_read_kmsg($1)
- ')
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..c591aea 100644
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
--- 
-1.7.9.5
-
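Review bot: This deleted patch has no Upstream-Status line and no description, unlike its neighbours, and the dmesg.if part puts `dev_read_kmsg($1)` inside `dmesg_exec`, so any domain allowed to execute dmesg without a transition also gains read access to /dev/kmsg. The dmesg.te line for `dmesg_t` is the expected place for the grant. If the change is carried forward, add the header and justify or drop the interface-side grant.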
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 302a38f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
- 		type security_t;
- 	')
- 
-+	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+	# access sysfs
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	# starting in libselinux 2.0.5, init_selinuxmnt() will
- 	# attempt to short circuit by checking if SELINUXMNT
- 	# (/selinux) is already a selinuxfs
-@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem mount;
- ')
- 
-@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem remount;
- ')
- 
-@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem unmount;
- ')
- 
-@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:filesystem getattr;
- ')
- 
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:filesystem getattr;
- ')
- 
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir getattr;
- ')
- 
-@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir search_dir_perms;
- ')
-@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- ')
- 
-@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir search_dir_perms;
- 	dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file read_file_perms;
-@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
- 
-@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
--
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- 	allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
- 		attribute can_setsecparam;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
- 		type security_t;
- 	')
- 
-+	dev_dontaudit_search_sysfs($1)
- 	dontaudit $1 security_t:dir list_dir_perms;
- 	dontaudit $1 security_t:file rw_file_perms;
- 	dontaudit $1 security_t:security check_context;
-@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
-@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
- 	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
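Review bot: The context comments in `selinux_get_fs_mount` and `selinux_dontaudit_get_fs_mount` still describe SELINUXMNT as `(/selinux)`, directly under the new comment saying it is /sys/fs/selinux, and the header marks the change "Inappropriate [only for Poky]" although the description gives the mount point move, not anything Poky-specific, as the reason. Separately, the `dev_dontaudit_search_sysfs($1)` lines added to the dontaudit interfaces hide sysfs search denials for every caller. If an equivalent is carried for the newer release, update the stale comments and keep the dontaudit additions to the interfaces where the noise was actually observed.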
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
deleted file mode 100644
index f04ebec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te       |    5 +++++
- policy/modules/contrib/rpcbind.te   |    5 +++++
- policy/modules/kernel/filesystem.te |    1 +
- policy/modules/kernel/kernel.te     |    2 ++
- 4 files changed, 13 insertions(+)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
- 
- optional_policy(`
- 	mount_exec(nfsd_t)
-+	# Should domtrans to mount_t while mounting nfsd_fs_t.
-+	mount_domtrans(nfsd_t)
-+	# nfsd_t need to chdir to /var/lib/nfs and read files.
-+	files_list_var(nfsd_t)
-+	rpc_read_nfs_state_data(nfsd_t)
- ')
- 
- ########################################
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
- 
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
- 
- type oprofilefs_t;
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
- 
- ifdef(`distro_redhat',`
- 	# Bugzilla 222337
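Review bot: The MLS overrides in this deleted patch are broader than the subject ("fix policy for nfsserver to mount nfsd_fs_t") suggests. rpcbind.te gets both `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` with a comment about a single nfsd_t to rpcbind_t stream socket, and kernel.te gets `mls_socket_write_all_levels(kernel_t)` and `mls_fd_use_all_levels(kernel_t)` with no comment at all. If these are carried forward, document the denial behind each override, and fix the comment typo "the are running".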
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 90efbd8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/selinuxutil.te |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 45ed81b..12c3d2e 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t)
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
- 
--fs_getattr_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
--- 
-1.7.9.5
-
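Review bot: This deleted patch only applies on top of poky-policy-allow-setfiles_t-to-read-symlinks.patch: its pre-image `index 45ed81b` is that patch's post-image, and its context includes the `files_read_all_symlinks(setfiles_t)` lines that patch adds. The ordering dependency is not written down in the header, and "Upstream-Status: pending" is lower-case where the other patches use "Pending". Both are worth fixing if the pair is carried into the replacement release.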
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
deleted file mode 100644
index be33bf1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/system/selinuxutil.if |    1 +
- policy/modules/system/userdomain.if  |    4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..db03ca1 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
- 	')
- 
- 	files_search_etc($1)
-+	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
- 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index b4a691d..20c8bf8 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
- 	logging_read_audit_config($1)
- 
- 	seutil_manage_bin_policy($1)
-+	seutil_manage_default_contexts($1)
-+	seutil_manage_file_contexts($1)
-+	seutil_manage_module_store($1)
-+	seutil_manage_config($1)
- 	seutil_run_checkpolicy($1, $2)
- 	seutil_run_loadpolicy($1, $2)
- 	seutil_run_semanage($1, $2)
--- 
-1.7.9.5
-
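Review bot: The grants added to `userdom_security_admin_template` go well past the subject line. Besides `seutil_manage_config($1)`, the deleted change gives every domain built from the template `seutil_manage_default_contexts`, `seutil_manage_file_contexts` and `seutil_manage_module_store`, and there is no description or denial explaining which tool needed them. If this is carried forward, list the failing operation for each interface so the ones that are not needed can be dropped.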
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
deleted file mode 100644
index 80b420c..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-refpolicy: update for systemd
- 
-It provides the systemd support for refpolicy 
-and related allow rules. 
-The restorecon provides systemd init labeled 
-as init_exec_t.
-
-Upstream-Status: Pending
-
-
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -5,6 +5,9 @@
- /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- /sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
-+# systemd support
-+/bin/systemctl	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
-+
- /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -31,6 +31,8 @@
- #
- /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
- /sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
-+# systemd support
-+/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
- 
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -913,3 +913,8 @@
- optional_policy(`
- 	zebra_read_config(initrc_t)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
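Review bot: The three raw `allow` rules appended to init.te name types owned by other modules (`kernel_t`, `devpts_t`, `device_t`) directly instead of going through those modules' interfaces, and they sit outside any `optional_policy` block, so they are unconditional. The shutdown.fc line also labels /bin/systemctl as `shutdown_exec_t`, although systemctl does far more than shutdown. The embedded patch has no From or Date header either. If systemd support is still needed in the newer release, split these out with a justification per rule.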
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
deleted file mode 100644
index 062727b..0000000
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MCS support. \
-An MCS policy is the same as an MLS policy but with only one sensitivity \
-level. This is useful on systems where a hierarchical policy (MLS) isn't \
-needed (pretty much all systems) but the non-hierarchical categories are. \
-"
-
-POLICY_TYPE = "mcs"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
deleted file mode 100644
index b275821..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
+++ /dev/null
@@ -1,48 +0,0 @@
-include refpolicy-targeted_${PV}.bb
-
-SUMMARY = "SELinux minimum policy"
-DESCRIPTION = "\
-This is a minimum reference policy with just core policy modules, and \
-could be used as a base for customizing targeted policy. \
-Pretty much everything runs as initrc_t or unconfined_t so all of the \
-domains are unconfined. \
-"
-
-POLICY_NAME = "minimum"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
-CORE_POLICY_MODULES = "unconfined \
-	selinuxutil storage sysnetwork \
-	application libraries miscfiles logging userdomain \
-	init mount modutils getty authlogin locallogin \
-	"
-
-# nscd caches libc-issued requests to the name service.
-# Without nscd.pp, commands want to use these caches will be blocked.
-EXTRA_POLICY_MODULES += "nscd"
-
-# pam_mail module enables checking and display of mailbox status upon
-# "login", so "login" process will access to /var/spool/mail.
-EXTRA_POLICY_MODULES += "mta"
-
-POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
-	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-
-	# Prepare to create policy store
-	mkdir -p ${D}${sysconfdir}/selinux/
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
-	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-		bzip2 -f $i && mv -f $i.bz2 $i
-	done
-	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-	for i in ${POLICY_MODULES_MIN}; do
-		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
-	done
-}
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
deleted file mode 100644
index 7388232..0000000
--- a/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MLS support. \
-It allows giving data labels such as \"Top Secret\" and preventing \
-such data from leaking to processes or files with lower classification. \
-"
-
-POLICY_TYPE = "mls"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
deleted file mode 100644
index 3674fdd..0000000
--- a/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMMARY = "Standard variants of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SELinux built with type enforcement \
-only."
-
-POLICY_TYPE = "standard"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
deleted file mode 100644
index b169604..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy.  Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += " \
-            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-            file://refpolicy-unconfined_u-default-user.patch \
-           "
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc
deleted file mode 100644
index 557b4ab..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ /dev/null
@@ -1,60 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "418f8d2a6ada3a299816153e70970449"
-SRC_URI[sha256sum] = "f69437db95548c78a5dec44c236397146b144153149009ea554d2e536e5436f7"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
-            file://poky-fc-update-alternatives_sysvinit.patch \
-            file://poky-fc-update-alternatives_sysklogd.patch \
-            file://poky-fc-update-alternatives_hostname.patch \
-            file://poky-fc-fix-real-path_resolv.conf.patch \
-            file://poky-fc-fix-real-path_login.patch \
-            file://poky-fc-fix-real-path_shadow.patch \
-            file://poky-fc-fix-bind.patch \
-            file://poky-fc-clock.patch \
-            file://poky-fc-corecommands.patch \
-            file://poky-fc-dmesg.patch \
-            file://poky-fc-fstools.patch \
-            file://poky-fc-iptables.patch \
-            file://poky-fc-mta.patch \
-            file://poky-fc-netutils.patch \
-            file://poky-fc-nscd.patch \
-            file://poky-fc-screen.patch \
-            file://poky-fc-ssh.patch \
-            file://poky-fc-su.patch \
-            file://poky-fc-sysnetwork.patch \
-            file://poky-fc-udevd.patch \
-            file://poky-fc-rpm.patch \
-            file://poky-fc-ftpwho-dir.patch \
-            file://poky-fc-fix-real-path_su.patch \
-            file://refpolicy-update-for_systemd.patch \
-           "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
-            file://poky-policy-add-rules-for-var-log-symlink.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
-            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
-            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
-            file://poky-policy-add-rules-for-var-cache-symlink.patch \
-            file://poky-policy-add-rules-for-tmp-symlink.patch \
-            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-            file://poky-policy-don-t-audit-tty_device_t.patch \
-            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
-            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
-            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
-            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
-            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
-           "
-
-# Other policy fixes 
-SRC_URI += " \
-            file://poky-policy-fix-seutils-manage-config-files.patch \
-            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
-            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
-           "
-
-include refpolicy_common.inc
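Review bot: the grouping comments in this patch list do not match its contents, which matters if the list was copied forward into the newer release's .inc. refpolicy-update-for_systemd.patch sits under "# Fix file contexts for Poky" although its name describes a policy update, and all three groups are added with a plain "SRC_URI +=" with no distro override, so the "for Poky" patches apply to every distro that builds this recipe. Before the old queue disappears, it would help to note which of these entries are still needed (poky-policy-fix-new-SELINUXMNT-in-sys.patch and refpolicy-update-for_systemd.patch are the obvious candidates to re-check) and to either drop the "Poky" labels or gate those patches on the distro.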
-- 
2.1.4




* Re: [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208.
  2016-03-21  4:26 ` [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208 Philip Tricca
@ 2016-03-22 19:43   ` Stephen Smalley
  2016-03-29  1:45     ` Philip Tricca
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2016-03-22 19:43 UTC (permalink / raw)
  To: Philip Tricca, mark.hatle, Joe_MacDonald, yocto

On 03/21/2016 12:26 AM, Philip Tricca wrote:
> This was mostly straightforward. Had to refresh a single patch:
> poky-policy-fix-new-SELINUXMNT-in-sys.patch

Can we drop that one?  Doesn't upstream already include rules for the
change from /selinux to /sys/fs/selinux, since that has been the default
for Linux 3.0 and later?

Also, refpolicy-update-for_systemd.patch seems suspect, given that
upstream refpolicy already includes systemd support (but you need to
build with SYSTEMD=y, which can be done now via POLICY_SYSTEMD=y in your
local.conf or elsewhere).  The only bit I see in that patch that isn't
already in refpolicy is
allow devpts device_t:filesystem associate;
which ought to be rewritten as
dev_associate(devpts_t)
and upstreamed to refpolicy terminal.te if needed.

I assume that is from creating the /dev/pts mount point and
automatically trying to label it according to file_contexts, but the
type in file_contexts is really for the devpts mount, not the mount point.




* Re: [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208.
  2016-03-22 19:43   ` Stephen Smalley
@ 2016-03-29  1:45     ` Philip Tricca
  0 siblings, 0 replies; 5+ messages in thread
From: Philip Tricca @ 2016-03-29  1:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: yocto

On 03/22/2016 12:43 PM, Stephen Smalley wrote:
> On 03/21/2016 12:26 AM, Philip Tricca wrote:
>> This was mostly straightforward. Had to refresh a single patch:
>> poky-policy-fix-new-SELINUXMNT-in-sys.patch
> 
> Can we drop that one?  Doesn't upstream already include rules for the
> change from /selinux to /sys/fs/selinux, since that has been the default
> for Linux 3.0 and later?

I'm trying to make as few changes as possible with this, though you're
likely right. These are also marked as specific to Poky and I've been
testing only the minimal oe-selinux.conf. The patches aren't applied
using any logic that looks at the distro so I'm not even sure how
specific they are to poky even.

> Also, refpolicy-update-for_systemd.patch seems suspect, given that
> upstream refpolicy already includes systemd support (but you need to
> build with SYSTEMD=y, which can be done now via POLICY_SYSTEMD=y in your
> local.conf or elsewhere).  The only bit I see in that patch that isn't
> already in refpolicy is
> allow devpts device_t:filesystem associate;
> which ought to be rewritten as
> dev_associate(devpts_t)
> and upstreamed to refpolicy terminal.te if needed.
> 
> I assume that is from creating the /dev/pts mount point and
> automatically trying to label it according to file_contexts, but the
> type in file_contexts is really for the devpts mount, not the mount point.

Long story short, it looks like these patch queues need a scrub. This is
useful information though to get the task started. I'll merge this as it
is and take on the patch scrub next.

Philip

