-rw-r--r--README16
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch20
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch75
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch20
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch38
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch21
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch62
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch185
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch60
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch259
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch)51
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch)17
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch)11
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch)49
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch)34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch)39
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch)9
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch)22
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch)33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch)25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch)34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch)13
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch)35
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch)58
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch)69
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch)60
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch)96
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch (renamed from recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch)16
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch (renamed from recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch53
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch68
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch54
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch121
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch96
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch103
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch)25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch110
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch70
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch)20
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch76
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch)71
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch)60
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch)96
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch (renamed from recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch)23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch (renamed from recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch)53
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch19
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch15
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch50
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch12
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch19
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch88
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch81
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch22
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch253
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch47
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb)39
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_git.bb22
-rw-r--r--recipes-security/refpolicy/refpolicy-mls_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-mls_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-standard_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-standard_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch222
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch222
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb29
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb35
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_git.bb22
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20170204.inc58
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20190201.inc7
-rw-r--r--recipes-security/refpolicy/refpolicy_common.inc48
-rw-r--r--recipes-security/refpolicy/refpolicy_git.inc55
156 files changed, 3145 insertions, 3748 deletions
diff --git a/README b/README
index 806d9c3..20e94ca 100644
--- a/README
+++ b/README
@@ -16,20 +16,8 @@ of this layer, as well as instructions for submitting patches.
Dependencies
------------
-This layer depends on the openembedded-core metadata.
-
-This layer also optionally depends on the following layers:
-
-URI: git://github.com/openembedded/meta-oe.git
-branch: master
-revision: HEAD
-layers: meta-oe
- meta-networking
- meta-python
-
-URI: git://git.yoctoproject.org/meta-virtualization
-branch: master
-revision: HEAD
+This layer depends on the openembedded-core metadata and the meta-python and
+meta-oe layers from the meta-openembedded repository.
Maintenance
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
deleted file mode 100644
index b2102af..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
-
- /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
-
- /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
- /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
deleted file mode 100644
index 3739059..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
- /sbin -d gen_context(system_u:object_r:bin_t,s0)
- /sbin/.* gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- #
- # /opt
- #
- /opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
deleted file mode 100644
index 2a567da..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
-
- /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-
- /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index dfb7544..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.fc | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,21 @@
-
- /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
-
- /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-
- /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 9819c1d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/usermanage.fc | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
- /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
- ')
-
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
- /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
-
- /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
deleted file mode 100644
index 66bef0f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
- policy/modules/system/fstools.fc | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
- /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -83,10 +89,11 @@
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index d58de6a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/ftp.fc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -10,11 +10,11 @@
- /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
- /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
- /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
-
--/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
deleted file mode 100644
index 9e1196a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -14,10 +14,11 @@
- /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
- /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
deleted file mode 100644
index 5d2b0cf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/mta.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
- /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
- /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
deleted file mode 100644
index b41e6e4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
- /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
- /usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
deleted file mode 100644
index 0adf7c2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/nscd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,8 +1,9 @@
- /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-
- /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-
- /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
deleted file mode 100644
index 9de7532..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpm.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
- /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
- /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
deleted file mode 100644
index 8ea210e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/screen.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
-
- /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
- /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
deleted file mode 100644
index e3d156e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,6 +1,7 @@
-
- /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
deleted file mode 100644
index c5fdc51..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,17 @@
-
- # backward compatibility
- # not for refpolicy intern, but for /var/run using applications,
- # like systemd tmpfiles or systemd socket configurations
- /var/run /run
-+
-+# Yocto compatibility
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
deleted file mode 100644
index fa369ca..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
- #
- # /bin
- #
- /bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
- # /dev
- #
- ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
- /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
- # /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
deleted file mode 100644
index 8e2cb1b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -8,10 +8,11 @@
-
- /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- ifdef(`distro_debian',`
- /bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
- ifdef(`distro_redhat',`
- /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-
- /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
deleted file mode 100644
index e0fdba1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Mark Hatle <mark.hatle@windriver.com>
-Date: Thu, 14 Sep 2017 15:02:23 -0500
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
----
- policy/modules/system/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-Index: refpolicy/policy/modules/kernel/corecommands.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/corecommands.fc
-+++ refpolicy/policy/modules/kernel/corecommands.fc
-@@ -6,6 +6,7 @@
- /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index 038cb1f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/hostname.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
-
- /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-
- /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index e9a0464..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 3 +++
- policy/modules/system/logging.te | 2 ++
- 2 files changed, 5 insertions(+)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
- /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
- /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
- /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index d8c1642..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
- policy/modules/system/init.fc | 1 +
- 3 files changed, 3 insertions(+)
-
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
- /etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-
- /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
- /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
-
- #
- # /sbin
- #
- /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
- ifdef(`distro_gentoo', `
- /sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index e90aab5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
- files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
deleted file mode 100644
index fb912b5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/apache.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-
- manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
-
- allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index 2e8e1f2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -278,10 +278,11 @@ optional_policy(`
-
- allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index a7161d5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 14 +++++++++++++-
- policy/modules/system/logging.te | 1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
-
- /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
- ## </param>
- ## <rolecap/>
- #
- interface(`logging_read_audit_log',`
- gen_require(`
-- type auditd_log_t;
-+ type auditd_log_t, var_log_t;
- ')
-
- files_search_var($1)
- read_files_pattern($1, auditd_log_t, auditd_log_t)
- allow $1 auditd_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ## <summary>
- ## Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir search_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
- ## <rolecap/>
- #
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
- ########################################
- ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
- # cjp: not sure why this is needed. This was added
- # because of logrotate.
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
- ########################################
- ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- write_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- rw_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
- type var_log_t;
- ')
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ## <summary>
- ## All of the rules required to administrate
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
-
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index ca2796f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te | 2 +-
- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
-
- kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
- corenet_udp_bind_nfs_port(nfsd_t)
-
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
- allow $1 proc_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
-+## Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index d28bde0..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
- files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index 8443e31..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- policy/modules/admin/dmesg.te | 2 ++
- 2 files changed, 3 insertions(+)
-
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
- type dmesg_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
-
- dev_read_sysfs(dmesg_t)
-
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
-
- term_dontaudit_use_console(dmesg_t)
-
- domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 58903ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
- interface(`selinux_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+ # access sysfs
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- allow $1 security_t:filesystem getattr;
-
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
- interface(`selinux_dontaudit_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- dontaudit $1 security_t:filesystem getattr;
-
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
- interface(`selinux_mount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem mount;
- ')
-
- ########################################
- ## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
- interface(`selinux_remount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem remount;
- ')
-
- ########################################
- ## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
- interface(`selinux_unmount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
- interface(`selinux_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem getattr;
-
- dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- ')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
- interface(`selinux_dontaudit_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:filesystem getattr;
-
- dev_dontaudit_getattr_sysfs($1)
- dev_dontaudit_search_sysfs($1)
- ')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
- interface(`selinux_dontaudit_getattr_dir',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir getattr;
- ')
-
- ########################################
- ## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
- interface(`selinux_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
- interface(`selinux_dontaudit_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
- interface(`selinux_dontaudit_read_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-
- ########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
- interface(`selinux_get_enforce_mode',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- ')
-
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
- interface(`selinux_read_policy',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- allow $1 security_t:security read_policy;
- ')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
- type security_t, secure_mode_policyload_t;
- attribute boolean_type;
- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
- interface(`selinux_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security check_context;
- ')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
- interface(`selinux_dontaudit_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
- dontaudit $1 security_t:security check_context;
- ')
-
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
- interface(`selinux_compute_access_vector',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_av;
- ')
-@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
- interface(`selinux_compute_user_contexts',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_user;
- ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 1cfd80b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
-
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
-
- mls_file_read_all_levels(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100644
index 0000000..2692ffa
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+
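Review bot: The order of the new subs lines deserves a comment, because libselinux appears to walk subs_dist entries last-listed-first and stop at the first prefix match, so `/var/volatile/run/lock /var/lock` only takes precedence over `/var/volatile/run /var/run` because it is listed after it. I would add above the block: `# keep /var/volatile/run/lock after /var/volatile/run: subs entries are matched last-listed-first`. Substitution also appears to be applied once per lookup, so `/var/volatile/run/foo` becomes `/var/run/foo` and is not rewritten again by the existing `/var/run /run` line above it; if this refpolicy only labels `/run` paths, mapping `/var/volatile/run` straight to `/run` may be required — worth confirming against the libselinux version in use.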
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
index 3f6a5c8..62e7da1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
@@ -1,34 +1,34 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
+Subject: [PATCH] fix update-alternatives for sysvinit
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
- policy/modules/system/init.fc | 1 +
+ policy/modules/admin/shutdown.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/system/init.fc | 1 +
3 files changed, 3 insertions(+)
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -3,7 +3,8 @@
- /usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 03a2230c..2ba049ff 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index cf3848db..86920167 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -144,10 +144,11 @@ ifdef(`distro_gentoo',`
- /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
/usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
@@ -36,19 +36,18 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce93..93e9d2b4 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -40,10 +40,11 @@ ifdef(`distro_gentoo', `
-
- /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
+ # /usr
+ #
+ /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
- ifdef(`distro_gentoo', `
- /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
+ /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+--
+2.19.1
+
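Review bot: The rebased init.fc hunk adds `/usr/sbin/init\.sysvinit` while every surrounding context line now uses `/usr/bin/...` (`/usr/bin/init(ng)?`, `/usr/bin/open_init_pty`, `/usr/bin/systemd`), so the new entry is inconsistent with the refpolicy 2.20190201 layout it was rebased onto. If this refpolicy aliases `/usr/sbin` to `/usr/bin` in file_contexts.subs_dist the label will still be found, but that is an inference; confirm where Poky installs the sysvinit alternative and whether `/usr/bin/init\.sysvinit` (or both spellings) is needed. The shutdown.fc hunk earlier in this file keeps `/usr/sbin/shutdown` in its context, so that entry is consistent as written.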
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index 23bc397..f92ddb8 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -1,7 +1,7 @@
-From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001
+From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:44 +0530
-Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
allow rules
add allow rules for audit.log file & resolve dependent avc denials.
@@ -22,16 +22,17 @@ volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 3 +++
policy/modules/system/logging.te | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea..84eaf77 100644
+index 6d3c4284..423db0cc 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -139,3 +139,6 @@ optional_policy(`
+@@ -129,3 +129,6 @@ optional_policy(`
optional_policy(`
udev_read_db(getty_t)
')
@@ -39,10 +40,10 @@ index f6743ea..84eaf77 100644
+allow getty_t tmpfs_t:dir search;
+allow getty_t tmpfs_t:file { open write lock };
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b18aad..fdf86ef 100644
+index 63e92a8e..8ab46925 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
@@ -50,7 +51,7 @@ index 9b18aad..fdf86ef 100644
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
-@@ -569,3 +570,10 @@ optional_policy(`
+@@ -620,3 +621,10 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -63,5 +64,5 @@ index 9b18aad..fdf86ef 100644
+allow klogd_t initrc_t:unix_dgram_socket sendto;
\ No newline at end of file
--
-1.9.1
+2.19.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100644
index 0000000..a963751
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+--
+2.19.1
+
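Review bot: The new patch header has no `Upstream-Status:` line, unlike the sibling 0001 patch in this commit (`Upstream-Status: Pending`) and the other patches in this tree, and OE patch tooling expects one; add `Upstream-Status: Pending` (or `Inappropriate [only for Poky]`) after the description. The busybox aliases also rely on substitution being single-pass: `/usr/lib/busybox/bin/sh` is rewritten to `/bin/sh` and will not be chained through any `/bin /usr/bin` alias the base refpolicy may define, so confirm that `/bin` and `/sbin` paths are labelled directly in this policy rather than themselves being aliases of `/usr/bin`. The trailing empty `+` line before the `--` terminator adds a blank line at the end of subs_dist and can be dropped.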
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
index 3623215..37423ec 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -1,7 +1,7 @@
-From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001
+From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:46 +0530
-Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
local_login_t
add allow rules for locallogin module avc denials.
@@ -26,15 +26,16 @@ type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/locallogin.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 53923f8..09ec33f 100644
+index 4c679ff3..75750e4c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -274,3 +274,13 @@ optional_policy(`
+@@ -288,3 +288,13 @@ optional_policy(`
optional_policy(`
nscd_use(sulogin_t)
')
@@ -49,5 +50,5 @@ index 53923f8..09ec33f 100644
+allow local_login_t tmpfs_t:dir { add_name write search};
+allow local_login_t tmpfs_t:file { create open read write lock };
--
-1.9.1
+2.19.1
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
index 737c0a2..ad94252 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -1,33 +1,33 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
+From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
+Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
+rule for syslogd_t to read syslog_conf_t lnk_file is needed.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.fc | 4 ++++
- policy/modules/system/logging.te | 1 +
- 2 files changed, 5 insertions(+)
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 1 +
+ 2 files changed, 4 insertions(+)
-Index: refpolicy/policy/modules/system/logging.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.fc
-+++ refpolicy/policy/modules/system/logging.fc
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 6693d87b..0cf108e0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
@@ -2,6 +2,7 @@
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
-@@ -30,10 +31,12 @@
+ /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+@@ -32,10 +33,12 @@
/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
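Review bot: The rebased spec `/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)` carries no file-type field while the neighbouring upstream entries now say `--`, so it labels every object class at that path rather than just the regular file; write it as `/etc/syslog\.conf\.sysklogd -- gen_context(system_u:object_r:syslog_conf_t,s0)`. Separately, the 2.20190201 base changed its own entry to `/etc/syslog\.conf -- ...`, so the `/etc/syslog.conf` symlink the description relies on is, as far as this hunk shows, no longer matched and would fall back to the /etc default, leaving the lnk_file allow this patch adds in logging.te with nothing labelled syslog_conf_t to apply to. Unless another spec covers the link, add `/etc/syslog\.conf -l gen_context(system_u:object_r:syslog_conf_t,s0)` alongside it. The logging.te half of the patch continues in the following hunks.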
@@ -40,11 +40,11 @@ Index: refpolicy/policy/modules/system/logging.fc
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-Index: refpolicy/policy/modules/system/logging.te
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.te
-+++ refpolicy/policy/modules/system/logging.te
-@@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index adc628f8..07ed546d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -52,3 +52,6 @@ Index: refpolicy/policy/modules/system/logging.te
allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
index b5ca0f8..ed470e4 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -1,7 +1,7 @@
-From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
+From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
services allow rules
systemd allow rules for systemd service file operations: start, stop, restart
@@ -24,18 +24,19 @@ unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 6 +++++-
+ policy/modules/system/init.te | 4 +++
policy/modules/system/libraries.te | 3 +++
- policy/modules/system/systemd.if | 40 +++++++++++++++++++++++++++++++++++++
- policy/modules/system/unconfined.te | 6 ++++++
- 4 files changed, 54 insertions(+), 1 deletion(-)
+ policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te | 6 +++++
+ 4 files changed, 52 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d710fb0..f9d7114 100644
+index 8352428a..15745c83 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1114,3 +1114,7 @@ optional_policy(`
+@@ -1425,3 +1425,7 @@ optional_policy(`
allow kernel_t init_t:process dyntransition;
allow devpts_t device_t:filesystem associate;
allow init_t self:capability2 block_suspend;
@@ -44,10 +45,10 @@ index d710fb0..f9d7114 100644
+allow initrc_t init_t:system { start status };
+allow initrc_t init_var_run_t:service { start status };
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 0f5cd56..df98fe9 100644
+index 422b0ea1..80b0c9a5 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
-@@ -144,3 +144,6 @@ optional_policy(`
+@@ -145,3 +145,6 @@ optional_policy(`
optional_policy(`
unconfined_domain(ldconfig_t)
')
@@ -55,15 +56,14 @@ index 0f5cd56..df98fe9 100644
+# systemd: init domain to start lib domain service
+systemd_service_lib_function(lib_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 3cd6670..822c03d 100644
+index 8d2bb8da..8fc61843 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
+@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',`
- allow $1 power_unit_t:service start;
+ getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
-+
+########################################
+## <summary>
+## Allow specified domain to start stop reset systemd service
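Review bot: `systemd_service_lib_function(lib_t)` in libraries.te teaches the policy that the shared-library type `lib_t` is a legitimate unit target, because the AVCs quoted in the description show service operations against `tcontext=system_u:object_r:lib_t:s0 tclass=service`; the rebase carries that forward unchanged. That denial reads like a labelling gap rather than a missing permission — presumably the unit directory (/lib/systemd/system on a non-usrmerge Yocto image) falls through to the generic `/lib(/.*)?` spec — and the durable fix is a file_contexts entry mapping it to whatever unit type the 2.20190201 base gives `/usr/lib/systemd/system`, after which the lib_t service rules and the custom interface can be dropped. It is worth checking with `ls -Z /lib/systemd/system` on a built image before the next refresh. The interface body itself extends past this hunk.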
@@ -103,10 +103,10 @@ index 3cd6670..822c03d 100644
+
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 99cab31..87a1b03 100644
+index 12cc0d7c..c09e94a5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
@@ -117,5 +117,5 @@ index 99cab31..87a1b03 100644
+
+allow unconfined_t init_t:system reload;
--
-1.9.1
+2.19.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100644
index 0000000..77c6829
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.19.1
+
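Review bot: All three added specs use `--`, which matches regular files only, so any of these paths that is itself a symlink gets no label from this patch and keeps bin_t; the `.net-tools` and `.coreutils` names look like the real alternative targets, but `/usr/lib/busybox/bin/hostname` looks like an applet path and, if it is a link to the multicall busybox binary, a label on it would not influence the domain transition anyway, since that is decided by the label of the resolved executable. Confirm on a built image with `ls -lZ` which of the three are real files and say so in the description. As a nit, the new entries sit above the existing `/usr/bin/hostname` line with a blank line between them; keeping them adjacent and sorted matches the surrounding .fc files.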
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
index 35a8e1b..98b6156 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -1,7 +1,7 @@
-From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001
+From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:37 +0530
-Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
add allow rules
add allow rules for avc denails for systemd, mount, logging & authlogin
@@ -30,28 +30,29 @@ tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/authlogin.te | 2 ++
policy/modules/system/logging.te | 7 ++++++-
policy/modules/system/mount.te | 3 +++
- policy/modules/system/systemd.te | 6 ++++++
- 4 files changed, 17 insertions(+), 1 deletion(-)
+ policy/modules/system/systemd.te | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f80dfcb..5fab54a 100644
+index 345e07f3..39f860e0 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -464,3 +464,5 @@ optional_policy(`
+@@ -472,3 +472,5 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
+
+allow chkpwd_t proc_t:filesystem getattr;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index fdf86ef..107db03 100644
+index 8ab46925..520f7da6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
allow auditd_t initrc_t:unix_dgram_socket sendto;
@@ -64,10 +65,10 @@ index fdf86ef..107db03 100644
+allow syslogd_t self:shm { read unix_read unix_write write };
+allow syslogd_t tmpfs_t:file { read write };
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 1c2fc33..b699309 100644
+index 3dcb8493..a87d0e82 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -229,3 +229,6 @@ optional_policy(`
+@@ -231,3 +231,6 @@ optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
unconfined_domain(unconfined_mount_t)
')
@@ -75,19 +76,21 @@ index 1c2fc33..b699309 100644
+allow mount_t proc_t:filesystem getattr;
+allow mount_t initrc_t:udp_socket { read write };
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index fdb9fef..734d455 100644
+index a6f09dfd..68b80de3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
- files_relabel_non_security_dirs(systemd_tmpfiles_t)
- files_relabel_non_security_files(systemd_tmpfiles_t)
- ')
-+
+@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
+allow systemd_tmpfiles_t init_t:dir search;
+allow systemd_tmpfiles_t proc_t:filesystem getattr;
+allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-+allow systemd_tmpfiles_t self:capability net_admin;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
--
-1.9.1
+2.19.1
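Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` duplicates what the upstream context line `kernel_getattr_proc(systemd_tmpfiles_t)` two lines below already grants, if that interface covers `proc_t:filesystem getattr` as its name suggests, so the raw rule can go now that the base has caught up. `allow systemd_tmpfiles_t init_t:file read;` grants read but not open or getattr, so an open(2) on the file is still denied; patch 0007 later in this series widens it to `{ open getattr read }`, and since the patch is being regenerated anyway the fix belongs here, preferably as `allow systemd_tmpfiles_t init_t:file read_file_perms;` or the matching init interface. The refresh also quietly drops the former `allow systemd_tmpfiles_t self:capability net_admin;` — a welcome reduction in privilege, but the description still lists only the original AVCs, so add a sentence noting that net_admin is no longer needed against 2.20190201.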
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100644
index 0000000..60d585b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+--
+2.19.1
+
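Review bot: The added spec `/usr/bin/bash.bash` leaves the dot unescaped; .fc paths are regular expressions, so this also matches names like `/usr/bin/bashXbash`, and every other dotted path in this series (`/etc/syslog\.conf`, `/etc/resolv\.conf`) escapes it. Use `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)`. The subject and description talk about `/bin/bash.bash` while the spec lives under `/usr/bin`; presumably the /bin → /usr/bin aliasing in this layer handles that, but stating it in the description would spare the next reader the question.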
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
index c88f2b2..7d7908f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -1,4 +1,4 @@
-From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001
+From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:53 +0530
Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
@@ -16,15 +16,16 @@ initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index f9d7114..19a7a20 100644
+index 15745c83..d6a0270a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate;
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
allow init_t self:capability2 block_suspend;
allow init_t self:capability2 audit_read;
@@ -32,5 +33,5 @@ index f9d7114..19a7a20 100644
+allow initrc_t init_t:system { start status reboot };
allow initrc_t init_var_run_t:service { start status };
--
-1.9.1
+2.19.1
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index cd79f45..f318c23 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,24 +1,30 @@
-Subject: [PATCH] fix real path for resolv.conf
+From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/sysnetwork.fc | 1 +
+ policy/modules/system/sysnetwork.fc | 1 +
1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 1e5432a4..ac7c2dd1 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,10 +17,11 @@ ifdef(`distro_debian',`
- /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
+--
+2.19.1
+
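Review bot: The regenerated header now carries `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice — the retained trailer and the one added after the blank line — so drop the added duplicate. The spec itself, `/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)`, is now marked `Upstream-Status: Pending`, but recent refpolicy keys runtime paths on `/run` and treats /var/run as an alias (this layer ships a subs_dist patch for exactly that), so an upstream submission would more likely want `/run/resolv\.conf.*`; check how the 2.20190201 base spells its other /run entries and follow it. The trailing `.*` matches `resolv.conf.bak`-style siblings as well, which mirrors the existing `/etc` entry, so that part is consistent.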
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
new file mode 100644
index 0000000..4f7d916
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf | 9 +++++++++
+ policy/modules/system/mount.te | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 68b80de3..a1ef6990 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+--
+2.19.1
+
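Review bot: Flipping `gen_tunable(allow_mount_anyfile, true)` lets mount_t mount on any directory or file system-wide, whereas the only denial quoted is mount_t mounton `initrc_var_run_t:dir` for /run/media, and the description itself names the targeted rule `allow mount_t initrc_var_run_t:dir mounton;` that clears it; prefer that rule (or the corresponding init interface, if the base provides one) and leave the tunable off by default. The case for `systemd_tmpfiles_manage_all` is thinner still: the quoted AVC is a `search` on a `sysctl_t` dir, which a manage-all-non-security-files tunable does not address, and the rebased base already calls `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` (visible as upstream context in the refreshed 0004 patch), so re-check whether this boolean is needed at all before shipping it on. Setting the same values both in the new `policy/booleans.conf` and in the `gen_tunable` lines is also redundant; the description explains the conf file is a build-time template, but once the .te defaults are changed it carries no information and the two can drift.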
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
index 49f4960..8c71c90 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,25 +1,27 @@
-Subject: [PATCH] fix real path for login commands.
+From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
Upstream-Status: Inappropriate [only for Poky]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/authlogin.fc | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
+ policy/modules/system/authlogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -3,10 +3,12 @@
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -5,6 +5,7 @@
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/bin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
- /usr/bin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
index 2dd90fe..27cbc9f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -1,4 +1,4 @@
-From 5a1cef9e4a9472982f6c68190f3aa20c73c8de1e Mon Sep 17 00:00:00 2001
+From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:09 +0530
Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
@@ -38,28 +38,29 @@ See 'systemctl status avahi-daemon.service' for details.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 5 +++++
+ policy/modules/system/init.te | 2 ++
policy/modules/system/locallogin.te | 3 +++
policy/modules/system/systemd.if | 6 ++++--
- policy/modules/system/systemd.te | 3 ++-
- 4 files changed, 14 insertions(+), 3 deletions(-)
+ policy/modules/system/systemd.te | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 19a7a20..cefa59d 100644
+index d6a0270a..035c7ad2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1105,3 +1105,5 @@ allow init_t self:capability2 audit_read;
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
allow initrc_t init_t:system { start status reboot };
allow initrc_t init_var_run_t:service { start status };
+
+allow initrc_t init_var_run_t:service stop;
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 09ec33f..be25c82 100644
+index 75750e4c..2c2cfc7d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock};
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
allow local_login_t var_run_t:sock_file write;
allow local_login_t tmpfs_t:dir { add_name write search};
allow local_login_t tmpfs_t:file { create open read write lock };
@@ -67,10 +68,10 @@ index 09ec33f..be25c82 100644
+allow local_login_t initrc_t:dbus send_msg;
+allow initrc_t local_login_t:dbus send_msg;
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 822c03d..8723527 100644
+index 8fc61843..1166505f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',`
+@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
#
interface(`systemd_service_lib_function',`
gen_require(`
@@ -85,18 +86,18 @@ index 822c03d..8723527 100644
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 70ccb0e..22021eb 100644
+index a1ef6990..a62c3c38 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
allow systemd_tmpfiles_t init_t:dir search;
allow systemd_tmpfiles_t proc_t:filesystem getattr;
-allow systemd_tmpfiles_t init_t:file read;
- allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
- allow systemd_tmpfiles_t self:capability net_admin;
-+
+allow systemd_tmpfiles_t init_t:file { open getattr read };
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
+ kernel_getattr_proc(systemd_tmpfiles_t)
--
-1.9.1
+2.19.1
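Review bot: The widened rule `allow systemd_tmpfiles_t init_t:file { open getattr read };` spells out by hand a subset of refpolicy's `read_file_perms` (which also covers `lock` and `ioctl`), and the series already uses that macro elsewhere (`allow syslogd_t syslog_conf_t:file read_file_perms;`); prefer `allow systemd_tmpfiles_t init_t:file read_file_perms;` or, better, the init module's interface for reading init's state so the permission set tracks upstream. Since the narrower `read` came from the 0004 patch in this same series, folding the correction into that patch would let this hunk disappear entirely.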
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
index 3218c88..7a9f3f2 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
@@ -1,19 +1,21 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
+From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:58:53 -0400
+Subject: [PATCH 08/34] fc/bind: fix real path for bind
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/bind.fc | 2 ++
+ policy/modules/services/bind.fc | 2 ++
1 file changed, 2 insertions(+)
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,10 +1,12 @@
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index b4879dc1..59498e25 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
index a7338e1..efe81a4 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -1,4 +1,4 @@
-From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001
+From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:17 +0530
Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
@@ -31,17 +31,18 @@ See 'systemctl status systemd-tmpfiles-setup.service' for details.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
- policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++
- policy/modules/system/systemd.te | 3 +++
- 3 files changed, 45 insertions(+)
+ policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te | 2 ++
+ 3 files changed, 42 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 1cedea2..4ea7d55 100644
+index eb067ad3..ff74f55a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -65,14 +66,13 @@ index 1cedea2..4ea7d55 100644
+ allow $1 tmp_t:lnk_file getattr;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index f1130d1..4604441 100644
+index 1ad282aa..342eb033 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
-@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
- typeattribute $1 kern_unconfined;
- kernel_load_module($1)
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
')
-+
+
+########################################
+## <summary>
+## systemd tmp files access to kernel sysctl domain
@@ -94,18 +94,16 @@ index f1130d1..4604441 100644
+ allow $1 sysctl_kernel_t:file { open read };
+
+')
-+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 22021eb..8813664 100644
+index a62c3c38..9b696823 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
- allow systemd_tmpfiles_t self:capability net_admin;
+@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+
+ kernel_read_system_state(systemd_update_done_t)
- allow systemd_tmpfiles_t init_t:file { open getattr read };
-+
+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
--
-1.9.1
+2.19.1
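Review bot: The two `systemd_service_allow_*(systemd_tmpfiles_t)` calls that survive on the new side of the systemd.te hunk are now anchored after `kernel_read_system_state(systemd_update_done_t)` at line 1121, i.e. inside the systemd_update_done_t section, although they grant permissions to systemd_tmpfiles_t; refpolicy keeps a domain's rules under that domain's own section, so the rebase is the moment to move them next to the other systemd_tmpfiles_t rules. As far as the visible lines go, the kernel.if interface in the preceding hunk reduces to `allow $1 sysctl_kernel_t:file { open read };`, which the stock `kernel_read_kernel_sysctls($1)` already provides together with the directory search it needs, and the files.if one to `allow $1 tmp_t:lnk_file getattr;`, which is close to `files_read_generic_tmp_symlinks($1)`. If the rest of those interface bodies (outside this view) adds nothing else, both custom interfaces could be dropped in favour of the upstream ones, which also removes the `systemd_service_` prefix that does not follow the `kernel_`/`files_` naming of the modules they are defined in. The enclosing interface definitions start and end outside the hunks shown.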
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
new file mode 100644
index 0000000..6039f49
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+
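Review bot: Every new clock.fc entry (`hwclock\.util-linux`, `/usr/lib/busybox/sbin/hwclock`, `/sbin/hwclock`) carries the `--` qualifier, which matches regular files only; if on a Poky image these paths are update-alternatives or busybox applet symlinks rather than the real binaries, the lines match nothing and the domain transition is decided by the label of whatever the symlink resolves to (for busybox, one multiplexer binary, which cannot carry hwclock_exec_t and every other applet's exec type at once). That is worth verifying on a built image with `matchpathcon`/`ls -Z` before relying on it, and the same question applies to the busybox paths added in the dmesg, sysnetwork and fstools patches below. Two smaller points: `/usr/sbin/hwclock` is removed and re-added unchanged, which is diff noise unless the new line differs only in whitespace, and `/sbin/hwclock` is redundant wherever file_contexts.subs_dist maps `/sbin` to `/usr/sbin`. The commit body is empty; one sentence naming which recipe installs the `.util-linux` and busybox paths would let a later reader tell why each line is needed.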
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
index b01947d..f67221a 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -1,4 +1,4 @@
-From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001
+From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:29 +0530
Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
@@ -39,25 +39,26 @@ syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 1 +
policy/modules/system/logging.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 84eaf77..2e53daf 100644
+index 423db0cc..9ab03956 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -142,3 +142,4 @@ optional_policy(`
+@@ -132,3 +132,4 @@ optional_policy(`
allow getty_t tmpfs_t:dir search;
allow getty_t tmpfs_t:file { open write lock };
+allow getty_t initrc_t:unix_dgram_socket sendto;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 107db03..95de86d 100644
+index 520f7da6..4e02dab8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
allow syslogd_t self:shm create;
allow syslogd_t self:sem { create read unix_write write };
allow syslogd_t self:shm { read unix_read unix_write write };
@@ -65,5 +66,5 @@ index 107db03..95de86d 100644
+allow syslogd_t tmpfs_t:file { read write create getattr append open };
+allow syslogd_t tmpfs_t:dir { search write add_name };
--
-1.9.1
+2.19.1
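Review bot: The rules carried through the rebased hunk, `allow syslogd_t tmpfs_t:file { read write create getattr append open };` and `allow syslogd_t tmpfs_t:dir { search write add_name };`, are raw allow rules on a type owned by the filesystem module; refpolicy style is to call the owning module's interface (`fs_manage_tmpfs_files(syslogd_t)` and `fs_manage_tmpfs_dirs(syslogd_t)`, or the narrower `fs_rw_tmpfs_files` if create is not actually needed) so the grant is visible where the type is defined and survives a type rename. The rebase to 2.20190201 is the natural point to convert them, and the getty_t rules in the previous hunk are raw allows in the same way. The logging.te hunk these lines belong to begins outside this view.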
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100644
index 0000000..dc715c4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
index f01e5aa..09576fa 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,18 +1,20 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
+From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/services/ssh.fc | 1 +
+ policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 4ac3e733..1f453091 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
-@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste
-
- /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
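Review bot: `Upstream-Status: Inappropriate [configuration]` becomes `Upstream-Status: Pending` here, and the same flip appears in the sysnetwork, su and fstools patches further down; Pending states the change is meant to be sent to refpolicy, yet the paths this series labels (`.util-linux`, `.net-tools`, `.shadow` suffixes and `/usr/lib/busybox/...`) are Yocto update-alternatives and busybox layout rather than something an upstream distribution ships, so either keep `Inappropriate [configuration]` or say in the body what is intended to go upstream. Dropping `Signed-off-by: Xin Ouyang` while the diffstat stays `policy/modules/services/ssh.fc | 1 +` reads as a rewrite rather than a rebase; if the one inserted line is still the original author's, the sign-off should stay. The inserted fc line itself falls between the two hunks and is not visible here.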
@@ -20,5 +22,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-
- /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
index 88c8c45..f02bd3a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -1,37 +1,48 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
+From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
+Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/sysnetwork.fc | 3 +++
- 1 file changed, 3 insertions(+)
+ policy/modules/system/sysnetwork.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index ac7c2dd1..4e441503 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -54,17 +54,20 @@ ifdef(`distro_redhat',`
- /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++#
++# /usr/lib/busybox
++#
++/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
#
# /var
+ #
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100644
index 0000000..495b82f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 009d821a..cc438609 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+--
+2.19.1
+
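Review bot: The new udev.fc entry `/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)` comes with an empty commit body; nothing in the patch says which udev implementation on this image places udevadm under /usr/libexec or why the existing udev.fc entries do not already cover it. A one-line body such as `udevadm is installed as /usr/libexec/udevadm by <recipe name> on this image, so label it like the other udev binaries` would make the reason checkable at the next refpolicy rebase.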
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..6ffabe4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
+From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/rpm.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 578d465c..f2b8003a 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
+ /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+ ifdef(`enable_mls',`
+-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
++
+--
+2.19.1
+
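Review bot: `/usr/bin/cpio.cpio` on the new side has an unescaped `.`; fc paths are regular expressions, so this also matches `/usr/bin/cpioXcpio` for any X, and it is inconsistent with the rest of the series, which writes `su\.shadow`, `hwclock\.util-linux` and so on (the following su patch exists partly to fix exactly this). It should read `/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The trailing `++` after `')` adds a blank line the ifdef block does not need, and as with the other alternatives patches the body does not say which package provides `cpio.cpio`.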
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
index 41c32df..c0fbb69 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,20 +1,26 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
+From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
+Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/admin/su.fc | 2 ++
+ policy/modules/admin/su.fc | 2 ++
1 file changed, 2 insertions(+)
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c969..435a6892 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,4 @@
+@@ -1,3 +1,5 @@
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+2.19.1
+
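Review bot: Besides adding `su\.util-linux`, the new side changes `su.shadow` to `su\.shadow`, which is a behaviour change (the old pattern matched any character at that position) that neither the subject nor the body mentions; a line like `also escape the dot in su.shadow so the pattern matches only that file` in the body would keep the fix from looking accidental. The same silent correction happens in the fstools patch below, where `blkid/.util-linux`, `fdisk/.util-linux`, `hdparm/.util-linux`, `mkswap/.util-linux` and `swapoff/.util-linux` become `\.util-linux`; the old spelling could never have matched a real path, so that patch's body should say the previous version was a no-op for those entries.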
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
index d887e96..34e9830 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,55 +1,47 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
+From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
+Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/fstools.fc | 7 +++++++
- 1 file changed, 7 insertions(+)
+ policy/modules/system/fstools.fc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 8fbd5ce4..d719e22c 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
-@@ -55,10 +55,11 @@
- /usr/bin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
+@@ -58,6 +58,7 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -68,14 +69,16 @@
- /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +73,12 @@
/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -84,21 +87,24 @@
- /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -88,17 +91,20 @@
/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -62,9 +54,23 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -108,6 +114,12 @@
+ /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
+ /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
+
+ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
index dc623d3..8455c08 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -1,7 +1,8 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
+ object
We add the syslogd_t to trusted object, because other process need
to have the right to connectto/sendto /dev/log.
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.te | 1 +
+ policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 07ed546d..a7b69932 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo
-
- fs_getattr_all_fs(syslogd_t)
+@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
term_write_console(syslogd_t)
# Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
-
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100644
index 0000000..b253f84
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
+From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 6 ++++++
+ policy/modules/system/logging.te | 2 ++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0cf108e0..5bec7e99 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 16091eb6..e83cb5b5 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, logfile, logfile)
+ ')
+
+@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ can_exec($1, logfile)
+ ')
+
+@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index a7b69932..fa5664b0 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+--
+2.19.1
+
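Review bot: The lnk_file read on var_log_t is added to four interfaces (`logging_read_all_logs`, `logging_exec_all_logs`, `logging_read_generic_logs`, `logging_manage_generic_logs`), but the body says the symlink must be readable during search/list/delete as well; callers that reach /var/log through other logging.if interfaces such as `logging_search_logs` or `logging_list_logs`, which this patch does not touch, would still be denied on the new `/var/log -l` entry. Either extend those in the same patch or state in the body why only these four were needed. `type var_log_t;` is added to the gen_require of the first two interfaces only; the read_generic/manage_generic hunks presumably already require var_log_t outside the visible context, which is worth confirming since a missing require only shows up at module build time.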
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100644
index 0000000..588c5c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
+From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 10:33:18 -0400
+Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
+ /var/log
+
+We have added rules for the symlink of /var/log in logging.if, while
+syslogd_t uses /var/log but does not use the interfaces in logging.if. So
+still need add a individual rule for syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fa5664b0..63e92a8e 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
+
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+--
+2.19.1
+
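Review bot: `From: Joe MacDonald` with a 2019 date, but the first `Signed-off-by:` is Xin Ouyang; if the rule was split out of Xin Ouyang's original symlink patch the From:/Date: should carry the original author, otherwise the Xin Ouyang sign-off does not belong on a patch he did not author. The body also says syslogd_t "does not use the interfaces in logging.if" while the rule lands under `# Allow access for syslog-ng`; naming which program actually hit the denial (syslogd, syslog-ng, or both) would help the next rebase decide whether the rule still belongs there.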
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
index b828b7a..3d55476 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -1,7 +1,8 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
+ symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
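Review bot: The new subject reads `policy/module/logging: add domain rules for the subdir symlinks in /var/`, but the only file this patch touches is `policy/modules/kernel/domain.te` (see the diffstat in the next hunk); the prefix should be `policy/module/domain:` to match the convention used by the rest of the renumbered series. The three inserted domain.te lines are not visible in these hunks, so what every domain is granted cannot be checked here; since the grant goes to the `domain` attribute, the body's "read these" should name the exact permission set (lnk_file read only) so a reviewer can see it does not widen beyond symlink resolution.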
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/domain.te | 3 +++
+ policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 1a55e3d2..babb794f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
-@@ -108,10 +108,13 @@ dev_rw_zero(domain)
- term_use_controlling_term(domain)
-
+@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
- # listen function is called, so bad calls
- # to listen on UDP sockets should be silenced
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
index d3c1ee5..2546457 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -1,7 +1,7 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
+Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/files.fc | 1 +
- policy/modules/kernel/files.if | 8 ++++++++
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
2 files changed, 9 insertions(+)
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c3496c21..05b1734b 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
-@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>>
-
- #
+@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/tmp/.* <<none>>
/tmp/\.journal <<none>>
- /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /tmp/lost\+found/.* <<none>>
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f1c94411..eb067ad3 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',`
- gen_require(`
- type tmp_t;
+@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
')
allow $1 tmp_t:dir search_dir_perms;
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Do not audit attempts to search the tmp directory (/tmp).
-@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
- gen_require(`
- type tmp_t;
+@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
')
allow $1 tmp_t:dir list_dir_perms;
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Do not audit listing of the tmp directory (/tmp).
-@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
- gen_require(`
- type tmp_t;
+@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
')
allow $1 tmp_t:dir del_entry_dir_perms;
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read files in the tmp directory (/tmp).
-@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
- gen_require(`
- type tmp_t;
+@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
')
read_files_pattern($1, tmp_t, tmp_t)
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Manage temporary directories in /tmp.
-@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
- gen_require(`
- type tmp_t;
+@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
')
manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Manage temporary files and directories in /tmp.
-@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
- gen_require(`
- type tmp_t;
+@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
')
manage_files_pattern($1, tmp_t, tmp_t)
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read symbolic links in the tmp directory (/tmp).
-@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
- gen_require(`
- type tmp_t;
+@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Mount filesystems in the tmp directory (/tmp)
-@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
- gen_require(`
- type tmp_t;
+@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Delete the contents of /tmp.
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
index 7be7147..3281ae8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -1,21 +1,22 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
+From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
+Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
+ to complete pty devices.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/terminal.if | 16 ++++++++++++++++
+ policy/modules/kernel/terminal.if | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 61308843..a84787e6 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
- ## </param>
- #
+@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
interface(`term_dontaudit_getattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
## <summary>
- ## ioctl of generic pty devices.
- ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
- #
- # cjp: added for ppp
+@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
interface(`term_ioctl_generic_ptys',`
gen_require(`
type devpts_t;
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
- #
- # dwalsh: added for rhgb
+@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
interface(`term_setattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
- #
- # dwalsh: added for rhgb
+@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
interface(`term_dontaudit_setattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
- ## </param>
- #
+@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
interface(`term_use_generic_ptys',`
gen_require(`
type devpts_t;
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
- ## </param>
- #
+@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
interface(`term_dontaudit_use_generic_ptys',`
gen_require(`
type devpts_t;
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
#######################################
- ## <summary>
- ## Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
- ## </param>
- #
+@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
interface(`term_setattr_controlling_term',`
gen_require(`
type devtty_t;
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
- ## </param>
- #
+@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
#######################################
- ## <summary>
- ## Get the attributes of the pty multiplexor (/dev/ptmx).
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
index 346872a..887af46 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -1,7 +1,8 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
+From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
+Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
+ term_dontaudit_use_console.
We should also not audit terminal to rw tty_device_t and fds in
term_dontaudit_use_console.
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/terminal.if | 3 +++
+ policy/modules/kernel/terminal.if | 3 +++
1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index a84787e6..cf66da2f 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -297,13 +297,16 @@ interface(`term_use_console',`
- ## </param>
- #
+@@ -335,9 +335,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Set the attributes of the console
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..0188fa9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+--
+2.19.1
+
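Review bot: The Subject `policy/module/rpc: allow nfsd to exec shell commands.` does not describe the change: the only edit in the hunk is uncommenting `kernel_mounton_proc(nfsd_t)`, and nothing about shell execution is touched. The patch also has no body saying which denial this resolves, so a later reader cannot tell whether the mounton permission (in refpolicy, as far as I recall, an `allow ... proc_t:dir mounton` rule) is still required. Suggest retitling to something like `policy/module/rpc: allow nfsd to mount on proc` and adding one sentence with the AVC or the nfsd behaviour that motivated it.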
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
index 883daf8..b4befdd 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -1,58 +1,25 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
+From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
+Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
+ nfsd_fs_t.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/rpc.te | 5 +++++
- policy/modules/contrib/rpcbind.te | 5 +++++
- policy/modules/kernel/filesystem.te | 1 +
- policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/kernel/filesystem.te | 1 +
+ policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/services/rpc.te | 5 +++++
+ policy/modules/services/rpcbind.te | 5 +++++
4 files changed, 13 insertions(+)
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
-
- logging_send_syslog_msg(rpcbind_t)
-
- miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
- files_read_non_auth_files(nfsd_t)
- ')
-
- optional_policy(`
- mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
- ')
-
- ########################################
- #
- # GSSD local policy
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 1db0c652..bf1c0173 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
- allow mvfs_t self:filesystem associate;
- genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type nsfs_t;
- fs_type(nsfs_t)
- genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index e971c533..ad7c823a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
-
- mls_process_read_all_levels(kernel_t)
+@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
ifdef(`distro_redhat',`
# Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index d4209231..a2327b44 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
+
+ optional_policy(`
+ mount_exec(nfsd_t)
++ # Should domtrans to mount_t while mounting nfsd_fs_t.
++ mount_domtrans(nfsd_t)
++ # nfsd_t need to chdir to /var/lib/nfs and read files.
++ files_list_var(nfsd_t)
++ rpc_read_nfs_state_data(nfsd_t)
')
+
+ ########################################
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 5914af99..2055c114 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
+
+ miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--
+2.19.1
+
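Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` are broader than the comment above them suggests: they make rpcbind_t an MLS-trusted socket reader/writer for every level, not an nfsd_t-specific exception, so the comment should state that this is intended. The same comment has a typo, `because the are running in different level` → `because they are running at different levels`. In the rpc.te hunk, `files_list_var(nfsd_t)` and `rpc_read_nfs_state_data(nfsd_t)` sit inside the `optional_policy` block that also holds `mount_exec`/`mount_domtrans`, yet the comment says nfsd_t needs them to chdir to /var/lib/nfs and read files; if that need does not depend on the mount module being present, the two lines belong outside that block.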
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..94b7dd3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+ ')
+
+ allow $1 security_t:filesystem unmount;
++
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+ ')
+
+ dontaudit $1 security_t:dir getattr;
++ dev_dontaudit_getattr_sysfs($1)
++ dev_dontaudit_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_getattr_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+ bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir list_dir_perms;
+ dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 self:netlink_selinux_socket create_socket_perms;
+ allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+--
+2.19.1
+
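Review bot: In `selinux_unmount_fs` the new `dev_getattr_sysfs($1)` / `dev_search_sysfs($1)` lines are placed after `allow $1 security_t:filesystem unmount;`, while the `selinux_mount_fs` and `selinux_remount_fs` hunks put them before the allow rule; use one order (before the allow, matching the other two) so the three interfaces read alike. `selinux_dontaudit_read_fs` gains only `dev_dontaudit_getattr_sysfs($1)` although its body also dontaudits `security_t:dir search_dir_perms`, so a matching `dev_dontaudit_search_sysfs($1)` looks to be missing there — worth confirming against the denials this patch is meant to silence. The description could also spell out that reaching /sys/fs/selinux requires getattr/search on the sysfs directories above it, which is what the Subject implies. Since the move of SELINUXMNT into /sys is not Poky-specific, `Upstream-Status: Inappropriate [only for Poky]` may be worth revisiting.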
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
index a1fda13..c20dd5f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -1,7 +1,7 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
+From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
+Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
Upstream-Status: Pending
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/roles/sysadm.te | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/roles/sysadm.te | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index e411d4fd..f326d1d7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -1169,10 +1169,14 @@ optional_policy(`
- virt_admin(sysadm_t, sysadm_r)
- virt_stream_connect(sysadm_t)
+@@ -939,6 +939,7 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ rpcbind_admin(sysadm_t, sysadm_r)
')
- optional_policy(`
- vnstatd_admin(sysadm_t, sysadm_r)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
index fba7759..e0208aa 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -1,22 +1,23 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
+From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
+Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
+ config files
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/selinuxutil.if | 1 +
- policy/modules/system/userdomain.if | 4 ++++
+ policy/modules/system/selinuxutil.if | 1 +
+ policy/modules/system/userdomain.if | 4 ++++
2 files changed, 5 insertions(+)
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 20024993..0fdc8c10 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -753,10 +753,11 @@ interface(`seutil_manage_config',`
- gen_require(`
- type selinux_config_t;
+@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-
- #######################################
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 5221bd13..4cf987d1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
-@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
- logging_read_audit_log($1)
- logging_read_generic_logs($1)
+@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
seutil_run_checkpolicy($1, $2)
seutil_run_loadpolicy($1, $2)
seutil_run_semanage($1, $2)
- seutil_run_setfiles($1, $2)
-
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
new file mode 100644
index 0000000..e62c81e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+ file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index db6bb368..98fed2d0 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+
++fs_getattr_all_fs(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_cgroup(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
+--
+2.19.1
+
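Review bot: `fs_getattr_all_fs(setfiles_t)` appears to make the three lines that follow it (`fs_getattr_all_xattr_fs`, `fs_getattr_cgroup`, `fs_getattr_nfs`) redundant, assuming the usual refpolicy definition of the all-filesystem interface as getattr on every `filesystem_type`; either drop them in the same patch or add a comment saying they are kept deliberately. A short comment above the new line, such as `# setfiles calls statvfs() on every entry in /proc/mounts, so any fs type may be queried`, would tie the rule to the rationale given in the description.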
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
new file mode 100644
index 0000000..88c94c5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+ default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, dmesg_exec_t)
++ dev_read_kmsg($1)
+ ')
+--
+2.19.1
+
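Review bot: Adding `dev_read_kmsg($1)` to `dmesg_exec` grants every caller of that interface direct read access to /dev/kmsg (the kernel ring buffer), even though callers of an `_exec` interface run dmesg in their own domain and are not otherwise entitled to kernel log contents; a narrower option is to keep `dmesg_exec` exec-only and grant the kmsg read to the specific domains that run dmesg, or to have them use `dmesg_domtrans` so the permission stays on dmesg_t. Unlike the neighbouring patches in this series, this one has no `Upstream-Status:` line; add `Upstream-Status: Pending` (or `Inappropriate [only for Poky]` if that is the intent) between the Subject and the Signed-off-by trailers, plus a sentence on why Poky's dmesg reads /dev/kmsg directly.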
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
index 85c40a4..d002830 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -1,7 +1,8 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
+ mls_file_write_all_levels
Proftpd will create file under /var/run, but its mls is in high, and
can not write to lowlevel
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm
type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
- allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
+ allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
root@localhost:~#
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/ftp.te | 2 ++
+ policy/modules/services/ftp.te | 2 ++
1 file changed, 2 insertions(+)
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex
- role ftpdctl_roles types ftpdctl_t;
-
+diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
+index 29bc077c..d582cf80 100644
+--- a/policy/modules/services/ftp.te
++++ b/policy/modules/services/ftp.te
+@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
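Review bot: The AVC quoted at the top of this hunk shows ftpd_t at `s15:c0.c1023` adding a name in a var_run_t directory whose range is `s0-s15:c0.c1023`, i.e. a write that is within the target's range, so the narrower interface `mls_file_write_within_range(ftpd_t)` should satisfy it, whereas the subject says the rebased hunk uses `mls_file_write_all_levels(ftpd_t)`, which exempts a network-facing daemon from the MLS write-down constraint for every file level rather than just this directory. The sesearch output in the same hunk confirms the TE `add_name` rule already exists, so only the MLS constraint is in play here. The added policy line itself is not visible in this chunk (the inner context ends at `files_tmp_file(ftpdctl_tmp_t)`), so please confirm which interface is used; if refpolicy's ftp module has a runtime type for proftpd's pid/delay files, a file transition into it at s0 would avoid any MLS override at all.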
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
-
- type xferlog_t;
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
index 6eba356..37d180c 100644
--- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -1,7 +1,8 @@
-From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
+From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH] refpolicy: update for systemd related allow rules
+Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
+ rules
It provide, the systemd support related allow rules
@@ -10,14 +11,14 @@ Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 5 +++++
+ policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index eabba1ed..5da25cd6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre
- optional_policy(`
- userdom_dontaudit_search_user_home_dirs(systemprocess)
+@@ -1418,3 +1418,8 @@ optional_policy(`
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
userdom_dontaudit_write_user_tmp_files(systemprocess)
')
@@ -26,3 +27,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+allow kernel_t init_t:process dyntransition;
+allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;
+--
+2.19.1
+
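Review bot: The three allow rules closing this hunk (`allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;`, `allow init_t self:capability2 block_suspend;`) sit after the last `')` of init.te and are therefore unconditional, although the commit message describes them as systemd-specific; wrap them in the existing ``ifdef(`init_systemd', … ')`` block so a sysvinit build does not grant kernel_t a dynamic transition into init_t. They also reference kernel_t, devpts_t and device_t directly from init.te instead of through the owning modules' interfaces (`kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)` appear to be the refpolicy-conventional spellings), which upstream will expect for a patch marked Pending. These rules predate this rename, so this is a follow-up rather than a blocker for the rebase.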
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
index b33e84b..644c2cd 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,7 @@
-Subject: [PATCH] refpolicy: fix optional issue on sysadm module
+From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 5 Apr 2019 11:53:28 -0400
+Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
init and locallogin modules have a depend for sysadm module because
they have called sysadm interfaces(sysadm_shell_domtrans). Since
@@ -13,15 +16,15 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 14 ++++++++------
+ policy/modules/system/init.te | 16 +++++++++-------
policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 11 insertions(+), 7 deletions(-)
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 5da25cd6..8352428a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
-
- optional_policy(`
+@@ -446,13 +446,15 @@ ifdef(`init_systemd',`
modutils_domtrans(init_t)
')
',`
@@ -44,13 +47,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
')
')
-
- ifdef(`distro_debian',`
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index a56f3d1f..4c679ff3 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
- userdom_use_unpriv_users_fds(sulogin_t)
-
+@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -61,5 +62,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
# by default, sulogin does not use pam...
# sulogin_pam might need to be defined otherwise
- ifdef(`sulogin_pam', `
- selinux_get_fs_mount(sulogin_t)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
new file mode 100644
index 0000000..c374384
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -0,0 +1,33 @@
+From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
+ /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 15c4ea53..596370b1 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+--
+2.19.1
+
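Review bot: `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` references var_log_t directly from apache.te, which the commit message itself identifies as a logging.if concern; in a modular build this fails to compile without a `gen_require`, and in any build it bypasses the interface layer logging.if exists to provide. Since the message says a symlink rule was already added to logging.if, the conventional fix is to call that interface (presumably the one apache.te already uses to search /var/log, e.g. `logging_search_logs(httpd_t)`) and extend it upstream if it lacks lnk_file read, rather than open-coding the type here. The permission itself is harmless (reading a symlink), so this is about layering and upstreamability, not exposure.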
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100644
index 0000000..5e38b8c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+
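Review bot: The new aliases point at `/var/run` and `/var/lock`, which are themselves substitution sources in this file (`/var/run /run` is visible two lines above the insertion), but libselinux's subs lookup applies only the first matching entry and does not re-substitute the result, so `/var/volatile/run/foo` becomes `/var/run/foo` and then has to match an fc regex for `/var/run`, which refpolicy no longer carries for most daemons. Pointing the entries at the canonical targets — `/var/volatile/run /run`, `/var/volatile/lock /run/lock` and `/var/volatile/run/lock /run/lock` — avoids the missed match; the log, cache and tmp aliases are fine as written. Longer prefixes must stay listed after shorter ones, as they already are, because later entries are consulted first; verify the result with `matchpathcon /var/volatile/run/<something>` on the target.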
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
new file mode 100644
index 0000000..98d98d4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,53 @@
+From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/shutdown.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/system/init.fc | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 03a2230c..2ba049ff 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index cf3848db..86920167 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce93..93e9d2b4 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
+ # /usr
+ #
+ /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
new file mode 100644
index 0000000..3cc5395
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -0,0 +1,68 @@
+From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 6d3c4284..423db0cc 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -129,3 +129,6 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index e6221a02..4cc73327 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -620,3 +621,10 @@ optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+--
+2.19.1
+
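Review bot: `allow getty_t tmpfs_t:file { open write lock };` and the `auditd_t tmpfs_t` rules at the bottom of logging.te paper over a labeling problem rather than fix it: the AVC quoted in the message shows `/var/volatile/log/wtmp` carrying tmpfs_t, so the volatile tmpfs is mounted without its /var/log contexts, and the audit log presumably ends up tmpfs_t as well instead of auditd_log_t (which refpolicy labels mls_systemhigh). As written these rules let getty write any tmpfs_t file on the system and let auditd create files in any tmpfs_t directory, and they become dead once the tree is relabeled at boot (restorecon or a tmpfiles entry with the right context), which is the change I would expect instead. Minor: `search` is listed twice in the `auditd_t tmpfs_t:dir` rule, and the file is missing its trailing newline, which the next patch in the series has to fix up.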
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100644
index 0000000..22eab15
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+--
+2.19.1
+
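Review bot: `/usr/lib/busybox/bin /bin` and `/usr/lib/busybox/sbin /sbin` alias to `/bin` and `/sbin`, but the file-context specs elsewhere in this series are written against `/usr/bin` and `/usr/sbin`, and libselinux does not chain one substitution into another, so a busybox applet resolves to `/bin/<name>` and then finds no matching spec. The later hostname patch in this series having to add an explicit `/usr/lib/busybox/bin/hostname` entry is consistent with the alias not reaching the `/usr/bin` specs. Aliasing to the canonical paths — `/usr/lib/busybox/bin /usr/bin` and `/usr/lib/busybox/sbin /usr/sbin` — should make such explicit entries unnecessary; verify with matchpathcon on the target. The blank line before the patch footer is stray.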
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100644
index 0000000..e2c6c89
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,54 @@
+From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc: denied { read write open } for pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 4c679ff3..75750e4c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -288,3 +288,13 @@ optional_policy(`
+ optional_policy(`
+ nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
+--
+2.19.1
+
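Review bot: `allow local_login_t self:capability net_admin;` is not explained by any of the three AVCs in the commit message (lastlog open/lock and a syslog sendto), and CAP_NET_ADMIN is a broad capability for a login helper; please attach the denial that motivated it or drop it (a dontaudit is the usual answer when it comes from a harmless setsockopt probe). The `var_log_t:file { create lock open read write }` and `tmpfs_t:file { create open read write lock }` rules are likewise wider than the denials: the AVCs show `/var/volatile/log/lastlog` carrying var_log_t rather than lastlog_t, i.e. a labeling gap on the volatile tmpfs that the existing lastlog interface presumably covers once the file is labeled, whereas these rules let login create and rewrite any generic log file. The sendto/connectto rules toward initrc_t indicate journald's sockets are running as initrc_t, which is a systemd confinement gap worth a separate look.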
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
new file mode 100644
index 0000000..f194d6d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -0,0 +1,57 @@
+From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
+rule for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 6693d87b..0cf108e0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,6 +2,7 @@
+
+ /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+@@ -32,10 +33,12 @@
+ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 0c5be1cd..38ccfe3a 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ allow syslogd_t syslog_conf_t:dir list_dir_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+--
+2.19.1
+
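Review bot: The new logging.fc line `/etc/syslog\.conf\.sysklogd gen_context(...)` omits the `--` file-type field that every neighbouring plain-file entry uses (`/etc/syslog\.conf --`), so it would also label a directory or symlink of that name; `/etc/syslog\.conf\.sysklogd -- gen_context(system_u:object_r:syslog_conf_t,s0)` keeps it consistent. In logging.te, `read_lnk_file_perms` is the conventional permission set for a lnk_file rule rather than `read_file_perms`, though the effective permissions overlap. The `.sysklogd` alternatives for klogd/syslogd look right.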
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
new file mode 100644
index 0000000..968a9be
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,121 @@
+From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 4 +++
+ policy/modules/system/libraries.te | 3 +++
+ policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te | 6 +++++
+ 4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d8696580..e15ec4b9 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 6353ca69..4519a448 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
+
+ getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+ ')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++ class service { start status stop };
++ ')
++
++ allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++ class service start;
++ ')
++
++ allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+--
+2.19.1
+
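Review bot: Both new interfaces in systemd.if document their parameter as `Domain to not audit.`, copied from a dontaudit template, while they grant access; change both summaries to `Domain allowed access.` Substantively, the object type in `allow $1 lib_t:service { start status stop }` shows the unit file in the quoted AVC (`/lib/systemd/system/selinux-init.service`) is labeled lib_t rather than a systemd unit type, so the rule lets every caller of `systemd_service_file_operations` start or stop any lib_t-labeled unit, and both new rules go dead once the units are labeled correctly; fixing the unit-file context (refpolicy labels `/usr/lib/systemd/system(/.*)?` with its unit type, as far as I recall, and Yocto's `/lib` should reach it via the subs alias) is the fix I would expect instead. `systemd_service_lib_function` also inverts the usual interface shape by hard-coding initrc_t as the subject and taking the object type as `$1`, and `allow initrc_t init_var_run_t:service { start status }` in init.te has no matching denial in the message.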
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100644
index 0000000..36bfdcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100644
index 0000000..06b9192
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
+comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te | 7 ++++++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 28f74bac..dfa46612 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -479,3 +479,5 @@ optional_policy(`
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4cc73327..98c2bd19 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f6455f6f..b13337b9 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
+--
+2.19.1
+
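Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` duplicates the `kernel_getattr_proc(systemd_tmpfiles_t)` call visible four lines below it in the same hunk, and the same `proc_t:filesystem getattr` rule is open-coded again for chkpwd_t and mount_t where `kernel_getattr_proc(chkpwd_t)` / `kernel_getattr_proc(mount_t)` is the interface refpolicy provides. Likewise `allow systemd_tmpfiles_t init_t:dir search;` plus `init_t:file read` is for `/proc/1/environ`, which is init's process state; the init module has a read-state interface for that (`init_read_state`, as far as I recall), so prefer it over touching init_t directly from systemd.te. `allow mount_t initrc_t:udp_socket { read write };` grants mount use of a UDP socket it inherited from the init script by accident; the usual treatment for a leaked descriptor is a dontaudit, not an allow, since mount has no reason to talk on that socket. The syslogd self:shm/self:sem rules are fine as self rules.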
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100644
index 0000000..194a474
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+--
+2.19.1
+
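Review bot: The added entry `/usr/bin/bash.bash` leaves the dot unescaped, while every other alternatives entry in this series escapes it (`/usr/bin/login\.shadow`, `/usr/sbin/hwclock\.util-linux`, `/usr/bin/ssh\.openssh`); file-context paths are regular expressions, so a bare `.` matches any character. Change the line to `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)`. The subject and body speak of `/bin/bash.bash` while the entry sits under `/usr/bin`; presumably the `/bin` to `/usr/bin` path substitution covers that, but the message could say so.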
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
new file mode 100644
index 0000000..aec54cd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e15ec4b9..843fdcff 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
+--
+2.19.1
+
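Review bot: The widened rule `allow initrc_t init_t:system { start status reboot };` grants reboot authority to the whole initrc_t domain, i.e. everything run as an init script or service in it, not only the `systemctl --force reboot` invocation quoted in the message, and the hunk carries no comment saying why that breadth is intended. A one-line comment above the rule, e.g. `# systemctl run from init scripts must be able to request a reboot from systemd (refpolicy-minimum)`, would record the reasoning for the next person widening or narrowing it. If the rule is only needed with systemd as init, it is worth confirming whether the surrounding block in init.te is already guarded by the systemd condition, since the hunk shows no such guard.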
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index b90b744..d098118 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,24 +1,30 @@
-Subject: [PATCH] fix real path for resolv.conf
+From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/sysnetwork.fc | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 1e5432a4..ac7c2dd1 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
- /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
+--
+2.19.1
+
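Review bot: The rewritten header ends up with Joe MacDonald's sign-off twice: the kept `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` line and the identical line added two lines below it. Unless the renderer dropped an intervening line, the added duplicate should go, leaving the trailer block as `Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>` followed by a single `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>`. The relocated `/var/run/resolv\.conf.*` entry itself looks fine and keeps the escaping of the neighbouring entries.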
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
new file mode 100644
index 0000000..bf770d9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf | 9 +++++++++
+ policy/modules/system/mount.te | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b13337b9..74f9c1cb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+--
+2.19.1
+
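Review bot: Flipping `gen_tunable(allow_mount_anyfile, true)` and `gen_tunable(systemd_tmpfiles_manage_all, true)` changes the policy default for every build of this refpolicy rather than only the refpolicy-minimum configuration the message says it targets, and the new `policy/booleans.conf` sets the same two booleans again, so one of the two mechanisms is redundant. The message itself notes the quoted mount denial is satisfied by the single rule `allow mount_t initrc_var_run_t:dir mounton;`, which is far narrower than letting mount_t mount on any directory or file; the same question applies to the tmpfiles boolean, where the quoted denial is only a `search` on `sysctl_t`. Keeping the upstream defaults and shipping only booleans.conf (or only the targeted rules) would leave the tunables meaningful for users who do not want them. `Upstream-Status: Pending` also sits uneasily with a change the message describes as intended only for specific configurations.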
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
new file mode 100644
index 0000000..824c136
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,27 @@
+From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+ /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
+ /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+ /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
new file mode 100644
index 0000000..307574c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -0,0 +1,103 @@
+From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:09 +0530
+Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
+ service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 ++
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if | 6 ++++--
+ policy/modules/system/systemd.te | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 843fdcff..ca8678b8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
+
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75750e4c..2c2cfc7d 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 4519a448..79133e6f 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+ gen_require(`
+- class service start;
++ class service { start status stop };
++ class file { execmod open };
+ ')
+
+- allow initrc_t $1:service start;
++ allow initrc_t $1:service { start status stop };
++ allow initrc_t $1:file execmod;
+
+ ')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 74f9c1cb..f1d26a44 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
+ allow systemd_tmpfiles_t init_t:dir search;
+ allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
+ kernel_getattr_proc(systemd_tmpfiles_t)
+--
+2.19.1
+
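Review bot: The `systemd_service_lib_function` interface now grants `allow initrc_t $1:file execmod;`, a permission none of the quoted denials asks for (they are `write` on a fifo_file, `open` on a file and `stop` on a service), and execmod is the kind of memory-protection exception that should come with a stated reason; `open` is also listed in the new `gen_require` but never used. If execmod is really needed, a comment above the rule naming the denial it resolves would help; otherwise drop that line and trim the require to `class file open;` or remove it. The init.te hunk adds `allow initrc_t init_var_run_t:service stop;` on a separate line directly below the existing `{ start status }` rule for the same pair; folding it in as `allow initrc_t init_var_run_t:service { start status stop };` mirrors what this same patch does in systemd.if.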
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
index 3218c88..6472a21 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
@@ -1,19 +1,21 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
+From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:58:53 -0400
+Subject: [PATCH 08/34] fc/bind: fix real path for bind
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/bind.fc | 2 ++
+ policy/modules/services/bind.fc | 2 ++
1 file changed, 2 insertions(+)
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,10 +1,12 @@
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index b4879dc1..59498e25 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
new file mode 100644
index 0000000..05543da
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
+From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te | 2 ++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++ gen_require(`
++ type tmp_t;
++ class lnk_file getattr;
++ ')
++
++ allow $1 tmp_t:lnk_file getattr;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
+
++########################################
++## <summary>
++## systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++ type sysctl_kernel_t;
++ class dir search;
++ class file { open read };
++ ')
++
++ allow $1 sysctl_kernel_t:dir search;
++ allow $1 sysctl_kernel_t:file { open read };
++
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f1d26a44..b4c64bc1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+
+ seutil_read_file_contexts(systemd_update_done_t)
+
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+ systemd_log_parse_environment(systemd_update_done_t)
+--
+2.19.1
+
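Review bot: The two new interfaces carry a `systemd_service_` prefix while living in files.if and kernel.if, whose interfaces are otherwise named `files_*` and `kernel_*` (see `files_unconfined` and `kernel_ib_manage_subnet_unlabeled_endports` in the context lines); the prefix is how a reader finds the defining module, so names along the lines of `files_getattr_generic_tmp_symlinks` and `kernel_search_kernel_sysctl_dirs` would follow the convention. The two calls are inserted among the `systemd_update_done_t` rules (between `seutil_read_file_contexts(systemd_update_done_t)` and `systemd_log_parse_environment(systemd_update_done_t)`) although they act on `systemd_tmpfiles_t`, whose own rule block is the one touched by the earlier patches; placing them there keeps each domain's rules together. The kernel.if interface also grants `file { open read }` on sysctl_kernel_t although only a `search` denial is quoted, and `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` is already applied to this domain, so it is worth checking whether an existing interface already covers the need before adding a new one.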
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
new file mode 100644
index 0000000..382a62c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100644
index 0000000..de9180a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,70 @@
+From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 423db0cc..9ab03956 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -132,3 +132,4 @@ optional_policy(`
+
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 98c2bd19..6a94ac12 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
+--
+2.19.1
+
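Review bot: The widened rules `allow syslogd_t tmpfs_t:file { read write create getattr append open };` and `allow syslogd_t tmpfs_t:dir { search write add_name };` let syslogd create and write files in any tmpfs_t-labelled directory, not only the `/var/volatile/log` tree the quoted denials come from. Every denial shows `tcontext=system_u:object_r:tmpfs_t`, which suggests the log directory on the volatile filesystem is not receiving the usual log label; labelling it (a file context entry or a filesystem type transition so the files get the logging type) would clear the denials without broadening syslogd's reach over every tmpfs object. If the raw allow is kept, a comment above it explaining why the log directory cannot carry its normal label would help the next reader. The getty rule `allow getty_t initrc_t:unix_dgram_socket sendto;` follows the klogd/auditd rules added earlier in this series; a short comment noting that the journal `dev-log` socket is labelled initrc_t would tie it to the quoted denial.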
diff --git a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100644
index 0000000..5de6d0d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
index a01e2eb..ab81b31 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,24 +1,27 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
+From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Pending
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 4ac3e733..1f453091 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
-@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste
-
- /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-
- /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+ /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+--
+2.19.1
+
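Review bot: The rewritten header drops `Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>` while the resolv.conf and bind patches in this same series keep the original sign-off under the new `From:`. If the new alternatives entry is a rework of Xin Ouyang's earlier ssh fix rather than new work, restore that line above Joe MacDonald's so provenance is not lost. The added entry `/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)` itself escapes the dot as the other alternatives entries do.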
diff --git a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
new file mode 100644
index 0000000..8346fcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,48 @@
+From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index ac7c2dd1..4e441503 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
+ /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
+ /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
++#
++# /usr/lib/busybox
++#
++/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
+ #
+ # /var
+ #
+--
+2.19.1
+
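Review bot: The new `/usr/sbin/ip\.iproute2` entry is inserted above `/usr/sbin/ip`, while `/usr/sbin/ifconfig\.net-tools` and `/usr/sbin/mii-tool\.net-tools` are placed directly below the entry they alias; the surrounding list is kept sorted, so moving the ip alias below `/usr/sbin/ip` keeps the ordering consistent. Matching does not depend on order here, so this is purely a readability point.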
diff --git a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100644
index 0000000..9ec2e21
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 606ad517..2919c0bd 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..fff816a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
+From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/rpm.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 578d465c..f2b8003a 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
+ /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+ ifdef(`enable_mls',`
+-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
++
+--
+2.19.1
+
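Review bot: `/usr/bin/cpio.cpio` on the new side of the rpm.fc hunk leaves the dot unescaped, so as a file-context regex it also matches names like `cpio-cpio`, unlike the alternatives entries elsewhere in this series (`su\.shadow`, `blkid\.util-linux`) which escape it; write `/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The hunk also replaces the existing `/usr/sbin/cpio` line with a visually identical one and appends an empty line after `')`, which looks like whitespace noise that will only make the next rebase harder. Since these entries sit inside the `enable_mls` block, the generic cpio binaries get rpm_exec_t on MLS builds for every caller, not just rpm, so the description should state that this deliberately mirrors the existing `/usr/sbin/cpio` entry.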
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
index b8597f9..b26eeea 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,22 +1,26 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
+From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
+Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/admin/su.fc | 2 ++
+ policy/modules/admin/su.fc | 2 ++
1 file changed, 2 insertions(+)
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c969..435a6892 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
-@@ -2,5 +2,6 @@
- /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
+@@ -1,3 +1,5 @@
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+2.19.1
+
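Review bot: The rewritten su.fc hunk drops the old `/bin/su.shadow` entry in favour of `/usr/bin/su\.shadow` and `/usr/bin/su\.util-linux`, so on an image whose /bin is not merged into /usr/bin the labelling presumably depends on a file_contexts.subs_dist mapping; the patch description should say which of the two is assumed. The escaped dot is the right fix over the old unescaped `su.shadow`. The Date line still carries the 2014 date although the content was rewritten, which is worth a sentence in the body if the original authorship is being kept intentionally.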
diff --git a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100644
index 0000000..35676f8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/fstools.fc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 8fbd5ce4..d719e22c 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -58,6 +58,7 @@
+ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +73,12 @@
+ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -88,17 +91,20 @@
+ /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -108,6 +114,12 @@
+ /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
+ /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
+
+ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+--
+2.19.1
+
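Review bot: `/usr/sbin/raw` on the new side is a new fsadm_exec_t labelling that neither the subject ("fix real path for fstools") nor the body mention; either split it out or describe it in the description. `hdparm\.util-linux` looks suspicious because hdparm is not a util-linux program, so the alternatives name actually installed on the target should be confirmed before relying on this entry. The busybox block at the end of the file lacks the `#` / `# /usr/lib/busybox` / `#` banner that the sysnetwork.fc patch in this series uses; the two files should agree.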
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
index b755b45..af24d90 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -1,7 +1,8 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
+ object
We add the syslogd_t to trusted object, because other process need
to have the right to connectto/sendto /dev/log.
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.te | 1 +
+ policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 38ccfe3a..c892f547 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo
-
- fs_getattr_all_fs(syslogd_t)
+@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
term_write_console(syslogd_t)
# Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
-
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100644
index 0000000..6dca744
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
+From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 6 ++++++
+ policy/modules/system/logging.te | 2 ++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0cf108e0..5bec7e99 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 7b7644f7..0c7268ff 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, logfile, logfile)
+ ')
+
+@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ can_exec($1, logfile)
+ ')
+
+@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index c892f547..499a4552 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+--
+2.19.1
+
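Review bot: The description promises lnk_file read rules for search/list/delete/rw in /var/log, but the logging.if hunks only touch logging_read_all_logs, logging_exec_all_logs, logging_read_generic_logs and logging_manage_generic_logs; the search/list interfaces (logging_search_logs, logging_list_logs, if this refpolicy version has them) and the rw/append generic-log interfaces get no `allow $1 var_log_t:lnk_file read_lnk_file_perms;`, so their callers will presumably still be denied on a symlinked /var/log. In logging_manage_generic_logs the rule is appended after manage_files_pattern while the other three place it before the pattern call; keep one order. The logging.te part adds the rule only for auditd_t and audisp_remote_t, and the body could record how those two were identified so a later rebase knows whether other domains that search var_log_t:dir directly need the same.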
diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100644
index 0000000..a532316
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
+From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 10:33:18 -0400
+Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
+ /var/log
+
+We have added rules for the symlink of /var/log in logging.if, while
+syslogd_t uses /var/log but does not use the interfaces in logging.if. So
+still need add a individual rule for syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 499a4552..e6221a02 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
+
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+--
+2.19.1
+
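Review bot: The From line names Joe MacDonald with a 2019 date while the first Signed-off-by and the body ("We have added rules ... in logging.if") are Xin Ouyang's from the original 2013 patch; if this rule was split out of the previous patch, keep the original author in From or say in the body that it is a split. The body also reads "So still need add a individual rule for syslogd_t" — "so we still need to add an individual rule for syslogd_t" is clearer.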
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
index b828b7a..a494671 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -1,7 +1,8 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
+ symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/domain.te | 3 +++
+ policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 1a55e3d2..babb794f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
-@@ -108,10 +108,13 @@ dev_rw_zero(domain)
- term_use_controlling_term(domain)
-
+@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
- # listen function is called, so bad calls
- # to listen on UDP sockets should be silenced
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
index 07ebf58..aa61a80 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -1,7 +1,7 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
+Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/files.fc | 1 +
- policy/modules/kernel/files.if | 8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c3496c21..05b1734b 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
-@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
-
- #
+@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
/tmp/.* <<none>>
/tmp/\.journal <<none>>
- /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /tmp/lost\+found/.* <<none>>
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f1c94411..eb067ad3 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
- gen_require(`
- type tmp_t;
+@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
')
allow $1 tmp_t:dir search_dir_perms;
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Do not audit attempts to search the tmp directory (/tmp).
-@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
- gen_require(`
- type tmp_t;
+@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
')
allow $1 tmp_t:dir list_dir_perms;
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Do not audit listing of the tmp directory (/tmp).
-@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
- gen_require(`
- type tmp_t;
+@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
')
allow $1 tmp_t:dir del_entry_dir_perms;
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read files in the tmp directory (/tmp).
-@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
- gen_require(`
- type tmp_t;
+@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
')
read_files_pattern($1, tmp_t, tmp_t)
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Manage temporary directories in /tmp.
-@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
- gen_require(`
- type tmp_t;
+@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
')
manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Manage temporary files and directories in /tmp.
-@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
- gen_require(`
- type tmp_t;
+@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
')
manage_files_pattern($1, tmp_t, tmp_t)
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read symbolic links in the tmp directory (/tmp).
-@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
- gen_require(`
- type tmp_t;
+@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Mount filesystems in the tmp directory (/tmp)
-@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
- gen_require(`
- type tmp_t;
+@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Delete the contents of /tmp.
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
index ad7b5a6..68235b1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -1,21 +1,22 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
+From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
+Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
+ to complete pty devices.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/terminal.if | 16 ++++++++++++++++
+ policy/modules/kernel/terminal.if | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 61308843..a84787e6 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',`
- ## </param>
- #
+@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
interface(`term_dontaudit_getattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
## <summary>
- ## ioctl of generic pty devices.
- ## </summary>
-@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
- #
- # cjp: added for ppp
+@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
interface(`term_ioctl_generic_ptys',`
gen_require(`
type devpts_t;
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Allow setting the attributes of
-@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
- #
- # dwalsh: added for rhgb
+@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
interface(`term_setattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Dontaudit setting the attributes of
-@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
- #
- # dwalsh: added for rhgb
+@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
interface(`term_dontaudit_setattr_generic_ptys',`
gen_require(`
type devpts_t;
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read and write the generic pty
-@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
- ## </param>
- #
+@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
interface(`term_use_generic_ptys',`
gen_require(`
type devpts_t;
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Dot not audit attempts to read and
-@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
- ## </param>
- #
+@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
interface(`term_dontaudit_use_generic_ptys',`
gen_require(`
type devpts_t;
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
#######################################
- ## <summary>
- ## Set the attributes of the tty device
-@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
- ## </param>
- #
+@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
interface(`term_setattr_controlling_term',`
gen_require(`
type devtty_t;
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Read and write the controlling
-@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
- ## </param>
- #
+@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
#######################################
- ## <summary>
- ## Get the attributes of the pty multiplexor (/dev/ptmx).
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
index e3ea75e..06f9207 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -1,7 +1,8 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
+From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
+Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
+ term_dontaudit_use_console.
We should also not audit terminal to rw tty_device_t and fds in
term_dontaudit_use_console.
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/terminal.if | 3 +++
+ policy/modules/kernel/terminal.if | 3 +++
1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index a84787e6..cf66da2f 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -315,13 +315,16 @@ interface(`term_use_console',`
- ## </param>
- #
+@@ -335,9 +335,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
')
########################################
- ## <summary>
- ## Set the attributes of the console
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..01f6c8b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+--
+2.19.1
+
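Review bot: The subject "allow nfsd to exec shell commands" does not describe the change, which only uncomments `kernel_mounton_proc(nfsd_t)` in rpc.te; the subject and body should say that nfsd_t is being allowed to mount on proc and why (presumably for the nfsd filesystem under /proc, but the patch does not say). Upstream had left this call commented out, so the description should also record why enabling it is acceptable here; with Upstream-Status "Inappropriate" the next rebase will otherwise have no rationale to go on.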
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
index d0b0073..78a4328 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -1,58 +1,25 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
+From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
+Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
+ nfsd_fs_t.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/rpc.te | 5 +++++
- policy/modules/contrib/rpcbind.te | 5 +++++
- policy/modules/kernel/filesystem.te | 1 +
- policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/kernel/filesystem.te | 1 +
+ policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/services/rpc.te | 5 +++++
+ policy/modules/services/rpcbind.te | 5 +++++
4 files changed, 13 insertions(+)
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t)
-
- logging_send_syslog_msg(rpcbind_t)
-
- miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',`
- files_read_non_auth_files(nfsd_t)
- ')
-
- optional_policy(`
- mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
- ')
-
- ########################################
- #
- # GSSD local policy
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 41037951..b341ba83 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
- allow mvfs_t self:filesystem associate;
- genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type nsfs_t;
- fs_type(nsfs_t)
- genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 8e958074..7b81c732 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t)
-
- mls_process_read_all_levels(kernel_t)
+@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
ifdef(`distro_redhat',`
# Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index d4209231..a2327b44 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
+
+ optional_policy(`
+ mount_exec(nfsd_t)
++ # Should domtrans to mount_t while mounting nfsd_fs_t.
++ mount_domtrans(nfsd_t)
++ # nfsd_t need to chdir to /var/lib/nfs and read files.
++ files_list_var(nfsd_t)
++ rpc_read_nfs_state_data(nfsd_t)
')
+
+ ########################################
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 5914af99..2055c114 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
+
+ miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--
+2.19.1
+
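Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` in the rpcbind.te hunk make rpcbind an MLS override domain for sockets in both directions, which is much wider than the stated need of accepting a stream connection from nfsd_t. If the problem is only that nfsd_t runs at a different level, narrower options should be tried first — the `*_to_clearance` variants of these interfaces if this refpolicy revision has them, or running the two daemons at the same level — and the comment should record which direction actually produced a denial. The comment also has a typo: `the are running` should read `they are running in different levels`. In the rpc.te hunk, `mount_exec(nfsd_t)` and `mount_domtrans(nfsd_t)` now coexist; if the domain transition is the intended path, the exec-without-transition line is probably redundant and worth dropping so nfsd_t cannot run mount in its own domain.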
diff --git a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..257395a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+ ')
+
+ allow $1 security_t:filesystem unmount;
++
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+ ')
+
+ dontaudit $1 security_t:dir getattr;
++ dev_dontaudit_getattr_sysfs($1)
++ dev_dontaudit_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_getattr_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+ bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir list_dir_perms;
+ dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 self:netlink_selinux_socket create_socket_perms;
+ allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+--
+2.19.1
+
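Review bot: The `dev_dontaudit_search_sysfs($1)` / `dev_dontaudit_getattr_sysfs($1)` additions to `selinux_dontaudit_getattr_dir`, `selinux_dontaudit_search_fs`, `selinux_dontaudit_read_fs` and `selinux_dontaudit_validate_context` silence sysfs-wide denials for every caller of those interfaces, not just accesses to the selinuxfs mount point, which can hide unrelated /sys denials during policy development. Since the sysfs interfaces cover /sys as a whole, the interface summaries (outside this hunk) should state that they now also dontaudit search/getattr on sysfs, and the allow-side additions in `selinux_mount_fs`/`selinux_remount_fs`/`selinux_unmount_fs` deserve the same note. Minor style point: in `selinux_unmount_fs` the two `dev_*_sysfs` calls are placed after the `allow`, while the other two interfaces put them before it; keep the ordering consistent. The body says `Inappropriate [only for Poky]`, but the move of selinuxfs to /sys/fs/selinux is a kernel change that affects every distribution, so `Pending` with an upstream submission looks like the right status.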
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
index a1fda13..23226a0 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -1,7 +1,7 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
+From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
+Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
Upstream-Status: Pending
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/roles/sysadm.te | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/roles/sysadm.te | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 2ae952bf..d781378f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -1169,10 +1169,14 @@ optional_policy(`
- virt_admin(sysadm_t, sysadm_r)
- virt_stream_connect(sysadm_t)
+@@ -945,6 +945,7 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ rpcbind_admin(sysadm_t, sysadm_r)
')
- optional_policy(`
- vnstatd_admin(sysadm_t, sysadm_r)
+--
+2.19.1
+
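Review bot: `rpcbind_stream_connect(sysadm_t)` is added beside `rpcbind_admin(sysadm_t, sysadm_r)`, so any other role that calls `rpcbind_admin` will hit the same connect denial quoted in the description (syscall=42); if `rpcbind_admin()` in rpcbind.if does not already grant the stream connect in this revision, the grant belongs there, which would also make this sysadm.te change unnecessary. If it does already grant it, the new line is redundant and should be dropped instead. Either way a short comment naming the operation, e.g. `# rpcinfo connects to the rpcbind unix socket`, would help the next rebase.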
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
index e0f8c1a..732eaaf 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -1,22 +1,23 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
+From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
+Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
+ config files
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/selinuxutil.if | 1 +
- policy/modules/system/userdomain.if | 4 ++++
+ policy/modules/system/selinuxutil.if | 1 +
+ policy/modules/system/userdomain.if | 4 ++++
2 files changed, 5 insertions(+)
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 20024993..0fdc8c10 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -753,10 +753,11 @@ interface(`seutil_manage_config',`
- gen_require(`
- type selinux_config_t;
+@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-
- #######################################
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 5221bd13..4cf987d1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
-@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat
- logging_read_audit_log($1)
- logging_read_generic_logs($1)
+@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
seutil_run_checkpolicy($1, $2)
seutil_run_loadpolicy($1, $2)
seutil_run_semanage($1, $2)
- seutil_run_setfiles($1, $2)
-
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
new file mode 100644
index 0000000..14734b2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+ file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 8a1688cc..a9930e9e 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+
++fs_getattr_all_fs(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_cgroup(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
+--
+2.19.1
+
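Review bot: `fs_getattr_all_fs(setfiles_t)` grants getattr on every filesystem type, which subsumes the `fs_getattr_all_xattr_fs`, `fs_getattr_cgroup` and `fs_getattr_nfs` lines immediately below it; leaving them in place is harmless but misleading about what setfiles can actually stat. Either drop the three narrower lines in the same patch or add a comment above the new line such as `# statvfs() in file_system_count() walks /proc/mounts, so every mounted fs type is stat'ed`, so a reader knows the broad grant is intentional. Since the need comes from a setfiles code change rather than a Poky-specific layout, `Upstream-Status: Pending` should be paired with an upstream submission reference when one exists.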
diff --git a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
new file mode 100644
index 0000000..aebdcb3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+ default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, dmesg_exec_t)
++ dev_read_kmsg($1)
+ ')
+--
+2.19.1
+
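Review bot: Adding `dev_read_kmsg($1)` to `dmesg_exec` changes the contract of the interface: every caller that only wanted to run dmesg in its own domain now also gets direct read access to /dev/kmsg, i.e. the kernel log, which can expose kernel addresses and hardware details to domains that never run dmesg. If util-linux dmesg needs /dev/kmsg, the cleaner fix is to keep that permission in the dmesg_t domain and have callers use `dmesg_domtrans`, or to grant `dev_read_kmsg` only to the specific callers that need it; at minimum the interface summary (outside this hunk) must document the added permission. The patch also lacks an `Upstream-Status:` line, which the other patches in this series carry.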
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
index 85c40a4..afba90f 100644
--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -1,7 +1,8 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
+ mls_file_write_all_levels
Proftpd will create file under /var/run, but its mls is in high, and
can not write to lowlevel
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm
type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
- allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
+ allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
root@localhost:~#
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/ftp.te | 2 ++
+ policy/modules/services/ftp.te | 2 ++
1 file changed, 2 insertions(+)
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex
- role ftpdctl_roles types ftpdctl_t;
-
+diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
+index 29bc077c..d582cf80 100644
+--- a/policy/modules/services/ftp.te
++++ b/policy/modules/services/ftp.te
+@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
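Review bot: The quoted AVC shows ftpd_t at `s15:c0.c1023` writing into var_run_t labelled `s0-s15:c0.c1023`, i.e. the subject level sits inside the object's range, which is the case the narrower `mls_file_write_within_range(ftpd_t)` attribute is meant for; `mls_file_write_all_levels` instead lets ftpd_t write objects at any level, a full MLS write-down bypass for a network-facing daemon. If the within-range variant resolves the denial in this refpolicy revision, prefer it and mention the tested alternative in the body; if not, a comment next to the rule explaining why the all-levels override is required would keep it from being silently carried forward. The rule lines themselves sit in the unchanged part of the patch, outside this hunk.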
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
-
- type xferlog_t;
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
index 41b9c2b..ced90be 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -1,27 +1,32 @@
-From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
+From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH] refpolicy: update for systemd related allow rules
+Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
+ rules
It provide, the systemd support related allow rules
+Upstream-Status: Pending
+
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 5 +++++
+ policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f7635d6f..2e6b57a6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1105,5 +1105,10 @@ optional_policy(`
- ')
-
- optional_policy(`
- zebra_read_config(initrc_t)
+@@ -1418,3 +1418,8 @@ optional_policy(`
+ userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ userdom_dontaudit_write_user_tmp_files(systemprocess)
')
+
+# systemd related allow rules
+allow kernel_t init_t:process dyntransition;
+allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;
-\ No newline at end of file
+--
+2.19.1
+
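Review bot: The three rules under `# systemd related allow rules` are unconditional, so `allow kernel_t init_t:process dyntransition;`, the devpts associate rule and `block_suspend` also land in non-systemd (sysvinit) builds of this policy; wrap them in `ifdef(\`init_systemd\`,` … `')` as the rest of init.te does for systemd-specific rules. Raw `allow` statements naming `kernel_t` and `devpts_t` in init.te also bypass refpolicy's interface layering (those types belong to the kernel and terminal modules), so if equivalent interfaces exist in this revision — a `kernel_dyntrans_to(init_t)`-style call and a terminal/devices interface for the devpts association — prefer them, or at least add a `gen_require` block so the dependency is explicit. The kernel_t → init_t dynamic transition is a significant grant and deserves a one-line justification in the body beyond "systemd support".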
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
index 3a8a95e..09a16fb 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,7 @@
-Subject: [PATCH] refpolicy: fix optional issue on sysadm module
+From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 5 Apr 2019 11:53:28 -0400
+Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
init and locallogin modules have a depend for sysadm module because
they have called sysadm interfaces(sysadm_shell_domtrans). Since
@@ -13,16 +16,16 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 14 ++++++++------
+ policy/modules/system/init.te | 16 +++++++++-------
policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 11 insertions(+), 7 deletions(-)
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 2e6b57a6..d8696580 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
-
- optional_policy(`
- modutils_domtrans_insmod(init_t)
+@@ -448,13 +448,15 @@ ifdef(`init_systemd',`
+ modutils_domtrans(init_t)
')
',`
- tunable_policy(`init_upstart',`
@@ -30,34 +33,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
- ',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
-- sysadm_shell_domtrans(init_t)
+- ifndef(`distro_debian',`
+- sysadm_shell_domtrans(init_t)
+ optional_policy(`
+ tunable_policy(`init_upstart',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+ ',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
-+ sysadm_shell_domtrans(init_t)
-+ ')
++ ifndef(`distro_debian',`
++ sysadm_shell_domtrans(init_t)
++ ')
+ ')
')
')
-
- ifdef(`distro_debian',`
- fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
-@@ -1109,6 +1111,6 @@ optional_policy(`
- ')
-
- # systemd related allow rules
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
--allow init_t self:capability2 block_suspend;
-\ No newline at end of file
-+allow init_t self:capability2 block_suspend;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index a56f3d1f..4c679ff3 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
- userdom_use_unpriv_users_fds(sulogin_t)
-
+@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
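Review bot: Wrapping the whole `tunable_policy(\`init_upstart\`, …)` in `optional_policy(` ties the upstart branch, `corecmd_shell_domtrans(init_t, initrc_t)`, to the presence of the sysadm module, although only the else branch (`sysadm_shell_domtrans`) depends on it; a minimum build without sysadm but with `init_upstart` set silently loses the initrc shell transition. Since, as far as I know, an `optional_policy` cannot be nested inside a `tunable_policy`, the clean split is to keep the upstart branch unconditional and put only the sysadm call in the optional block, keyed on the negated tunable (if `!` expressions are accepted by this refpolicy's `tunable_policy`; otherwise use an empty first branch). The `ifndef(\`distro_debian\`` guard is an m4-time check and can sit outside the optional block. The enclosing `ifdef(\`init_systemd\`` … `',\`` else arm starts before this hunk.

```selinux
	tunable_policy(`init_upstart',`
		corecmd_shell_domtrans(init_t, initrc_t)
	')

	ifndef(`distro_debian',`
		optional_policy(`
			# Run the shell in the sysadm role for single-user mode.
			# causes problems with upstart
			tunable_policy(`!init_upstart',`
				sysadm_shell_domtrans(init_t)
			')
		')
	')
```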
@@ -66,7 +60,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+ sysadm_shell_domtrans(sulogin_t)
+')
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
-
+ # by default, sulogin does not use pam...
+ # sulogin_pam might need to be defined otherwise
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
index 8d22c21..03b1439 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -1,7 +1,8 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
+ /var/log - apache2
We have added rules for the symlink of /var/log in logging.if,
while apache.te uses /var/log but does not use the interfaces in
@@ -12,20 +13,21 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/contrib/apache.te | 1 +
+ policy/modules/services/apache.te | 1 +
1 file changed, 1 insertion(+)
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 15c4ea53..596370b1 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+--
+2.19.1
+
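Review bot: `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` references `var_log_t` directly from apache.te, bypassing the logging module's interfaces even though the description itself says the symlink rules were added to logging.if; the consistent fix is to call that logging.if interface (the search/list interface this series extended for the /var/log symlink), so the rule follows any later change to how /var/log is labelled. A direct reference also relies on `var_log_t` being in scope without a `gen_require` block, which works only because of how the modules are built together and may break if apache is built as a separate module. If a direct rule is kept, a comment such as `# /var/log is a symlink on Poky images; httpd must follow it to reach httpd_log_t` would record why apache needs it.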
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
deleted file mode 100644
index 946dcc2..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -1,5 +1,6 @@
- /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
-
- /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
- /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
deleted file mode 100644
index 689c75b..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,2 @@
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
- /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index b441257..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/usermanage.fc | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -2,20 +2,24 @@ ifdef(`distro_debian',`
- /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
- ')
-
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/bin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/bin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -36,10 +40,12 @@ ifdef(`distro_debian',`
- /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
- /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
-
- /var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index 5ed7eae..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/ftp.fc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -15,11 +15,11 @@
- /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
- /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
- /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
-
--/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
deleted file mode 100644
index b3e2846..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/mta.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
- /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
- /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
deleted file mode 100644
index 0adf7c2..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/nscd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,8 +1,9 @@
- /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-
- /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-
- /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
deleted file mode 100644
index 3cd766d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpm.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
- /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
- /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
deleted file mode 100644
index 8ea210e..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/screen.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
-
- /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
- /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
deleted file mode 100644
index 8aec193..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -26,5 +26,16 @@
-
- # backward compatibility
- # not for refpolicy intern, but for /var/run using applications,
- # like systemd tmpfiles or systemd socket configurations
- /var/run /run
-+
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
deleted file mode 100644
index f53b551..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -32,10 +32,11 @@ ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-
- /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
deleted file mode 100644
index 49136e6..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f2e4f51..c39912d 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
- /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index e3edce1..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/hostname.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1 +1,3 @@
-+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
- /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index b12ee9d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
- rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
- files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-
- # for systemd but can not be conditional
- files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
-
- # manage temporary files
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index 7c7355f..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -280,10 +280,11 @@ optional_policy(`
-
- allow audisp_remote_t self:capability { setpcap setuid };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index 4a05a2a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 14 +++++++++++++-
- policy/modules/system/logging.te | 1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-Index: refpolicy/policy/modules/system/logging.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.fc
-+++ refpolicy/policy/modules/system/logging.fc
-@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-Index: refpolicy/policy/modules/system/logging.if
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.if
-+++ refpolicy/policy/modules/system/logging.if
-@@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
-@@ -967,10 +969,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
-@@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
-@@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs',
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-Index: refpolicy/policy/modules/system/logging.te
-===================================================================
---- refpolicy.orig/policy/modules/system/logging.te
-+++ refpolicy/policy/modules/system/logging.te
-@@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index a9a0a55..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te | 2 +-
- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
-
- kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
- corenet_udp_bind_nfs_port(nfsd_t)
-
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
- allow $1 proc_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of the proc filesystem.
-+## Mounton a proc filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`kernel_getattr_proc',`
-+interface(`kernel_mounton_proc',`
- gen_require(`
- type proc_t;
- ')
-
-- allow $1 proc_t:filesystem getattr;
-+ allow $1 proc_t:dir mounton;
- ')
-
- ########################################
- ## <summary>
--## Mount on proc directories.
-+## Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`kernel_mounton_proc',`
-+interface(`kernel_getattr_proc',`
- gen_require(`
- type proc_t;
- ')
-
-- allow $1 proc_t:dir mounton;
-+ allow $1 proc_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
- ## Do not audit attempts to set the
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index 08e9398..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t)
- files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_getattr_nfs(setfiles_t)
- fs_getattr_pstore_dirs(setfiles_t)
- fs_getattr_pstorefs(setfiles_t)
- fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index 11a6963..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- policy/modules/admin/dmesg.te | 2 ++
- 2 files changed, 3 insertions(+)
-
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
- type dmesg_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index f3adc70..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
- interface(`selinux_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+ # access sysfs
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- allow $1 security_t:filesystem getattr;
-
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
- interface(`selinux_dontaudit_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- dontaudit $1 security_t:filesystem getattr;
-
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
- interface(`selinux_mount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem mount;
- ')
-
- ########################################
- ## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
- interface(`selinux_remount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem remount;
- ')
-
- ########################################
- ## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
- interface(`selinux_unmount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
- interface(`selinux_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem getattr;
-
- dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- ')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
- interface(`selinux_dontaudit_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:filesystem getattr;
-
- dev_dontaudit_getattr_sysfs($1)
- dev_dontaudit_search_sysfs($1)
- ')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
- interface(`selinux_dontaudit_getattr_dir',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir getattr;
- ')
-
- ########################################
- ## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
- interface(`selinux_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
- interface(`selinux_dontaudit_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
- interface(`selinux_dontaudit_read_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-
- ########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
- interface(`selinux_get_enforce_mode',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- ')
-
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
- interface(`selinux_read_policy',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- allow $1 security_t:security read_policy;
- ')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
- type security_t, secure_mode_policyload_t;
- attribute boolean_type;
- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
- interface(`selinux_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security check_context;
- ')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
- interface(`selinux_dontaudit_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
- dontaudit $1 security_t:security check_context;
- ')
-
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
- interface(`selinux_compute_access_vector',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_av;
- ')
-@@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte
- interface(`selinux_compute_user_contexts',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_user;
- ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 0cd8bf9..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
-
-+fs_getattr_all_fs(setfiles_t)
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_getattr_nfs(setfiles_t)
- fs_getattr_pstore_dirs(setfiles_t)
- fs_getattr_pstorefs(setfiles_t)
- fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
index 062727b..062727b 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
deleted file mode 100644
index bf7b980..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-refpolicy-minimum: systemd: mount: enable required refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
- ls /var/log
- /var/log -> volatile/log
-:~#
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-
---- a/policy/booleans.conf
-+++ b/policy/booleans.conf
-@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
- #
- # Allow the mount command to mount any directory or file.
- #
--allow_mount_anyfile = false
-+allow_mount_anyfile = true
-
- #
- # Enable support for systemd-tmpfiles to manage all non-security files.
- #
--systemd_tmpfiles_manage_all = false
-+systemd_tmpfiles_manage_all = true
-
- #
- # Allow users to connect to mysql
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
index da6626e..40abe35 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
include refpolicy-targeted_${PV}.bb
SUMMARY = "SELinux minimum policy"
@@ -10,15 +13,24 @@ domains are unconfined. \
POLICY_NAME = "minimum"
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
CORE_POLICY_MODULES = "unconfined \
- selinuxutil storage sysnetwork \
- application libraries miscfiles logging userdomain \
- init mount modutils getty authlogin locallogin \
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
"
#systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}"
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
# nscd caches libc-issued requests to the name service.
# Without nscd.pp, commands want to use these caches will be blocked.
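Review bot: Dropping `FILESEXTRAPATHS_prepend` from this recipe (the first removed line of the hunk) narrows file lookup to the default FILESPATH plus whatever the included refpolicy-targeted_${PV}.bb prepends, which is only `${THISDIR}/refpolicy-${PV}`; the `${THISDIR}/files` and `${THISDIR}/refpolicy-targeted` entries are gone. The nine 000x-refpolicy-minimum-*.patch files that the third hunk removes from this recipe's SRC_URI and that now appear only in the targeted recipe used to live under refpolicy-minimum/, as the deletion at the top of this chunk shows, and that directory is on FILESPATH only when PN is refpolicy-minimum. Confirm the relocated patches sit under refpolicy-${PV} (or another directory the targeted recipe reaches) so that both refpolicy-targeted and refpolicy-minimum builds resolve them; refpolicy-minimum_git.bb makes the identical change.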
@@ -67,18 +79,3 @@ prepare_policy_store () {
cp ${MOD_FILE} ${MOD_DIR}/hll
done
}
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
-
-
-SYSTEMD_REFPOLICY_PATCHES = " \
- file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
- file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
- file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
- file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
- file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
- file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
- file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
- file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
- file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
- "
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 0f2a139..40abe35 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
include refpolicy-targeted_${PV}.bb
SUMMARY = "SELinux minimum policy"
@@ -10,12 +13,21 @@ domains are unconfined. \
POLICY_NAME = "minimum"
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
CORE_POLICY_MODULES = "unconfined \
- selinuxutil storage sysnetwork \
- application libraries miscfiles logging userdomain \
- init mount modutils getty authlogin locallogin \
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
"
#systemd dependent policy modules
CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
index 7388232..7388232 100644
--- a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
index 3674fdd..3674fdd 100644
--- a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
deleted file mode 100644
index 17a8199..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Wed, 17 Feb 2016 08:35:51 -0500
-Subject: [PATCH] remove duplicate type_transition
-
-Remove duplicate type rules from init_t to init_script_file_type,
-they have been included by systemd policies. This also fixes the
-errors while installing modules for refpolicy-targeted if systemd
-support is enabled:
-
-| Conflicting type rules
-| Binary policy creation failed at line 327 of \
- .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
- /var/lib/selinux/targeted/tmp/modules/100/init/cil
-| Failed to generate binary
-| semodule: Failed!
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.if | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t;
-+ type initrc_t, initrc_exec_t;
- attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, init_script_file_type, initrc_t)
-+ domtrans_pattern($1, initrc_exec_t, initrc_t)
-
- ifdef(`enable_mcs',`
- range_transition $1 init_script_file_type:process s0;
- ')
-
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
deleted file mode 100644
index 1dc9911..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Wed, 17 Feb 2016 08:35:51 -0500
-Subject: [PATCH] remove duplicate type_transition
-
-Remove duplicate type rules from init_t to init_script_file_type,
-they have been included by systemd policies. This also fixes the
-errors while installing modules for refpolicy-targeted if systemd
-support is enabled:
-
-| Conflicting type rules
-| Binary policy creation failed at line 327 of \
- .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
- /var/lib/selinux/targeted/tmp/modules/100/init/cil
-| Failed to generate binary
-| semodule: Failed!
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.if | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t;
-+ type initrc_t, initrc_exec_t;
- attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, init_script_file_type, initrc_t)
-+ domtrans_pattern($1, initrc_exec_t, initrc_t)
-
- ifdef(`enable_mcs',`
- range_transition $1 init_script_file_type:process s0;
- ')
-
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
deleted file mode 100644
index 29d3e2d..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- config/appconfig-mcs/seusers | 4 ++--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te | 7 ++++++
- policy/users | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
-
---- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
--root:root:s0-mcs_systemhigh
--__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
-
- init_exec(sysadm_t)
- init_admin(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- selinux_read_policy(sysadm_t)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
- ## </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -2972,5 +2974,34 @@ interface(`init_admin',`
- init_stop_all_units($1)
- init_stop_generic_units($1)
- init_stop_system($1)
- init_telinit($1)
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
-
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
---- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined. The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
-
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell. Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
deleted file mode 100644
index f28ab74..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- config/appconfig-mcs/seusers | 4 ++--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te | 7 ++++++
- policy/users | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
-
---- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
--root:root:s0-mcs_systemhigh
--__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -41,10 +41,11 @@ init_reload(sysadm_t)
- init_reboot_system(sysadm_t)
- init_shutdown_system(sysadm_t)
- init_start_generic_units(sysadm_t)
- init_stop_generic_units(sysadm_t)
- init_reload_generic_units(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
- ## </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
- class service reload;
- ')
-
- allow $1 systemdunit:service reload;
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
-
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
---- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined. The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
-
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell. Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
deleted file mode 100644
index 4705c46..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy. Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += "${@bb.utils.contains('${PV}', '2.20170805', '${PATCH_2.20170805}', '${PATCH_2.20170204}', d)}"
-
-PATCH_2.20170805 = " \
- file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
- file://refpolicy-unconfined_u-default-user.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
- "
-
-PATCH_2.20170204 = " \
- file://refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch \
- file://refpolicy-unconfined_u-default-user_2.20170204.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition_2.20170204.patch', '', d)} \
- "
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
new file mode 100644
index 0000000..1ecdb4e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
@@ -0,0 +1,35 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy. Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SYSTEMD_REFPOLICY_PATCHES = " \
+ file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+ file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+ file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+ file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+ file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+ file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+ file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+ file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+ file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+ "
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+ file://0001-fix-update-alternatives-for-sysvinit.patch \
+ "
+
+SRC_URI += " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+ "
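Review bot: The DESCRIPTION on lines 3–4 of this new file still promises that users and admins log in with unconfined_t, but the SRC_URI no longer carries refpolicy-unconfined_u-default-user*.patch, which is what mapped root and __default__ to unconfined_u in seusers and granted unconfined_r to the login users (both copies of that patch are deleted earlier in this diff); refpolicy-targeted_git.bb below drops the same entries. Unless the 2.20190201 upstream or a patch outside this chunk supplies that mapping, logins on the targeted variant land in whatever seusers upstream ships and the text misleads anyone relying on it. The removed refpolicy-fix-optional-issue-on-sysadm-module.patch likewise has no visible replacement. Either restore equivalent patches or reword the DESCRIPTION to match the policy actually shipped.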
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index f795bf7..1ecdb4e 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,8 +14,22 @@ POLICY_MLS_SENS = "0"
include refpolicy_${PV}.inc
+SYSTEMD_REFPOLICY_PATCHES = " \
+ file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+ file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+ file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+ file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+ file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+ file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+ file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+ file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+ file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+ "
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+ file://0001-fix-update-alternatives-for-sysvinit.patch \
+ "
+
SRC_URI += " \
- file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
- file://refpolicy-unconfined_u-default-user.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
- "
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+ "
diff --git a/recipes-security/refpolicy/refpolicy_2.20170204.inc b/recipes-security/refpolicy/refpolicy_2.20170204.inc
deleted file mode 100644
index 8b72cbd..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20170204.inc
+++ /dev/null
@@ -1,58 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20170204:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
- file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_sysklogd.patch \
- file://poky-fc-update-alternatives_hostname.patch \
- file://poky-fc-update-alternatives_bash.patch \
- file://poky-fc-fix-real-path_resolv.conf.patch \
- file://poky-fc-fix-real-path_login.patch \
- file://poky-fc-fix-real-path_shadow.patch \
- file://poky-fc-fix-bind.patch \
- file://poky-fc-clock.patch \
- file://poky-fc-dmesg.patch \
- file://poky-fc-fstools.patch \
- file://poky-fc-mta.patch \
- file://poky-fc-netutils.patch \
- file://poky-fc-nscd.patch \
- file://poky-fc-screen.patch \
- file://poky-fc-ssh.patch \
- file://poky-fc-sysnetwork.patch \
- file://poky-fc-udevd.patch \
- file://poky-fc-rpm.patch \
- file://poky-fc-ftpwho-dir.patch \
- file://poky-fc-fix-real-path_su.patch \
- file://refpolicy-update-for_systemd.patch \
- "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
- file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
- file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
- file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
- file://poky-policy-add-rules-for-var-cache-symlink.patch \
- file://poky-policy-add-rules-for-tmp-symlink.patch \
- file://poky-policy-add-rules-for-bsdpty_device_t.patch \
- file://poky-policy-don-t-audit-tty_device_t.patch \
- file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
- file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
- file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
- file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
- file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
- "
-
-# Other policy fixes
-SRC_URI += " \
- file://poky-policy-fix-seutils-manage-config-files.patch \
- file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
- file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
- file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
- "
-
-include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc b/recipes-security/refpolicy/refpolicy_2.20190201.inc
new file mode 100644
index 0000000..fa61fc5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -0,0 +1,7 @@
+SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
+SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
+
+include refpolicy_common.inc
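Review bot: The md5sum and sha256sum on the second and third lines are byte-identical to those in the deleted refpolicy_2.20170204.inc, while SRC_URI now points at refpolicy-2.20190201.tar.bz2 under a different upstream project path. Two distinct release tarballs cannot share both digests, so either the fetch fails checksum verification or the values were never regenerated and the build cannot verify the policy source it downloads. Recompute both from the real 2.20190201 archive (`SRC_URI[md5sum] = "<md5 of refpolicy-2.20190201.tar.bz2>"`, and the sha256 likewise) and confirm the SELinuxProject URL actually serves that file. The hard-coded `refpolicy-2.20190201` in FILESEXTRAPATHS_prepend could also be written `refpolicy-${PV}` for consistency with the targeted recipe.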
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 2ce02ac..137ccee 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,6 +1,6 @@
DEFAULT_ENFORCING ??= "enforcing"
-SECTION = "base"
+SECTION = "admin"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
@@ -9,11 +9,51 @@ PROVIDES += "virtual/refpolicy"
RPROVIDES_${PN} += "refpolicy"
# Specific config files for Poky
-SRC_URI += "file://customizable_types \
- file://setrans-mls.conf \
- file://setrans-mcs.conf \
+SRC_URI += "file://customizable_types \
+ file://setrans-mls.conf \
+ file://setrans-mcs.conf \
"
+# Base patches applied to all Yocto-based platforms. Your own version of
+# refpolicy should provide a version of these and place them in your own
+# refpolicy-${PV} directory.
+SRC_URI += " \
+ file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+ file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+ file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
+ file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+ file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+ file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+ file://0007-fc-login-apply-login-context-to-login.shadow.patch \
+ file://0008-fc-bind-fix-real-path-for-bind.patch \
+ file://0009-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
+ file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+ file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0015-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0016-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
+ file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
+ file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
+ file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
+ file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
+ file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
+ file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
+ file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
+ file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
+ file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
+ file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
+ file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
+ file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
+ file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
+ file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
+ file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
+ file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
+ file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+ "
+
S = "${WORKDIR}/refpolicy"
CONFFILES_${PN} += "${sysconfdir}/selinux/config"
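Review bot: Two entries in the patch list that this hunk makes unconditional for every refpolicy version including this file deserve a justification comment next to them: `0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch`, which by its name suppresses audit records for accesses to tty_device_t, and `0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch`, which by its name lets the nfsd domain execute shell commands. Both relax either the confinement or the denial visibility that the reference policy provides, and the header comment only says these are "base patches applied to all Yocto-based platforms" without saying which Yocto behaviour requires them. A line above the list such as `# 0023/0024 relax upstream policy (dontaudit tty_device_t, nfsd_t shell exec) for Yocto's init/nfs setup; reconsider before reusing in a hardened image` would let downstream layers decide whether to carry them. The patch contents are not part of this diff, so the description of what they do is inferred from the file names.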
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index b2fd638..8aeaf27 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,58 +1,9 @@
-PV = "2.20170805+git${SRCPV}"
+PV = "2.20190201+git${SRCPV}"
-SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
-SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "794ed7efd0eca19d0353659a1ec9d4ef4e4b751c"
-SRCREV_refpolicy-contrib ?= "a393275a6ecb76311323726a029767a3a01e109e"
-SRCREV_FORMAT = "refpolicy.refpolicy-contrib"
+SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
- file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_hostname.patch \
- file://poky-fc-update-alternatives_bash.patch \
- file://poky-fc-fix-real-path_resolv.conf.patch \
- file://poky-fc-fix-real-path_login.patch \
- file://poky-fc-fix-real-path_shadow.patch \
- file://poky-fc-fix-bind.patch \
- file://poky-fc-clock.patch \
- file://poky-fc-dmesg.patch \
- file://poky-fc-fstools.patch \
- file://poky-fc-mta.patch \
- file://poky-fc-screen.patch \
- file://poky-fc-ssh.patch \
- file://poky-fc-sysnetwork.patch \
- file://poky-fc-udevd.patch \
- file://poky-fc-rpm.patch \
- file://poky-fc-fix-real-path_su.patch \
- file://refpolicy-update-for_systemd.patch \
- "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
- file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
- file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
- file://poky-policy-add-rules-for-var-cache-symlink.patch \
- file://poky-policy-add-rules-for-tmp-symlink.patch \
- file://poky-policy-add-rules-for-bsdpty_device_t.patch \
- file://poky-policy-don-t-audit-tty_device_t.patch \
- file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
- file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
- file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
- file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
- file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
- "
-
-# Other policy fixes
-SRC_URI += " \
- file://poky-policy-fix-seutils-manage-config-files.patch \
- file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
- file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
- file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
- "
-
include refpolicy_common.inc
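Review bot: The rewritten SRC_URI on the fourth added line keeps `protocol=git`, so the clone runs over the unauthenticated git:// transport; the sha1 in `SRCREV_refpolicy` still pins what gets built, but it is set with `?=`, so a layer can override it with a branch name, at which point nothing beyond DNS authenticates the source. Fetching over TLS costs nothing here: `SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"`. Separately, the `refpolicy-contrib` repository and `SRCREV_FORMAT` are dropped without explanation; if that is because contrib was folded into the main repository at this revision, a one-line comment saying so would save the next reader a search.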