-rw-r--r--.gitignore7
-rw-r--r--MAINTAINERS18
-rw-r--r--README14
-rw-r--r--SELinux-FAQ8
-rw-r--r--classes/enable-audit.bbclass2
-rw-r--r--classes/enable-selinux.bbclass3
-rw-r--r--classes/meson-selinux.bbclass4
-rw-r--r--classes/selinux-image.bbclass32
-rw-r--r--classes/selinux.bbclass4
-rw-r--r--classes/with-audit.bbclass5
-rw-r--r--classes/with-selinux.bbclass4
-rw-r--r--conf/layer.conf11
-rw-r--r--dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian (renamed from networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian)0
-rw-r--r--dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend (renamed from networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend)0
-rw-r--r--dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc1
-rw-r--r--meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend1
-rw-r--r--networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc1
-rw-r--r--recipes-connectivity/bind/bind_selinux.inc9
-rw-r--r--recipes-connectivity/bind/files/volatiles.04_bind4
-rw-r--r--recipes-connectivity/dhcp/dhcp_selinux.inc3
-rw-r--r--recipes-connectivity/dhcp/files/init-server52
-rw-r--r--recipes-connectivity/iproute2/iproute2_%.bbappend2
-rw-r--r--recipes-connectivity/openssh/openssh_selinux.inc11
-rw-r--r--recipes-core/base-files/base-files_%.bbappend1
-rw-r--r--recipes-core/base-files/base-files_selinux.inc13
-rw-r--r--recipes-core/busybox/busybox_selinux.inc20
-rw-r--r--recipes-core/coreutils/coreutils_%.bbappend3
-rw-r--r--recipes-core/dbus/dbus_%.bbappend2
-rw-r--r--recipes-core/eudev/eudev_selinux.inc2
-rw-r--r--recipes-core/eudev/files/init66
-rw-r--r--recipes-core/eudev/files/udev-cache32
-rw-r--r--recipes-core/glib-2.0/glib-2.0_%.bbappend2
-rw-r--r--recipes-core/initscripts/initscripts-1.0_selinux.inc6
-rw-r--r--recipes-core/libcgroup/libcgroup_%.bbappend1
-rw-r--r--recipes-core/libcgroup/libcgroup_selinux.inc10
-rw-r--r--recipes-core/systemd/systemd_selinux.inc4
-rw-r--r--recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch71
-rw-r--r--recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc11
-rw-r--r--recipes-core/sysvinit/sysvinit_3.%.bbappend (renamed from recipes-core/sysvinit/sysvinit_2.88dsf.bbappend)2
-rw-r--r--recipes-core/sysvinit/sysvinit_selinux.inc (renamed from recipes-extended/logrotate/logrotate_selinux.inc)0
-rw-r--r--recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch28
-rw-r--r--recipes-core/util-linux/util-linux_%.bbappend2
-rw-r--r--recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend1
-rw-r--r--recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc3
-rw-r--r--recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch20
-rw-r--r--recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch45
-rw-r--r--recipes-devtools/python/files/sitecustomize.py26
-rw-r--r--recipes-devtools/python/python-ipy_0.83.bb32
-rw-r--r--recipes-devtools/python/python_%.bbappend1
-rw-r--r--recipes-devtools/python/python_selinux.inc5
-rw-r--r--recipes-devtools/rpm/rpm_selinux.inc3
-rw-r--r--recipes-extended/at/at_%.bbappend2
-rw-r--r--recipes-extended/cronie/cronie_%.bbappend3
-rw-r--r--recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch499
-rw-r--r--recipes-extended/findutils/findutils_%.bbappend (renamed from recipes-devtools/prelink/prelink_git.bbappend)0
-rw-r--r--recipes-extended/findutils/findutils_4.6.%.bbappend1
-rw-r--r--recipes-extended/logrotate/logrotate_%.bbappend1
-rw-r--r--recipes-extended/lsof/lsof_selinux.inc2
-rw-r--r--recipes-extended/net-tools/files/netstat-selinux-support.patch244
-rw-r--r--recipes-extended/net-tools/net-tools_selinux.inc15
-rw-r--r--recipes-extended/pam/libpam_selinux.inc3
-rw-r--r--recipes-extended/sed/sed_4.%.bbappend (renamed from recipes-extended/parted/parted_%.bbappend)0
-rw-r--r--recipes-extended/sed/sed_4.2.2.bbappend1
-rw-r--r--recipes-extended/shadow/shadow_selinux.inc7
-rw-r--r--recipes-extended/sudo/sudo_%.bbappend2
-rw-r--r--[-rwxr-xr-x]recipes-extended/sysklogd/files/sysklogd52
-rw-r--r--recipes-extended/sysklogd/sysklogd_selinux.inc2
-rw-r--r--recipes-extended/tar/tar_selinux.inc4
-rw-r--r--recipes-graphics/mesa/mesa_%.bbappend4
-rw-r--r--recipes-graphics/mesa/mesa_selinux.inc6
-rw-r--r--recipes-graphics/xcb/libxcb_selinux.inc6
-rw-r--r--recipes-graphics/xorg-lib/libxcb_%.bbappend (renamed from recipes-graphics/xcb/libxcb_%.bbappend)0
-rw-r--r--recipes-graphics/xorg-lib/libxcb_selinux.inc5
-rw-r--r--recipes-kernel/linux/files/selinux.cfg3
-rw-r--r--recipes-kernel/linux/linux-yocto_%.bbappend (renamed from recipes-connectivity/dhcp/dhcp_%.bbappend)0
-rw-r--r--recipes-kernel/linux/linux-yocto_4.%.bbappend1
-rw-r--r--recipes-kernel/linux/linux-yocto_5.%.bbappend1
-rw-r--r--recipes-kernel/linux/linux-yocto_selinux.inc2
-rw-r--r--recipes-kernel/perf/perf_selinux.inc2
-rw-r--r--recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch47
-rw-r--r--recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch134
-rw-r--r--recipes-security/audit/audit/audit-python-configure.patch46
-rw-r--r--recipes-security/audit/audit/audit-python.patch62
-rw-r--r--recipes-security/audit/audit/audit-volatile.conf1
-rwxr-xr-xrecipes-security/audit/audit/auditd153
-rw-r--r--recipes-security/audit/audit/auditd.service20
-rw-r--r--recipes-security/audit/audit/fix-swig-host-contamination.patch58
-rw-r--r--recipes-security/audit/audit_2.8.4.bb106
-rw-r--r--recipes-security/packagegroups/packagegroup-core-selinux.bb5
-rw-r--r--recipes-security/packagegroups/packagegroup-selinux-minimal.bb4
-rw-r--r--recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb4
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch68
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch54
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch121
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch96
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch103
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch109
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch70
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch123
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch77
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch45
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch41
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch67
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch53
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch68
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch54
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch121
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch96
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch103
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch110
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch70
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch26
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch76
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch123
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch77
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch45
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch41
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb11
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb81
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_git.bb105
-rw-r--r--recipes-security/refpolicy/refpolicy-mls_2.20190201.bb10
-rw-r--r--recipes-security/refpolicy/refpolicy-standard_2.20190201.bb8
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb35
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_git.bb22
-rw-r--r--recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch (renamed from recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch (renamed from recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch)40
-rw-r--r--recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch81
-rw-r--r--recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch (renamed from recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch40
-rw-r--r--recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch)17
-rw-r--r--recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch)19
-rw-r--r--recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch)15
-rw-r--r--recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch)43
-rw-r--r--recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch)15
-rw-r--r--recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch)62
-rw-r--r--recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch)44
-rw-r--r--recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch50
-rw-r--r--recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch40
-rw-r--r--recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch64
-rw-r--r--recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch91
-rw-r--r--recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch (renamed from recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch)17
-rw-r--r--recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch)34
-rw-r--r--recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch41
-rw-r--r--recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch)13
-rw-r--r--recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch34
-rw-r--r--recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch43
-rw-r--r--recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch43
-rw-r--r--recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch91
-rw-r--r--recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch104
-rw-r--r--recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch38
-rw-r--r--recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch35
-rw-r--r--recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch40
-rw-r--r--recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch76
-rw-r--r--recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch63
-rw-r--r--recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch91
-rw-r--r--recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch (renamed from recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch)19
-rw-r--r--recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch40
-rw-r--r--recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch39
-rw-r--r--recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch42
-rw-r--r--recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20190201.inc7
-rw-r--r--recipes-security/refpolicy/refpolicy_common.inc314
-rw-r--r--recipes-security/refpolicy/refpolicy_git.inc10
-rw-r--r--recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service (renamed from recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service)2
-rw-r--r--recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh (renamed from recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh)9
-rw-r--r--recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb (renamed from recipes-security/selinux/selinux-autorelabel_0.1.bb)8
-rw-r--r--recipes-security/selinux-scripts/selinux-init/selinux-init.service (renamed from recipes-security/selinux/selinux-init/selinux-init.service)2
-rw-r--r--recipes-security/selinux-scripts/selinux-init/selinux-init.sh (renamed from recipes-security/selinux/selinux-init/selinux-init.sh)14
-rw-r--r--recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit14
-rw-r--r--recipes-security/selinux-scripts/selinux-init_0.1.bb (renamed from recipes-security/selinux/selinux-init_0.1.bb)10
-rw-r--r--recipes-security/selinux-scripts/selinux-initsh.inc41
-rw-r--r--recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service (renamed from recipes-security/selinux/selinux-labeldev/selinux-labeldev.service)2
-rw-r--r--recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh (renamed from recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh)0
-rw-r--r--recipes-security/selinux-scripts/selinux-labeldev_0.1.bb (renamed from recipes-security/selinux/selinux-labeldev_0.1.bb)2
-rw-r--r--recipes-security/selinux/checkpolicy_2.8.bb7
-rw-r--r--recipes-security/selinux/checkpolicy_3.6.bb (renamed from recipes-security/selinux/checkpolicy.inc)17
-rw-r--r--recipes-security/selinux/libselinux-python_3.6.bb57
-rw-r--r--recipes-security/selinux/libselinux.inc44
-rw-r--r--recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch28
-rw-r--r--recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch28
-rw-r--r--recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch52
-rw-r--r--recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch40
-rw-r--r--recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch33
-rw-r--r--recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch26
-rw-r--r--recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch99
-rw-r--r--recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch38
-rw-r--r--recipes-security/selinux/libselinux_2.8.bb15
-rw-r--r--recipes-security/selinux/libselinux_3.6.bb33
-rw-r--r--recipes-security/selinux/libsemanage.inc47
-rw-r--r--recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch28
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch12
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch38
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch33
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch10
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch26
-rw-r--r--recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch39
-rw-r--r--recipes-security/selinux/libsemanage_2.8.bb18
-rw-r--r--recipes-security/selinux/libsemanage_3.6.bb56
-rw-r--r--recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch29
-rw-r--r--recipes-security/selinux/libsepol_2.8.bb9
-rw-r--r--recipes-security/selinux/libsepol_3.6.bb (renamed from recipes-security/selinux/libsepol.inc)11
-rw-r--r--recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch25
-rw-r--r--recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch (renamed from recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch)14
-rw-r--r--recipes-security/selinux/mcstrans_2.8.bb7
-rw-r--r--recipes-security/selinux/mcstrans_3.6.bb (renamed from recipes-security/selinux/mcstrans.inc)34
-rw-r--r--recipes-security/selinux/policycoreutils.inc182
-rw-r--r--recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch16
-rw-r--r--recipes-security/selinux/policycoreutils_2.8.bb8
-rw-r--r--recipes-security/selinux/policycoreutils_3.6.bb179
-rw-r--r--recipes-security/selinux/restorecond.inc24
-rw-r--r--recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch43
-rw-r--r--recipes-security/selinux/restorecond_2.8.bb7
-rw-r--r--recipes-security/selinux/restorecond_3.6.bb37
-rw-r--r--recipes-security/selinux/secilc_2.8.bb7
-rw-r--r--recipes-security/selinux/secilc_3.6.bb (renamed from recipes-security/selinux/secilc.inc)10
-rw-r--r--recipes-security/selinux/selinux-dbus_2.8.bb7
-rw-r--r--recipes-security/selinux/selinux-dbus_3.6.bb (renamed from recipes-security/selinux/selinux-dbus.inc)12
-rw-r--r--recipes-security/selinux/selinux-gui_2.8.bb7
-rw-r--r--recipes-security/selinux/selinux-gui_3.6.bb (renamed from recipes-security/selinux/selinux-gui.inc)13
-rw-r--r--recipes-security/selinux/selinux-initsh.inc35
-rw-r--r--recipes-security/selinux/selinux-python.inc108
-rw-r--r--recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch30
-rw-r--r--recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch29
-rw-r--r--recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch47
-rw-r--r--recipes-security/selinux/selinux-python_2.8.bb7
-rw-r--r--recipes-security/selinux/selinux-python_3.6.bb122
-rw-r--r--recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch11
-rw-r--r--recipes-security/selinux/selinux-sandbox_2.8.bb7
-rw-r--r--recipes-security/selinux/selinux-sandbox_3.6.bb (renamed from recipes-security/selinux/selinux-sandbox.inc)25
-rw-r--r--recipes-security/selinux/selinux_20180524.inc5
-rw-r--r--recipes-security/selinux/selinux_common.inc22
-rw-r--r--recipes-security/selinux/semodule-utils_2.8.bb7
-rw-r--r--recipes-security/selinux/semodule-utils_3.6.bb (renamed from recipes-security/selinux/semodule-utils.inc)18
-rw-r--r--recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch105
-rw-r--r--recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch35
-rw-r--r--recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch34
-rw-r--r--recipes-security/setools/setools_4.1.1.bb37
-rw-r--r--recipes-security/setools/setools_4.4.4.bb38
-rw-r--r--recipes-support/attr/attr_selinux.inc4
-rw-r--r--recipes-support/gnupg/gnupg_selinux.inc3
-rw-r--r--recipes-support/libpcre/libpcre_%.bbappend1
-rw-r--r--recipes-support/libpcre/libpcre_selinux.inc18
-rw-r--r--virtualization-layer/recipes-containers/lxc/lxc_%.bbappend1
313 files changed, 3499 insertions, 8001 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c01df45
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*.pyc
+*.pyo
+/*.patch
+*.swp
+*.orig
+*.rej
+*~
diff --git a/MAINTAINERS b/MAINTAINERS
index ec7fddd..016f325 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1,7 +1,14 @@
This file contains a list of maintainers for the meta-selinux layer.
Please submit any patches against meta-selinux to the Yocto Project mailing
-list (yocto@yoctoproject.org).
+list (yocto-patches@lists.yoctoproject.org).
+
+git send-email -1 --to yocto-patches@lists.yoctoproject.org --subject-prefix=meta-selinux][PATCH
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto-patches@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-selinux][PATCH
You may also contact the maintainers directly.
@@ -19,17 +26,12 @@ Please keep this list in alphabetical order.
Maintainers List (try to look for most precise areas first)
COMMON
-M: Joe MacDonald <joe_macdonald@mentor.com>
-F: conf
-F: classes
-F: recipes-*
-
-M: Philip Tricca <flihp@twobit.us>
+M: Joe MacDonald <joe.macdonald@siemens.com>
F: conf
F: classes
F: recipes-*
COMMON
-M: Mark Hatle <mark.hatle@windriver.com>
+M: Yi Zhao <yi.zhao@windriver.com>
F: conf
F: recipes-*
diff --git a/README b/README
index 20e94ca..67708f7 100644
--- a/README
+++ b/README
@@ -38,7 +38,7 @@ layer should not change the system behavior.
In order to use the components in this layer you must add the 'selinux' to the
DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and
pam are also present.
-e.g. DISTRO_FEATURES_append = " acl xattr pam selinux"
+e.g. DISTRO_FEATURES:append = " acl xattr pam selinux"
You must also specify a preferred provider for the virtual/refpolicy. The
included policies with this layer are simply reference policies and will need
@@ -69,12 +69,20 @@ By default selinux enabled images coming up with "sysvinit" as init manager,
we can use "systemd" as an init manager using below changes to local.conf
* enable systemd as init manager changes to local.conf
-DISTRO_FEATURES_remove = " sysvinit"
-DISTRO_FEATURES_append = " systemd"
+DISTRO_FEATURES:remove = " sysvinit"
+DISTRO_FEATURES:append = " systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
+Enable labeling on first boot
+----------------------------
+By default, the system will label selinux contexts during build. To enable
+labeling on first boot. Set FIRST_BOOT_RELABEL to 1 in local.conf:
+
+FIRST_BOOT_RELABEL = "1"
+
+
Starting up the system
----------------------
Most likely the reference policy selected will not just work "out of the box".
diff --git a/SELinux-FAQ b/SELinux-FAQ
index b6a0df9..2ae6649 100644
--- a/SELinux-FAQ
+++ b/SELinux-FAQ
@@ -47,7 +47,6 @@ controls could be added to an operating system.
To enable SELinux features, this layers has done these works:
* new DISTRO_FEATURES "selinux" defined
- * new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux"
* config file for Linux kernel to enable SELinux
* recipes for SELinux userland libraries and tools
* package group (packagegroup-core-selinux) for SELinux userland packages
@@ -67,7 +66,7 @@ After init Poky build environment, please follow these steps:
1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file.
- 2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux"
+ 2. Add DISTRO_FEATURES:append=" acl xattr pam selinux"
in BUILDDIR/conf/local.conf file.
3. Build the default selinux image.
@@ -81,7 +80,7 @@ the following steps:
1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file
- 2. Add DISTRO_FEATURES_append=" pam selinux" in BUILDDIR/conf/local.conf
+ 2. Add DISTRO_FEATURES:append=" pam selinux" in BUILDDIR/conf/local.conf
file.
3. Add packagegroup-core-selinux to your custom image.
@@ -94,7 +93,6 @@ the following steps:
$ bitbake core-image-custom
-
==============================================================================
3 - Using SELinux
@@ -109,7 +107,7 @@ Alternatively, you can add "selinux=0" to your kernel boot parameters. It is
not recommended but useful on some testing situations.
For example, when you are using qemu targets,
- $ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0"
+ $ runqemu qemumips core-image-selinux nographic bootparams="selinux=0"
The initial filesystem relabel step requires considerable memory and can result
in unexpected, sometimes impossible to reproduce, failures if an OOM condition
diff --git a/classes/enable-audit.bbclass b/classes/enable-audit.bbclass
index 4538b0b..17bcc8e 100644
--- a/classes/enable-audit.bbclass
+++ b/classes/enable-audit.bbclass
@@ -1,4 +1,4 @@
# There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled.
inherit selinux
-PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}"
+PACKAGECONFIG:append = " ${@target_selinux(d, 'audit')}"
diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass
index de2a124..3dc61d6 100644
--- a/classes/enable-selinux.bbclass
+++ b/classes/enable-selinux.bbclass
@@ -1,4 +1,3 @@
inherit selinux
-PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
+PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}"
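Review bot: Dropping `PACKAGECONFIG[selinux]` from this class means a recipe that inherits `enable-selinux` now gets `selinux` appended to PACKAGECONFIG with no flag definition unless the recipe (or its `_selinux.inc`) provides one; several bbappends in this series (iproute2, coreutils, util-linux, glib-2.0) switch to this class without adding a definition, so presumably the oe-core recipes already define it — worth verifying, since an option with no `PACKAGECONFIG[...]` flag is reported by the `invalid-packageconfig` QA check. A one-line comment would save the next reader the search: `# PACKAGECONFIG[selinux] must be defined by the recipe; this class only toggles the option on when the selinux DISTRO_FEATURE is set.`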
diff --git a/classes/meson-selinux.bbclass b/classes/meson-selinux.bbclass
deleted file mode 100644
index 77a763a..0000000
--- a/classes/meson-selinux.bbclass
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit selinux
-
-PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 7f157d3..b4f9321 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -1,15 +1,29 @@
-selinux_set_labels () {
- POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
- if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
- then
- echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image.
- touch ${IMAGE_ROOTFS}/.autorelabel
- exit 0
+selinux_set_labels() {
+ if [ -f ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config ]; then
+ POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
+ if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
+ then
+ bbwarn "Failed to set security contexts. Restoring security contexts will run on first boot."
+ echo "# first boot relabelling" > ${IMAGE_ROOTFS}/.autorelabel
+ fi
fi
}
-DEPENDS += "policycoreutils-native"
+# The selinux_set_labels function should run as late as possible. Append
+# it to IMAGE_PREPROCESS_COMMAND in RecipePreFinalise event handler,
+# this ensures it is the last function in IMAGE_PREPROCESS_COMMAND.
+python selinux_setlabels_handler() {
+ if not d or 'selinux' not in d.getVar('DISTRO_FEATURES').split():
+ return
-IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
+ if d.getVar('FIRST_BOOT_RELABEL') == '1':
+ return
+
+ d.appendVar('IMAGE_PREPROCESS_COMMAND', ' selinux_set_labels; ')
+ d.appendVarFlag('do_image', 'depends', ' policycoreutils-native:do_populate_sysroot')
+}
+
+addhandler selinux_setlabels_handler
+selinux_setlabels_handler[eventmask] = "bb.event.RecipePreFinalise"
inherit core-image
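Review bot: `d.getVar('DISTRO_FEATURES').split()` in `selinux_setlabels_handler` raises AttributeError when DISTRO_FEATURES is unset, aborting the parse instead of skipping the handler; use `if not d or 'selinux' not in (d.getVar('DISTRO_FEATURES') or '').split():`. In `selinux_set_labels`, a rootfs without `${sysconfdir}/selinux/config` now silently produces an image that is neither labelled nor marked with `.autorelabel`, while the `setfiles` failure path at least warns — an `else` branch with `bbwarn "No ${sysconfdir}/selinux/config in rootfs; security contexts not set"` keeps both failure modes visible. When FIRST_BOOT_RELABEL is 1 the handler returns without creating `.autorelabel`; if another recipe creates it in that case, a comment pointing there would help, since nothing in this class does.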
diff --git a/classes/selinux.bbclass b/classes/selinux.bbclass
index fb0df27..13256d5 100644
--- a/classes/selinux.bbclass
+++ b/classes/selinux.bbclass
@@ -2,8 +2,8 @@ def target_selinux(d, truevar = 'selinux', falsevar = ''):
if not bb.utils.contains("DISTRO_FEATURES", "selinux", True, False, d):
return falsevar
- pn = d.getVar("PN", True)
- type = pn.replace(d.getVar("BPN", True), "")
+ pn = d.getVar("PN")
+ type = pn.replace(d.getVar("BPN"), "")
if type in ("-native", "nativesdk-", "-cross", "-crosssdk"):
return falsevar
diff --git a/classes/with-audit.bbclass b/classes/with-audit.bbclass
deleted file mode 100644
index 0c15312..0000000
--- a/classes/with-audit.bbclass
+++ /dev/null
@@ -1,5 +0,0 @@
-# There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled.
-inherit selinux
-
-PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}"
-PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit,"
diff --git a/classes/with-selinux.bbclass b/classes/with-selinux.bbclass
deleted file mode 100644
index 7873d9b..0000000
--- a/classes/with-selinux.bbclass
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit selinux
-
-PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux,"
diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..4e04e5c 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -5,10 +5,9 @@ BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"
-# Let us add layer-specific bbappends which are only applied when that
-# layer is included in our configuration
-BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
- for layer in BBFILE_COLLECTIONS.split())}"
+BBFILES_DYNAMIC += "networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+ "
BBFILE_COLLECTIONS += "selinux"
BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
@@ -18,9 +17,11 @@ BBFILE_PRIORITY_selinux = "5"
# cause compatibility issues with other layers
LAYERVERSION_selinux = "1"
-LAYERSERIES_COMPAT_selinux = "thud warrior"
+LAYERSERIES_COMPAT_selinux = "scarthgap"
LAYERDEPENDS_selinux = " \
core \
meta-python \
"
+
+PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"
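Review bot: The new default `PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"` contradicts the README text updated earlier in this series, which still says the provider must be specified; either drop that sentence or reword it to say that `refpolicy-targeted` is the default and that `refpolicy-mls`/`refpolicy-standard` must be selected explicitly. Because `??=` is the weakest assignment, a `PREFERRED_PROVIDER` in local.conf or a distro conf still wins, so the only behaviour change is for users who previously relied on the build failing when no provider was set — presumably they now get a targeted policy silently, which is worth a line in the commit message.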
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
index 43fb348..43fb348 100644
--- a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
+++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
index 7719d3b..7719d3b 100644
--- a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
+++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
diff --git a/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
new file mode 100644
index 0000000..8802adb
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
@@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend b/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
deleted file mode 100644
index b01ad25..0000000
--- a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
deleted file mode 100644
index 81fe7b7..0000000
--- a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
+++ /dev/null
@@ -1 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/recipes-connectivity/bind/bind_selinux.inc b/recipes-connectivity/bind/bind_selinux.inc
index 1dfef8a..948a377 100644
--- a/recipes-connectivity/bind/bind_selinux.inc
+++ b/recipes-connectivity/bind/bind_selinux.inc
@@ -1,11 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-SRC_URI += "file://volatiles.04_bind"
-
-do_install_append() {
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.04_bind ${D}${sysconfdir}/default/volatiles/volatiles.04_bind
-
+do_install:append() {
sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a\
[ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key' ${D}${sysconfdir}/init.d/bind
}
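Review bot: The `sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a ...'` does nothing if the bind init script no longer contains that line, so the `restorecon -F /etc/bind/rndc.key` fix would silently vanish on a bind upgrade and named would be left unable to read a mislabelled key; guard it with `grep -q '^\s*/usr/sbin/rndc-confgen' ${D}${sysconfdir}/init.d/bind || bbfatal "bind init script: rndc-confgen line not found"` before the sed. The inserted line `[ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key` also returns non-zero when restorecon is absent, which aborts the script if it runs under `set -e`; the `test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/bind/rndc.key` form used in the initscripts hunk of this same series avoids that.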
diff --git a/recipes-connectivity/bind/files/volatiles.04_bind b/recipes-connectivity/bind/files/volatiles.04_bind
deleted file mode 100644
index c6a8151..0000000
--- a/recipes-connectivity/bind/files/volatiles.04_bind
+++ /dev/null
@@ -1,4 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/run/named none
-d root root 0755 /var/run/bind/run none
-d root root 0755 /var/cache/bind none
diff --git a/recipes-connectivity/dhcp/dhcp_selinux.inc b/recipes-connectivity/dhcp/dhcp_selinux.inc
deleted file mode 100644
index 08389f1..0000000
--- a/recipes-connectivity/dhcp/dhcp_selinux.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-inherit selinux
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/recipes-connectivity/dhcp/files/init-server b/recipes-connectivity/dhcp/files/init-server
deleted file mode 100644
index a0e901a..0000000
--- a/recipes-connectivity/dhcp/files/init-server
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-#
-# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $
-#
-
-test -f /usr/sbin/dhcpd || exit 0
-
-# It is not safe to start if we don't have a default configuration...
-if [ ! -f /etc/default/dhcp-server ]; then
- echo "/etc/default/dhcp-server does not exist! - Aborting..."
- exit 0
-fi
-
-# Read init script configuration (so far only interfaces the daemon
-# should listen on.)
-. /etc/default/dhcp-server
-
-# Restorecon for /var/lib/dhcp/{dhcpd.leases,dhcpd6.leases}
-restorecon_dhcpd_leases(){
- test ! -x /sbin/restorecon || for x in dhcpd.leases dhcpd6.leases; do
- [ -f /var/lib/dhcp/$x ] && /sbin/restorecon -F /var/lib/dhcp/$x
- done
-}
-
-case "$1" in
- start)
- echo -n "Starting DHCP server: "
- test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
- test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases
- restorecon_dhcpd_leases
- start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user dhcp -group dhcp
- echo "."
- ;;
- stop)
- echo -n "Stopping DHCP server: dhcpd3"
- start-stop-daemon -K -x /usr/sbin/dhcpd
- echo "."
- ;;
- restart | force-reload)
- $0 stop
- sleep 2
- $0 start
- if [ "$?" != "0" ]; then
- exit 1
- fi
- ;;
- *)
- echo "Usage: /etc/init.d/dhcp-server {start|stop|restart|force-reload}"
- exit 1
-esac
-
-exit 0
diff --git a/recipes-connectivity/iproute2/iproute2_%.bbappend b/recipes-connectivity/iproute2/iproute2_%.bbappend
index b01ad25..74e22b3 100644
--- a/recipes-connectivity/iproute2/iproute2_%.bbappend
+++ b/recipes-connectivity/iproute2/iproute2_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-connectivity/openssh/openssh_selinux.inc b/recipes-connectivity/openssh/openssh_selinux.inc
index ebd2721..07c25c5 100644
--- a/recipes-connectivity/openssh/openssh_selinux.inc
+++ b/recipes-connectivity/openssh/openssh_selinux.inc
@@ -1,9 +1,6 @@
-inherit with-selinux
+inherit enable-selinux enable-audit
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-# There is no distro feature just for audit.
-PACKAGECONFIG_append = " audit"
-
-PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit,"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
+PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit"
diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..f167033
--- /dev/null
+++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}
diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc
new file mode 100644
index 0000000..f2373aa
--- /dev/null
+++ b/recipes-core/base-files/base-files_selinux.inc
@@ -0,0 +1,13 @@
+REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
+
+do_install:append () {
+ if [ -n "${REFPOLICY_TYPE}" ]; then
+ if [ "${REFPOLICY_TYPE}" = "standard" ]; then
+ sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
+ ${D}${sysconfdir}/fstab
+ else
+ sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
+ ${D}${sysconfdir}/fstab
+ fi
+ fi
+}
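Review bot: `REFPOLICY_TYPE` is derived with `.split('-')[1]`, which raises when `PREFERRED_PROVIDER_virtual/refpolicy` is unset (`None.split`) or has no hyphen (IndexError), so the trailing `or ''` never gets a chance to apply; `REFPOLICY_TYPE = "${@(d.getVar('PREFERRED_PROVIDER_virtual/refpolicy') or '').partition('-')[2]}"` yields an empty string in both bad cases and the same value for `refpolicy-<type>`, and the `refpolicy-<type>` naming assumption should be stated in a comment. The sed that adds `rootcontext=` to the /var/volatile line is likewise silent when the fstab line does not match the `/var/volatile tmpfs defaults` pattern, leaving the tmpfs with the default `tmpfs_t` label instead of `var_t`; a `grep -q` check with `bbwarn` would make that visible. A short comment that the `standard` policy has no MLS/MCS sensitivity and therefore gets no `:s0` suffix would explain the otherwise duplicated branch.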
diff --git a/recipes-core/busybox/busybox_selinux.inc b/recipes-core/busybox/busybox_selinux.inc
index cc83b01..740980f 100644
--- a/recipes-core/busybox/busybox_selinux.inc
+++ b/recipes-core/busybox/busybox_selinux.inc
@@ -1,6 +1,6 @@
PTEST_BINDIR = "0"
-FILES_${PN} += "${libdir}/${PN}"
+FILES:${PN} += "${libdir}/${PN}"
# We should use sh wrappers instead of links so the commands could get correct
# security labels
@@ -8,9 +8,9 @@ python create_sh_wrapper_reset_alternative_vars () {
# We need to load the full set of busybox provides from the /etc/busybox.links
# Use this to see the update-alternatives with the right information
- dvar = d.getVar('D', True)
- pn = d.getVar('PN', True)
- base_bindir = d.getVar('base_bindir', True)
+ dvar = d.getVar('PKGD')
+ pn = d.getVar('PN')
+ base_bindir = d.getVar('base_bindir')
def create_sh_alternative_vars(links, target, mode):
import shutil
@@ -20,7 +20,7 @@ python create_sh_wrapper_reset_alternative_vars () {
os.fchmod(fwp.fileno(), mode)
fwp.close()
# Install the sh wrappers and alternatives reset to link to them
- wpdir = os.path.join(d.getVar('libdir', True), pn)
+ wpdir = os.path.join(d.getVar('libdir'), pn)
wpdir_dest = '%s%s' % (dvar, wpdir)
if not os.path.exists(wpdir_dest):
os.makedirs(wpdir_dest)
@@ -39,7 +39,7 @@ python create_sh_wrapper_reset_alternative_vars () {
# Match coreutils
if alt_name == '[':
alt_name = 'lbracket'
- d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+ d.appendVar('ALTERNATIVE:%s' % (pn), ' ' + alt_name)
d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
if os.path.exists(alt_wppath_dest):
d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
@@ -55,12 +55,12 @@ python create_sh_wrapper_reset_alternative_vars () {
create_sh_alternative_vars("/etc/busybox.links.suid", "%s/busybox.suid" % base_bindir, 0o4755)
}
-# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
-# do_package_prepend() section of busybox_*.bb.
-PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+# Add to PACKAGE_PREPROCESS_FUNCS so it could override the alternatives, which are set in
+# do_package:prepend() section of busybox_*.bb.
+PACKAGE_PREPROCESS_FUNCS:prepend = "create_sh_wrapper_reset_alternative_vars "
# Use sh wrappers instead of links
-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
# This part of code is dedicated to the on target upgrade problem.
# It's known that if we don't make appropriate symlinks before update-alternatives calls,
# there will be errors indicating missing commands such as 'sed'.
diff --git a/recipes-core/coreutils/coreutils_%.bbappend b/recipes-core/coreutils/coreutils_%.bbappend
index 7b9a2dc..74e22b3 100644
--- a/recipes-core/coreutils/coreutils_%.bbappend
+++ b/recipes-core/coreutils/coreutils_%.bbappend
@@ -1,2 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
-
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-core/dbus/dbus_%.bbappend b/recipes-core/dbus/dbus_%.bbappend
index ee221e2..fe51e54 100644
--- a/recipes-core/dbus/dbus_%.bbappend
+++ b/recipes-core/dbus/dbus_%.bbappend
@@ -1,2 +1,2 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)}
diff --git a/recipes-core/eudev/eudev_selinux.inc b/recipes-core/eudev/eudev_selinux.inc
index 2ad6b13..94950f5 100644
--- a/recipes-core/eudev/eudev_selinux.inc
+++ b/recipes-core/eudev/eudev_selinux.inc
@@ -1,3 +1,3 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
inherit enable-selinux
diff --git a/recipes-core/eudev/files/init b/recipes-core/eudev/files/init
index ee64f86..daa4079 100644
--- a/recipes-core/eudev/files/init
+++ b/recipes-core/eudev/files/init
@@ -3,7 +3,7 @@
### BEGIN INIT INFO
# Provides: udev
# Required-Start: mountvirtfs
-# Required-Stop:
+# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description: Start udevd, populate /dev and load drivers.
@@ -14,23 +14,10 @@ export TZ=/etc/localtime
[ -d /sys/class ] || exit 1
[ -r /proc/mounts ] || exit 1
[ -x @UDEVD@ ] || exit 1
-if [ "$use_udev_cache" != "" ]; then
- [ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
-fi
+
[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
[ -f /etc/default/rcS ] && . /etc/default/rcS
-readfiles () {
- READDATA=""
- for filename in $@; do
- if [ -r $filename ]; then
- while read line; do
- READDATA="$READDATA$line"
- done < $filename
- fi
- done
-}
-
kill_udevd () {
pid=`pidof -x udevd`
[ -n "$pid" ] && kill $pid
@@ -59,58 +46,27 @@ case "$1" in
# the automount rule for udev needs /tmp directory available, as /tmp is a symlink
# to /var/tmp which in turn is a symlink to /var/volatile/tmp, we need to make sure
# /var/volatile/tmp directory to be available.
- mkdir -p /var/volatile/tmp
+ mkdir -m 1777 -p /var/volatile/tmp
# restorecon /run early to allow mdadm creating dir /run/mdadm
test ! -x /sbin/restorecon || /sbin/restorecon -F /run
- # Cache handling.
- # A list of files which are used as a criteria to judge whether the udev cache could be reused.
- CMP_FILE_LIST="/proc/version /proc/cmdline /proc/devices /proc/atags"
- if [ "$use_udev_cache" != "" ]; then
- if [ "$DEVCACHE" != "" ]; then
- if [ -e $DEVCACHE ]; then
- readfiles $CMP_FILE_LIST
- NEWDATA="$READDATA"
- readfiles /etc/udev/cache.data
- OLDDATA="$READDATA"
- if [ "$OLDDATA" = "$NEWDATA" ]; then
- tar --directory=/ -xf $DEVCACHE > /dev/null 2>&1
- not_first_boot=1
- [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE"
- [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache
- else
- # Output detailed reason why the cached /dev is not used
- if [ "$VERBOSE" != "no" ]; then
- echo "udev: udev cache not used"
- echo "udev: we use $CMP_FILE_LIST as criteria to judge whether the cache /dev could be resued"
- echo "udev: olddata: $OLDDATA"
- echo "udev: newdata: $NEWDATA"
- fi
- echo "$NEWDATA" > /dev/shm/udev.cache
- fi
- else
- if [ "$ROOTFS_READ_ONLY" != "yes" ]; then
- # If rootfs is not read-only, it's possible that a new udev cache would be generated;
- # otherwise, we do not bother to read files.
- readfiles $CMP_FILE_LIST
- echo "$READDATA" > /dev/shm/udev.cache
- fi
- fi
- fi
- fi
-
# make_extra_nodes
kill_udevd > "/dev/null" 2>&1
# trigger the sorted events
- echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug
+ [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug
@UDEVD@ -d
udevadm control --env=STARTUP=1
if [ "$not_first_boot" != "" ];then
- udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform
- (udevadm settle --timeout=10; udevadm control --env=STARTUP=)&
+ if [ "$PROBE_PLATFORM_BUS" != "yes" ]; then
+ PLATFORM_BUS_NOMATCH="--subsystem-nomatch=platform"
+ else
+ PLATFORM_BUS_NOMATCH=""
+ fi
+ udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux $PLATFORM_BUS_NOMATCH
+ (udevadm settle --timeout=3; udevadm control --env=STARTUP=)&
else
udevadm trigger --action=add
udevadm settle
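Review bot: After the cache handling is removed, nothing left in this script sets `not_first_boot`, so the `if [ "$not_first_boot" != "" ]` branch holding the new PROBE_PLATFORM_BUS logic is unreachable unless `/etc/udev/udev.conf` or `/etc/default/rcS` (sourced above) sets it; either drop the branch or add a comment stating where the variable is expected to come from, e.g. `# not_first_boot and PROBE_PLATFORM_BUS may be set by /etc/udev/udev.conf`. The `case` block this hunk edits starts outside the hunk. The `mkdir -m 1777 -p /var/volatile/tmp` change correctly gives the temp directory the sticky world-writable mode; note `-m` applies only to the final component, so `/var/volatile` itself gets the umask default, which is fine as long as it is already mounted at this point.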
diff --git a/recipes-core/eudev/files/udev-cache b/recipes-core/eudev/files/udev-cache
deleted file mode 100644
index 6898577..0000000
--- a/recipes-core/eudev/files/udev-cache
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -e
-
-### BEGIN INIT INFO
-# Provides: udev-cache
-# Required-Start: mountall
-# Required-Stop:
-# Default-Start: S
-# Default-Stop:
-# Short-Description: cache /dev to speedup the udev next boot
-### END INIT INFO
-
-export TZ=/etc/localtime
-
-[ -r /proc/mounts ] || exit 1
-[ -x @UDEVD@ ] || exit 1
-[ -d /sys/class ] || exit 1
-
-[ -f /etc/default/rcS ] && . /etc/default/rcS
-[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
-
-if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
- [ "$VERBOSE" != "no" ] && echo "udev-cache: read-only rootfs, skip generating udev-cache"
- exit 0
-fi
-
-if [ "$DEVCACHE" != "" -a -e /dev/shm/udev.cache ]; then
- echo "Populating dev cache"
- tar --directory=/ --selinux --xattrs -cf "$DEVCACHE" dev
- mv /dev/shm/udev.cache /etc/udev/cache.data
-fi
-
-exit 0
diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend b/recipes-core/glib-2.0/glib-2.0_%.bbappend
index e5d2f6f..74e22b3 100644
--- a/recipes-core/glib-2.0/glib-2.0_%.bbappend
+++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-core/initscripts/initscripts-1.0_selinux.inc b/recipes-core/initscripts/initscripts-1.0_selinux.inc
index 6e8a9b6..6530a87 100644
--- a/recipes-core/initscripts/initscripts-1.0_selinux.inc
+++ b/recipes-core/initscripts/initscripts-1.0_selinux.inc
@@ -1,10 +1,10 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-do_install_append () {
+do_install:append () {
cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh
touch /var/log/lastlog
test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \
- /etc/resolv.conf /etc/adjtime
+ /etc/resolv.conf /etc/adjtime /tmp /var/tmp /var/log /var/lock /var/run
EOF
sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \
${D}${sysconfdir}/init.d/checkroot.sh
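Review bot: The paths added to the `restorecon -iRF` list — `/tmp`, `/var/tmp`, `/var/lock`, `/var/run` — are on many Yocto images symlinks into `/var/volatile` or `/run` (the eudev init in this same series describes /tmp → /var/tmp → /var/volatile/tmp), and as far as I recall restorecon does not follow symlinks when recursing, so for those the call relabels only the link while the target is already covered by `/var/volatile/` and `/run`; a comment saying the list deliberately covers images where they are real directories would stop the next reader from pruning it. `/var/log` is a real directory here (the preceding `touch /var/log/lastlog` depends on it) and a forced recursive relabel of it on every boot can be slow on a long-lived system; consider whether `-R` on `/var/log` is needed at each boot or only when `/.autorelabel` is pending. The `do_install:append` function this hunk edits continues past the hunk.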
diff --git a/recipes-core/libcgroup/libcgroup_%.bbappend b/recipes-core/libcgroup/libcgroup_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-core/libcgroup/libcgroup_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-core/libcgroup/libcgroup_selinux.inc b/recipes-core/libcgroup/libcgroup_selinux.inc
deleted file mode 100644
index 9d9ebfc..0000000
--- a/recipes-core/libcgroup/libcgroup_selinux.inc
+++ /dev/null
@@ -1,10 +0,0 @@
-EXTRA_OECONF_append_class-native = " --enable-pam=no"
-
-do_install_append() {
- test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || {
- mv -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 ${D}${base_libdir}/security/pam_cgroup.so
- rm -f ${D}${base_libdir}/security/pam_cgroup.so.*
- }
-}
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc
index b17e70a..7d466ee 100644
--- a/recipes-core/systemd/systemd_selinux.inc
+++ b/recipes-core/systemd/systemd_selinux.inc
@@ -1,6 +1,6 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}
+inherit enable-selinux enable-audit
-do_install_append() {
+do_install:append() {
if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then
install -d ${D}${localstatedir}/lib/systemd/backlight
fi
diff --git a/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch b/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch
deleted file mode 100644
index 62703b1..0000000
--- a/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0db0276202094c8d902fc93a18eca453b6211f8a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 12 Apr 2012 10:48:04 +0800
-Subject: [PATCH] sysvinit: Fix is_selinux_enabled() for libselinux
-
-is_selinux_enabled()!=1 means SELinux is disabled by kernel
-or SELinux is enabled but policy is not loaded.
-Only at this time, /sbin/init program should call
-selinux_init_load_policy() to detect whether SELinux is enabled
-and to load SELinux policy.
-
-This is fixed already in the upstream sysvinit,
-http://svn.savannah.nongnu.org/viewvc/sysvinit/trunk/src/init.c?root=sysvinit&r1=72&r2=90
----
- src/init.c | 33 +++++++++++++--------------------
- 1 files changed, 13 insertions(+), 20 deletions(-)
-
-diff --git a/src/init.c b/src/init.c
-index 27532ad..75ccf25 100644
---- a/src/init.c
-+++ b/src/init.c
-@@ -54,10 +54,6 @@
-
- #ifdef WITH_SELINUX
- # include <selinux/selinux.h>
--# include <sys/mount.h>
--# ifndef MNT_DETACH /* present in glibc 2.10, missing in 2.7 */
--# define MNT_DETACH 2
--# endif
- #endif
-
- #ifdef __i386__
-@@ -2869,22 +2865,19 @@ int main(int argc, char **argv)
-
- #ifdef WITH_SELINUX
- if (getenv("SELINUX_INIT") == NULL) {
-- const int rc = mount("proc", "/proc", "proc", 0, 0);
-- if (is_selinux_enabled() > 0) {
-- putenv("SELINUX_INIT=YES");
-- if (rc == 0) umount2("/proc", MNT_DETACH);
-- if (selinux_init_load_policy(&enforce) == 0) {
-- execv(myname, argv);
-- } else {
-- if (enforce > 0) {
-- /* SELinux in enforcing mode but load_policy failed */
-- /* At this point, we probably can't open /dev/console, so log() won't work */
-- fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
-- exit(1);
-- }
-- }
-- }
-- if (rc == 0) umount2("/proc", MNT_DETACH);
-+ if (is_selinux_enabled() != 1) {
-+ if (selinux_init_load_policy(&enforce) == 0) {
-+ putenv("SELINUX_INIT=YES");
-+ execv(myname, argv);
-+ } else {
-+ if (enforce > 0) {
-+ /* SELinux in enforcing mode but load_policy failed */
-+ /* At this point, we probably can't open /dev/console, so log() won't work */
-+ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
-+ exit(1);
-+ }
-+ }
-+ }
- }
- #endif
- /* Start booting. */
---
-1.7.5.4
-
diff --git a/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc b/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc
deleted file mode 100644
index fcfbdb7..0000000
--- a/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-B = "${S}"
-
-SRC_URI += "file://sysvinit-fix-is_selinux_enabled.patch"
-
-inherit selinux
-
-DEPENDS += "${LIBSELINUX}"
-
-EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}"
diff --git a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend b/recipes-core/sysvinit/sysvinit_3.%.bbappend
index 9df30b6..4ec2267 100644
--- a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend
+++ b/recipes-core/sysvinit/sysvinit_3.%.bbappend
@@ -1 +1 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit-2.88dsf_selinux.inc', '', d)}
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit_selinux.inc', '', d)}
diff --git a/recipes-extended/logrotate/logrotate_selinux.inc b/recipes-core/sysvinit/sysvinit_selinux.inc
index 1bdca98..1bdca98 100644
--- a/recipes-extended/logrotate/logrotate_selinux.inc
+++ b/recipes-core/sysvinit/sysvinit_selinux.inc
diff --git a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
deleted file mode 100644
index ab54818..0000000
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
-
-Upstream-Status: Pending
-
-libmount_la_LIBADD contains "-lselinux", this is not a object that
-could consider as a dependency target. So fix this.
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- libmount/src/Makemodule.am | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
-index 494e02a..bf494a4 100644
---- a/libmount/src/Makemodule.am
-+++ b/libmount/src/Makemodule.am
-@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
- -I$(top_srcdir)/libmount/src
-
- libmount_la_DEPENDENCIES = \
-- $(libmount_la_LIBADD) \
-+ libcommon.la libblkid.la \
- libmount/src/libmount.sym \
- libmount/src/libmount.h.in
-
---
-1.7.5.4
-
diff --git a/recipes-core/util-linux/util-linux_%.bbappend b/recipes-core/util-linux/util-linux_%.bbappend
index b01ad25..74e22b3 100644
--- a/recipes-core/util-linux/util-linux_%.bbappend
+++ b/recipes-core/util-linux/util-linux_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc b/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc
deleted file mode 100644
index 9cbb7fe..0000000
--- a/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-SRC_URI += "file://misc_create_inode.c-label_rootfs.patch"
diff --git a/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch b/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
deleted file mode 100644
index b87c414..0000000
--- a/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Add xattr name index for xattrs with the 'security' prefix. These are defined
-in the ext(2|3|4)/xattr.h in the kernel. We use the EXT2 prefix for consistency
-with e2fslibs naming.
-
-Signed-off-by: Philip Tricca <flihp@twobit.us>
-
-Index: e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h
-===================================================================
---- e2fsprogs-1.42.9.orig/lib/ext2fs/ext2_ext_attr.h
-+++ e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h
-@@ -15,6 +15,9 @@
- /* Maximum number of references to one attribute block */
- #define EXT2_EXT_ATTR_REFCOUNT_MAX 1024
-
-+/* Name indexes */
-+#define EXT2_XATTR_INDEX_SECURITY 6
-+
- struct ext2_ext_attr_header {
- __u32 h_magic; /* magic number for identification */
- __u32 h_refcount; /* reference count */
diff --git a/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch b/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch
deleted file mode 100644
index 046e521..0000000
--- a/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Philip Tricca <flihp@twobit.us>
-To: tytso@mit.edu
-Cc: liezhi.yang@windriver.com
-Date: Sat, 20 Feb 2016 18:58:58 +0000
-Subject: [PATCH] misc/create_inode.c: Copy xattrs from root directory when populating fs.
-
-When copying a file system using the -d option the xattrs from the root
-directory need to be copied before the populate_fs recusion starts.
-
-Signed-off-by: Philip Tricca <flihp@twobit.us>
-Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
-
----
- misc/create_inode.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/misc/create_inode.c b/misc/create_inode.c
-index a7b6d348..cfd15922 100644
---- a/misc/create_inode.c
-+++ b/misc/create_inode.c
-@@ -979,6 +979,13 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino,
- return retval;
- }
-
-+ retval = set_inode_xattr(fs, root, source_dir);
-+ if (retval) {
-+ com_err(__func__, retval,
-+ _("while setting xattrs for \"%s\""), source_dir);
-+ goto out;
-+ }
-+
- file_info.path_len = 0;
- file_info.path_max_len = 255;
- file_info.path = calloc(file_info.path_max_len, 1);
-@@ -987,6 +994,7 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino,
- &file_info, fs_callbacks);
-
- free(file_info.path);
-+out:
- free(hdlinks.hdl);
- return retval;
- }
---
-2.11.1
-
diff --git a/recipes-devtools/python/files/sitecustomize.py b/recipes-devtools/python/files/sitecustomize.py
deleted file mode 100644
index d2b71fa..0000000
--- a/recipes-devtools/python/files/sitecustomize.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# OpenEmbedded sitecustomize.py (C) 2002-2008 Michael 'Mickey' Lauer <mlauer@vanille-media.de>
-# GPLv2 or later
-# Version: 20081123
-# Features:
-# * set proper default encoding
-# Features removed for SELinux:
-# * enable readline completion in the interactive interpreter
-# * load command line history on startup
-# * save command line history on exit
-
-import os
-
-def __enableDefaultEncoding():
- import sys
- try:
- sys.setdefaultencoding( "utf8" )
- except LookupError:
- pass
-
-import sys
-try:
- import rlcompleter, readline
-except ImportError:
- pass
-else:
- __enableDefaultEncoding()
diff --git a/recipes-devtools/python/python-ipy_0.83.bb b/recipes-devtools/python/python-ipy_0.83.bb
deleted file mode 100644
index df060fa..0000000
--- a/recipes-devtools/python/python-ipy_0.83.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
-DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks \
-in a fashion similar to perl's Net::IP and friends. The IP class allows \
-a comfortable parsing and handling for most notations in use for IPv4 \
-and IPv6 Addresses and Networks."
-SECTION = "devel/python"
-HOMEPAGE = "https://github.com/haypo/python-ipy"
-DEPENDS = "python"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ebc0028ff5cdaf7796604875027dcd55"
-
-SRC_URI = "https://pypi.python.org/packages/source/I/IPy/IPy-${PV}.tar.gz"
-
-SRC_URI[md5sum] = "7b8c6eb4111b15aea31b67108e769712"
-SRC_URI[sha256sum] = "61da5a532b159b387176f6eabf11946e7458b6df8fb8b91ff1d345ca7a6edab8"
-
-S = "${WORKDIR}/IPy-${PV}"
-
-inherit distutils
-
-# need to export these variables for python-config to work
-export BUILD_SYS
-export HOST_SYS
-export STAGING_INCDIR
-export STAGING_LIBDIR
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
- install -d ${D}/${datadir}/doc/${BPN}-${PV}
- install AUTHORS COPYING ChangeLog README ${D}/${datadir}/doc/${BPN}-${PV}
-}
diff --git a/recipes-devtools/python/python_%.bbappend b/recipes-devtools/python/python_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-devtools/python/python_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-devtools/python/python_selinux.inc b/recipes-devtools/python/python_selinux.inc
deleted file mode 100644
index bb54a90..0000000
--- a/recipes-devtools/python/python_selinux.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-# If selinux enabled, disable handlers to rw command history file
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-inherit selinux
-
diff --git a/recipes-devtools/rpm/rpm_selinux.inc b/recipes-devtools/rpm/rpm_selinux.inc
index 983dda7..8c11cac 100644
--- a/recipes-devtools/rpm/rpm_selinux.inc
+++ b/recipes-devtools/rpm/rpm_selinux.inc
@@ -1,2 +1 @@
-inherit with-selinux
-PACKAGECONFIG[selinux] = "${WITH_SELINUX},${WITHOUT_SELINUX},libsemanage,"
+inherit enable-selinux
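Review bot: Removing the `PACKAGECONFIG[selinux]` line drops `libsemanage` from rpm's build dependencies and nothing in this hunk restores it; unless the `enable-selinux` class or the base rpm recipe defines a `PACKAGECONFIG[selinux]` entry that already lists libsemanage, rpm's SELinux support is now configured without it and the outcome is decided by the base recipe's defaults rather than by this layer. The net-tools and libpam hunks in the same commit keep an explicit `PACKAGECONFIG[selinux]` next to their `inherit enable-selinux`, so this file is now inconsistent with them. If libsemanage is still wanted, keep an explicit entry of the form `PACKAGECONFIG[selinux] = "<enable-flag>,<disable-flag>,libselinux libsemanage"` (placeholders; take the flags from the rpm recipe's own configure options), or add a one-line comment stating where the selinux PACKAGECONFIG definition now comes from.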
diff --git a/recipes-extended/at/at_%.bbappend b/recipes-extended/at/at_%.bbappend
index b01ad25..74e22b3 100644
--- a/recipes-extended/at/at_%.bbappend
+++ b/recipes-extended/at/at_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-extended/cronie/cronie_%.bbappend b/recipes-extended/cronie/cronie_%.bbappend
index cfa56ca..7c3a686 100644
--- a/recipes-extended/cronie/cronie_%.bbappend
+++ b/recipes-extended/cronie/cronie_%.bbappend
@@ -1,2 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-audit', '', d)}
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)}
diff --git a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch b/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
deleted file mode 100644
index 73a9747..0000000
--- a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
+++ /dev/null
@@ -1,499 +0,0 @@
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 21 Jun 2012 17:01:39 +0800
-Subject: [PATCH] findutils: support selinux.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- configure.in | 10 +++++
- doc/find.texi | 12 +++++++
- find/Makefile.am | 2 +-
- find/defs.h | 15 ++++++++-
- find/find.1 | 4 ++
- find/find.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
- find/parser.c | 50 ++++++++++++++++++++++++++--
- find/pred.c | 53 +++++++++++++++++++++++++++++
- find/util.c | 3 ++
- 9 files changed, 240 insertions(+), 6 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 6a20f15..00dd7f8 100644
---- a/configure.in
-+++ b/configure.in
-@@ -101,6 +101,16 @@ dnl C library, try -lsun.
- AC_CHECK_FUNC(getpwnam, [],
- [AC_CHECK_LIB(sun, getpwnam)])
-
-+AC_ARG_WITH([selinux],
-+ AS_HELP_STRING([--without-selinux], [disable SELinux support]),
-+ [:],
-+[AC_CHECK_LIB([selinux], [is_selinux_enabled],
-+ [with_selinux=yes], [with_selinux=no])])
-+if test x$with_selinux != xno; then
-+ AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux])
-+ AC_SUBST([LIBSELINUX], [-lselinux])
-+fi
-+
- dnl Checks for header files.
- AC_HEADER_STDC
- dnl Assume unistd.h is present - coreutils does too.
-diff --git a/doc/find.texi b/doc/find.texi
-index 5b5f0cf..e1ad433 100644
---- a/doc/find.texi
-+++ b/doc/find.texi
-@@ -1091,6 +1091,14 @@ will probably be made in early 2006.
-
- @end deffn
-
-+@deffn Test -context pattern
-+True if file's SELinux context matches the pattern @var{pattern}.
-+The pattern uses shell glob matching.
-+
-+This predicate is supported only on @code{find} versions compiled with
-+SELinux support and only when SELinux is enabled.
-+@end deffn
-+
- @node Contents
- @section Contents
-
-@@ -1599,6 +1607,10 @@ semantics, you will see a difference between the mode as printed by
- @item %M
- File's permissions (in symbolic form, as for @code{ls}). This
- directive is supported in findutils 4.2.5 and later.
-+
-+@item %Z
-+File's SELinux context, or empty string if the file has no SELinux context
-+or this version of find does not support SELinux.
- @end table
-
- @node Size Directives
-diff --git a/find/Makefile.am b/find/Makefile.am
-index 8e71a32..405955a 100644
---- a/find/Makefile.am
-+++ b/find/Makefile.am
-@@ -6,7 +6,7 @@ bin_PROGRAMS = find
- find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
- EXTRA_DIST = defs.h $(man_MANS)
- INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\"
--LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
-+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIBSELINUX@
- man_MANS = find.1
- SUBDIRS = testsuite
-
-diff --git a/find/defs.h b/find/defs.h
-index 9369c9a..8a8cf28 100644
---- a/find/defs.h
-+++ b/find/defs.h
-@@ -131,6 +131,10 @@ int get_statinfo PARAMS((const char *pathname, const char *name, struct stat *p)
- #define MODE_RWX (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
- #define MODE_ALL (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif
-+
- #if 1
- #include <stdbool.h>
- typedef bool boolean;
-@@ -320,6 +324,9 @@ struct predicate
- struct dir_id fileid; /* samefile */
- mode_t type; /* type */
- FILE *stream; /* ls fls fprint0 */
-+#ifdef WITH_SELINUX
-+ security_context_t scontext; /* scontext */
-+#endif
- struct format_val printf_vec; /* printf fprintf fprint */
- } args;
-
-@@ -481,7 +488,9 @@ boolean pred_uid PARAMS((char *pathname, struct stat *stat_buf, struct predicate
- boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
- boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
- boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
--
-+#ifdef WITH_SELINUX
-+boolean pred_context PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
-+#endif
-
-
- int launch PARAMS((const struct buildcmd_control *ctl,
-@@ -570,6 +579,10 @@ struct options
- * can be changed with the positional option, -regextype.
- */
- int regex_options;
-+
-+#ifdef WITH_SELINUX
-+ int (*x_getfilecon) ();
-+#endif
- };
- extern struct options options;
-
-diff --git a/find/find.1 b/find/find.1
-index 9be362f..2753d47 100644
---- a/find/find.1
-+++ b/find/find.1
-@@ -487,6 +487,8 @@ links: if the \-H or \-P option was specified, true if the file is a
- link to a file of type \fIc\fR; if the \-L option has been given, true
- if \fIc\fR is `l'. In other words, for symbolic links, \-xtype checks
- the type of the file that \-type does not check.
-+.IP "\-context \fIpattern\fR"
-+(SELinux only) Security context of the file matches glob \fIpattern\fR.
-
- .SS ACTIONS
- .IP "\-delete\fR"
-@@ -789,6 +791,8 @@ File's numeric user ID.
- File's type (like in ls \-l), U=unknown type (shouldn't happen)
- .IP %Y
- File's type (like %y), plus follow symlinks: L=loop, N=nonexistent
-+.IP %Z
-+(SELinux only) file's security context
- .PP
- A `%' character followed by any other character is discarded, but the
- other character is printed (don't rely on this, as further format
-diff --git a/find/find.c b/find/find.c
-index df28db6..6b3a2de 100644
---- a/find/find.c
-+++ b/find/find.c
-@@ -245,6 +245,92 @@ optionp_stat(const char *name, struct stat *p)
- return lstat(name, p);
- }
-
-+#ifdef WITH_SELINUX
-+static int
-+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv)
-+{
-+ /* Our original getfilecon() call failed. Perhaps we can't follow a
-+ * symbolic link. If that might be the problem, lgetfilecon() the link.
-+ * Otherwise, admit defeat.
-+ */
-+ switch (errno)
-+ {
-+ case ENOENT:
-+ case ENOTDIR:
-+#ifdef DEBUG_STAT
-+ fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name);
-+#endif
-+ return lgetfilecon(name, p);
-+
-+ case EACCES:
-+ case EIO:
-+ case ELOOP:
-+ case ENAMETOOLONG:
-+#ifdef EOVERFLOW
-+ case EOVERFLOW: /* EOVERFLOW is not #defined on UNICOS. */
-+#endif
-+ default:
-+ return prev_rv;
-+ }
-+}
-+
-+/* optionh_getfilecon() implements the getfilecon operation when the
-+ * -H option is in effect.
-+ *
-+ * If the item to be examined is a command-line argument, we follow
-+ * symbolic links. If the getfilecon() call fails on the command-line
-+ * item, we fall back on the properties of the symbolic link.
-+ *
-+ * If the item to be examined is not a command-line argument, we
-+ * examine the link itself.
-+ */
-+int
-+optionh_getfilecon(const char *name, security_context_t *p)
-+{
-+ if (0 == state.curdepth)
-+ {
-+ /* This file is from the command line; deference the link (if it
-+ * is a link).
-+ */
-+ int rv = getfilecon(name, p);
-+ if (0 == rv)
-+ return 0; /* success */
-+ else
-+ return fallback_getfilecon(name, p, rv);
-+ }
-+ else
-+ {
-+ /* Not a file on the command line; do not derefernce the link.
-+ */
-+ return lgetfilecon(name, p);
-+ }
-+}
-+
-+/* optionl_getfilecon() implements the getfilecon operation when the
-+ * -L option is in effect. That option makes us examine the thing the
-+ * symbolic link points to, not the symbolic link itself.
-+ */
-+int
-+optionl_getfilecon(const char *name, security_context_t *p)
-+{
-+ int rv = getfilecon(name, p);
-+ if (0 == rv)
-+ return 0; /* normal case. */
-+ else
-+ return fallback_getfilecon(name, p, rv);
-+}
-+
-+/* optionp_getfilecon() implements the stat operation when the -P
-+ * option is in effect (this is also the default). That option makes
-+ * us examine the symbolic link itself, not the thing it points to.
-+ */
-+int
-+optionp_getfilecon(const char *name, security_context_t *p)
-+{
-+ return lgetfilecon(name, p);
-+}
-+#endif /* WITH_SELINUX */
-+
- #ifdef DEBUG_STAT
- static uintmax_t stat_count = 0u;
-
-@@ -272,11 +358,17 @@ set_follow_state(enum SymlinkOption opt)
- {
- case SYMLINK_ALWAYS_DEREF: /* -L */
- options.xstat = optionl_stat;
-+#ifdef WITH_SELINUX
-+ options.x_getfilecon = optionl_getfilecon;
-+#endif
- options.no_leaf_check = true;
- break;
-
- case SYMLINK_NEVER_DEREF: /* -P (default) */
- options.xstat = optionp_stat;
-+#ifdef WITH_SELINUX
-+ options.x_getfilecon = optionp_getfilecon;
-+#endif
- /* Can't turn no_leaf_check off because the user might have specified
- * -noleaf anyway
- */
-@@ -284,6 +376,9 @@ set_follow_state(enum SymlinkOption opt)
-
- case SYMLINK_DEREF_ARGSONLY: /* -H */
- options.xstat = optionh_stat;
-+#ifdef WITH_SELINUX
-+ options.x_getfilecon = optionh_getfilecon;
-+#endif
- options.no_leaf_check = true;
- }
-
-@@ -1807,7 +1902,7 @@ complete_pending_execs(struct predicate *p)
- static void
- process_dir (char *pathname, char *name, int pathlen, struct stat *statp, char *parent)
- {
-- int subdirs_left; /* Number of unexamined subdirs in PATHNAME. */
-+ int subdirs_left = 0; /* Number of unexamined subdirs in PATHNAME. */
- boolean subdirs_unreliable; /* if true, cannot use dir link count as subdir limif (if false, it may STILL be unreliable) */
- int idx; /* Which entry are we on? */
- struct stat stat_buf;
-diff --git a/find/parser.c b/find/parser.c
-index fcdb98a..e67e09f 100644
---- a/find/parser.c
-+++ b/find/parser.c
-@@ -48,6 +48,10 @@
- /* We need <unistd.h> for isatty(). */
- #include <unistd.h>
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif
-+
- #if ENABLE_NLS
- # include <libintl.h>
- # define _(Text) gettext (Text)
-@@ -148,7 +152,9 @@ static boolean parse_noignore_race PARAMS((const struct parser_table*, char *arg
- static boolean parse_warn PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
- static boolean parse_xtype PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
- static boolean parse_quit PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
--
-+#ifdef WITH_SELINUX
-+static boolean parse_context PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
-+#endif
-
-
- boolean parse_print PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
-@@ -216,6 +222,9 @@ static struct parser_table const parse_table[] =
- PARSE_TEST ("cmin", cmin), /* GNU */
- PARSE_TEST ("cnewer", cnewer), /* GNU */
- PARSE_TEST ("ctime", ctime),
-+#ifdef WITH_SELINUX
-+ PARSE_TEST ("context", context), /* GNU */
-+#endif
- PARSE_POSOPT ("daystart", daystart), /* GNU */
- PARSE_ACTION ("delete", delete), /* GNU, Mac OS, FreeBSD */
- PARSE_OPTION ("d", d), /* Mac OS X, FreeBSD, NetBSD, OpenBSD, but deprecated in favour of -depth */
-@@ -801,8 +810,12 @@ tests (N can be +N or -N or N): -amin N -anewer FILE -atime N -cmin N\n\
- puts (_("\
- -nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\
- -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\
-- -used N -user NAME -xtype [bcdpfls]\n"));
-+ -used N -user NAME -xtype [bcdpfls]"));
-+#ifdef WITH_SELINUX
- puts (_("\
-+ -context CONTEXT\n"));
-+#endif
-+ puts (_("\n\
- actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print \n\
- -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit\n\
- -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;\n\
-@@ -1718,6 +1731,10 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr)
- printf("LEAF_OPTIMISATION ");
- ++features;
- #endif
-+#if defined(WITH_SELINUX)
-+ printf("SELINUX ");
-+ ++features;
-+#endif
- if (0 == features)
- {
- /* For the moment, leave this as English in case someone wants
-@@ -1729,6 +1746,32 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr)
- exit (0);
- }
-
-+#ifdef WITH_SELINUX
-+static boolean
-+parse_context (const struct parser_table* entry, char **argv, int *arg_ptr)
-+{
-+ struct predicate *our_pred;
-+
-+ if ((argv == NULL) || (argv[*arg_ptr] == NULL))
-+ return false;
-+
-+ if (is_selinux_enabled() <= 0)
-+ {
-+ error (1, 0, _("invalid predicate -context: SELinux is not enabled."));
-+ return false;
-+ }
-+ our_pred = insert_primary (entry);
-+ our_pred->need_stat = false;
-+#ifdef DEBUG
-+ our_pred->p_name = find_pred_name (pred_context);
-+#endif /*DEBUG*/
-+ our_pred->args.scontext = argv[*arg_ptr];
-+
-+ (*arg_ptr)++;
-+ return true;
-+}
-+#endif /* WITH_SELINUX */
-+
- static boolean
- parse_xdev (const struct parser_table* entry, char **argv, int *arg_ptr)
- {
-@@ -1971,7 +2014,7 @@ insert_fprintf (FILE *fp, const struct parser_table *entry, PRED_FUNC func, char
- if (*scan2 == '.')
- for (scan2++; ISDIGIT (*scan2); scan2++)
- /* Do nothing. */ ;
-- if (strchr ("abcdDfFgGhHiklmMnpPstuUyY", *scan2))
-+ if (strchr ("abcdDfFgGhHiklmMnpPstuUyYZ", *scan2))
- {
- segmentp = make_segment (segmentp, format, scan2 - format,
- (int) *scan2);
-@@ -2046,6 +2089,7 @@ make_segment (struct segment **segment, char *format, int len, int kind)
- case 'u': /* user name */
- case 'y': /* file type */
- case 'Y': /* symlink pointed file type */
-+ case 'Z': /* SELinux security context */
- fprintf_stat_needed = true;
- /* FALLTHROUGH */
- case 'f': /* basename of path */
-diff --git a/find/pred.c b/find/pred.c
-index 9ec10a4..1da49dc 100644
---- a/find/pred.c
-+++ b/find/pred.c
-@@ -38,6 +38,10 @@
- #include "buildcmd.h"
- #include "yesno.h"
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif /*WITH_SELINUX*/
-+
- #if ENABLE_NLS
- # include <libintl.h>
- # define _(Text) gettext (Text)
-@@ -217,6 +221,9 @@ struct pred_assoc pred_table[] =
- {pred_used, "used "},
- {pred_user, "user "},
- {pred_xtype, "xtype "},
-+#ifdef WITH_SELINUX
-+ {pred_context, "context"},
-+#endif /*WITH_SELINUX*/
- {0, "none "}
- };
-
-@@ -905,6 +912,27 @@ pred_fprintf (char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)
- mode_to_filetype(stat_buf->st_mode & S_IFMT));
- }
- break;
-+ case 'Z': /* SELinux security context */
-+#ifdef WITH_SELINUX
-+ {
-+ security_context_t scontext;
-+ int rv;
-+ rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
-+
-+ if (rv < 0)
-+ {
-+ fprintf (stderr, "getfilecon(%s): %s", pathname,
-+ strerror(errno));
-+ fflush (stderr);
-+ }
-+ else
-+ {
-+ fprintf (fp, segment->text, scontext);
-+ freecon (scontext);
-+ }
-+ }
-+#endif /* WITH_SELINUX */
-+ break;
- }
- }
- return true;
-@@ -1497,6 +1525,31 @@ pred_xtype (char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)
- */
- return (pred_type (pathname, &sbuf, pred_ptr));
- }
-+
-+#ifdef WITH_SELINUX
-+
-+boolean
-+pred_context (char *pathname, struct stat *stat_buf,
-+ struct predicate *pred_ptr)
-+{
-+ int rv;
-+ security_context_t scontext;
-+
-+ rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
-+
-+ if (rv < 0)
-+ {
-+ fprintf (stderr, "getfilecon(%s): %s\n", pathname, strerror(errno));
-+ fflush (stderr);
-+ return false;
-+ }
-+
-+ rv = (fnmatch (pred_ptr->args.scontext, scontext, 0) == 0);
-+ freecon (scontext);
-+ return rv;
-+}
-+
-+#endif /*WITH_SELINUX*/
-
- /* 1) fork to get a child; parent remembers the child pid
- 2) child execs the command requested
-diff --git a/find/util.c b/find/util.c
-index 97c8687..77bdfa8 100644
---- a/find/util.c
-+++ b/find/util.c
-@@ -78,6 +78,9 @@ get_new_pred (const struct parser_table *entry)
- last_pred->need_stat = true;
- last_pred->need_type = true;
- last_pred->args.str = NULL;
-+#ifdef WITH_SELINUX
-+ last_pred->args.scontext = NULL;
-+#endif
- last_pred->pred_next = NULL;
- last_pred->pred_left = NULL;
- last_pred->pred_right = NULL;
---
-1.7.5.4
-
diff --git a/recipes-devtools/prelink/prelink_git.bbappend b/recipes-extended/findutils/findutils_%.bbappend
index 74e22b3..74e22b3 100644
--- a/recipes-devtools/prelink/prelink_git.bbappend
+++ b/recipes-extended/findutils/findutils_%.bbappend
diff --git a/recipes-extended/findutils/findutils_4.6.%.bbappend b/recipes-extended/findutils/findutils_4.6.%.bbappend
deleted file mode 100644
index b01ad25..0000000
--- a/recipes-extended/findutils/findutils_4.6.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/logrotate/logrotate_%.bbappend b/recipes-extended/logrotate/logrotate_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-extended/logrotate/logrotate_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/lsof/lsof_selinux.inc b/recipes-extended/lsof/lsof_selinux.inc
index 6691b4c..9021f38 100644
--- a/recipes-extended/lsof/lsof_selinux.inc
+++ b/recipes-extended/lsof/lsof_selinux.inc
@@ -2,7 +2,7 @@ inherit selinux
DEPENDS += "${LIBSELINUX}"
-do_configure_prepend () {
+do_configure:prepend () {
export LINUX_HASSELINUX="${@target_selinux(d, 'Y', 'N')}"
export LSOF_CFGF="${CFLAGS}"
export LSOF_CFGL="${LDFLAGS}"
diff --git a/recipes-extended/net-tools/files/netstat-selinux-support.patch b/recipes-extended/net-tools/files/netstat-selinux-support.patch
deleted file mode 100644
index f089041..0000000
--- a/recipes-extended/net-tools/files/netstat-selinux-support.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Wed, 13 Jun 2012 13:32:01 +0800
-Subject: [PATCH] net-tools: netstat add SELinux support.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
----
- Makefile | 9 ++++++++-
- netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 74 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 8fcc55c..0b5c395 100644
---- a/Makefile
-+++ b/Makefile
-@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a
- CFLAGS = $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH)
- LDFLAGS = $(LOPTS) -L$(NET_LIB_PATH)
-
-+ifeq ($(HAVE_SELINUX),1)
-+SELINUX_LDFLAGS = -lselinux
-+CFLAGS += -DHAVE_SELINUX
-+else
-+SELINUX_LDFLAGS =
-+endif
-+
- SUBDIRS = man/ $(NET_LIB_PATH)/
-
- ifeq ($(origin CC), undefined)
-@@ -209,7 +216,7 @@ plipconfig: $(NET_LIB) plipconfig.o
- $(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB)
-
- netstat: $(NET_LIB) netstat.o statistics.o
-- $(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
-+ $(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
-
- iptunnel: $(NET_LIB) iptunnel.o
- $(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB)
-diff --git a/netstat.c b/netstat.c
-index fc10414..a773e81 100644
---- a/netstat.c
-+++ b/netstat.c
-@@ -90,6 +90,12 @@
- #include <sys/types.h>
- #include <asm-generic/param.h>
-
-+#if HAVE_SELINUX
-+#include <selinux/selinux.h>
-+#else
-+#define security_context_t char*
-+#endif
-+
- #include "net-support.h"
- #include "pathnames.h"
- #include "version.h"
-@@ -101,6 +107,7 @@
- #include "proc.h"
-
- #define PROGNAME_WIDTH 20
-+#define SELINUX_WIDTH 50
-
- #if !defined(s6_addr32) && defined(in6a_words)
- #define s6_addr32 in6a_words /* libinet6 */
-@@ -180,6 +187,7 @@ int flag_wide= 0;
- int flag_prg = 0;
- int flag_arg = 0;
- int flag_ver = 0;
-+int flag_selinux = 0;
-
- FILE *procinfo;
-
-@@ -243,12 +251,17 @@ FILE *procinfo;
- #define PROGNAME_WIDTH1(s) PROGNAME_WIDTH2(s)
- #define PROGNAME_WIDTH2(s) #s
-
-+#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH)
-+#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s)
-+#define SELINUX_WIDTH2(s) #s
-+
- #define PRG_HASH_SIZE 211
-
- static struct prg_node {
- struct prg_node *next;
- unsigned long inode;
- char name[PROGNAME_WIDTH];
-+ char scon[SELINUX_WIDTH];
- } *prg_hash[PRG_HASH_SIZE];
-
- static char prg_cache_loaded = 0;
-@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0;
- #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE)
-
- #define PROGNAME_BANNER "PID/Program name"
-+#define SELINUX_BANNER "Security Context"
-
- #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0)
-
-+#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0)
-+
- #define PRG_LOCAL_ADDRESS "local_address"
- #define PRG_INODE "inode"
- #define PRG_SOCKET_PFX "socket:["
-@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0;
- /* NOT working as of glibc-2.0.7: */
- #undef DIRENT_HAVE_D_TYPE_WORKS
-
--static void prg_cache_add(unsigned long inode, char *name)
-+static void prg_cache_add(unsigned long inode, char *name, char *scon)
- {
- unsigned hi = PRG_HASHIT(inode);
- struct prg_node **pnp,*pn;
-@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name)
- if (strlen(name)>sizeof(pn->name)-1)
- name[sizeof(pn->name)-1]='\0';
- strcpy(pn->name,name);
-+
-+ {
-+ int len=(strlen(scon)-sizeof(pn->scon))+1;
-+ if (len > 0)
-+ strcpy(pn->scon,&scon[len+1]);
-+ else
-+ strcpy(pn->scon,scon);
-+ }
- }
-
- static const char *prg_cache_get(unsigned long inode)
-@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode)
- return("-");
- }
-
-+static const char *prg_cache_get_con(unsigned long inode)
-+{
-+ unsigned hi=PRG_HASHIT(inode);
-+ struct prg_node *pn;
-+
-+ for (pn=prg_hash[hi];pn;pn=pn->next)
-+ if (pn->inode==inode) return(pn->scon);
-+ return("-");
-+}
-+
- static void prg_cache_clear(void)
- {
- struct prg_node **pnp,*pn;
-@@ -384,6 +418,7 @@ static void prg_cache_load(void)
- const char *cs,*cmdlp;
- DIR *dirproc=NULL,*dirfd=NULL;
- struct dirent *direproc,*direfd;
-+ security_context_t scon=NULL;
-
- if (prg_cache_loaded || !flag_prg) return;
- prg_cache_loaded=1;
-@@ -453,7 +488,15 @@ static void prg_cache_load(void)
- }
-
- snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp);
-- prg_cache_add(inode, finbuf);
-+#if HAVE_SELINUX
-+ if (getpidcon(atoi(direproc->d_name), &scon) == -1) {
-+ scon=strdup("-");
-+ }
-+ prg_cache_add(inode, finbuf, scon);
-+ freecon(scon);
-+#else
-+ prg_cache_add(inode, finbuf, "-");
-+#endif
- }
- closedir(dirfd);
- dirfd = NULL;
-@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers)
- }
- if (flag_prg)
- printf(" %-16s",prg_cache_get(inode));
-+ if (flag_selinux)
-+ printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode));
- if (flag_opt)
- printf(" %s", timers);
- putchar('\n');
-@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line)
- printf("- ");
- if (flag_prg)
- printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-"));
-+ if (flag_selinux)
-+ printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-"));
- puts(path);
- }
-
-@@ -1584,6 +1631,7 @@ static int unix_info(void)
-
- printf(_("\nProto RefCnt Flags Type State I-Node "));
- print_progname_banner();
-+ print_selinux_banner();
- printf(_(" Path\n")); /* xxx */
-
- {
-@@ -1874,6 +1922,7 @@ static void usage(void)
- fprintf(stderr, _(" -o, --timers display timers\n"));
- fprintf(stderr, _(" -F, --fib display Forwarding Information Base (default)\n"));
- fprintf(stderr, _(" -C, --cache display routing cache instead of FIB\n\n"));
-+ fprintf(stderr, _(" -Z, --context display SELinux security context for sockets\n\n"));
-
- fprintf(stderr, _(" <Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom\n"));
- fprintf(stderr, _(" <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: %s\n"), DFLT_AF);
-@@ -1920,6 +1969,7 @@ int main
- {"cache", 0, 0, 'C'},
- {"fib", 0, 0, 'F'},
- {"groups", 0, 0, 'g'},
-+ {"context", 0, 0, 'Z'},
- {NULL, 0, 0, 0}
- };
-
-@@ -1931,7 +1981,7 @@ int main
- getroute_init(); /* Set up AF routing support */
-
- afname[0] = '\0';
-- while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF)
-+ while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF)
- switch (i) {
- case -1:
- break;
-@@ -2036,6 +2086,19 @@ int main
- if (aftrans_opt("unix"))
- exit(1);
- break;
-+ case 'Z':
-+#if HAVE_SELINUX
-+ if (is_selinux_enabled() <= 0) {
-+ fprintf(stderr, _("SELinux is not enabled on this machine.\n"));
-+ exit(1);
-+ }
-+ flag_prg++;
-+ flag_selinux++;
-+#else
-+ fprintf(stderr, _("SELinux is not enabled for this application.\n"));
-+ exit(1);
-+#endif
-+ break;
- case '?':
- case 'h':
- usage();
---
-1.9.1
-
diff --git a/recipes-extended/net-tools/net-tools_selinux.inc b/recipes-extended/net-tools/net-tools_selinux.inc
index cc3196f..6454205 100644
--- a/recipes-extended/net-tools/net-tools_selinux.inc
+++ b/recipes-extended/net-tools/net-tools_selinux.inc
@@ -1,9 +1,10 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+inherit enable-selinux
-SRC_URI += "file://netstat-selinux-support.patch"
+PACKAGECONFIG[selinux] = ",,libselinux"
-inherit selinux
-
-DEPENDS += "${LIBSELINUX}"
-
-EXTRA_OEMAKE += "${@target_selinux(d, 'HAVE_SELINUX=1', 'HAVE_SELINUX=0')}"
+do_configure:append() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'true', 'false', d)} ; then
+ echo "#define HAVE_SELINUX 1" >> ${S}/config.h
+ echo "HAVE_SELINUX=1" >> ${S}/config.make
+ fi
+}
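Review bot: The two `echo ... >>` lines in `do_configure:append` append unconditionally, so every re-run of do_configure (e.g. `bitbake -f -c configure net-tools`) adds another `#define HAVE_SELINUX 1` and `HAVE_SELINUX=1` line unless the base recipe regenerates `config.h`/`config.make` first (not visible here); a guard such as `grep -q '^HAVE_SELINUX=1' ${S}/config.make || echo "HAVE_SELINUX=1" >> ${S}/config.make` keeps it idempotent either way. The PACKAGECONFIG entry passes no configure flags (`",,libselinux"`), so this append is the only thing that turns the feature on, which deserves a comment, e.g. `# net-tools has no configure switch for SELinux; enable it by editing the generated config files`. Whether the dropped `netstat-selinux-support.patch` (which added the `-Z/--context` option) is superseded by upstream net-tools cannot be confirmed from this diff.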
diff --git a/recipes-extended/pam/libpam_selinux.inc b/recipes-extended/pam/libpam_selinux.inc
index adcf938..2f8b945 100644
--- a/recipes-extended/pam/libpam_selinux.inc
+++ b/recipes-extended/pam/libpam_selinux.inc
@@ -1,3 +1,4 @@
inherit enable-selinux
-RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+RDEPENDS:${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}"
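Review bot: `RDEPENDS:${PN}-runtime` on the last line is keyed on `target_selinux(d, ...)`, presumably a DISTRO_FEATURES-based helper from the inherited class, while the build itself is now keyed on the `selinux` PACKAGECONFIG two lines above; if a user removes `selinux` from PACKAGECONFIG, the runtime package still pulls in `pam-plugin-selinux` for a build compiled with `--disable-selinux`. Deriving both from the same switch avoids the mismatch: `RDEPENDS:${PN}-runtime += "${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'pam-plugin-selinux', '', d)}"`. What `target_selinux` actually evaluates is not visible in this diff.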
diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/sed/sed_4.%.bbappend
index 74e22b3..74e22b3 100644
--- a/recipes-extended/parted/parted_%.bbappend
+++ b/recipes-extended/sed/sed_4.%.bbappend
diff --git a/recipes-extended/sed/sed_4.2.2.bbappend b/recipes-extended/sed/sed_4.2.2.bbappend
deleted file mode 100644
index b01ad25..0000000
--- a/recipes-extended/sed/sed_4.2.2.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/shadow/shadow_selinux.inc b/recipes-extended/shadow/shadow_selinux.inc
index 496ea6a..e719ebc 100644
--- a/recipes-extended/shadow/shadow_selinux.inc
+++ b/recipes-extended/shadow/shadow_selinux.inc
@@ -1,6 +1,3 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-inherit with-selinux with-audit
-
-PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+inherit enable-selinux enable-audit
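Review bot: The removed `PACKAGECONFIG[selinux]` line declared `libsemanage` as a build dependency alongside `libselinux`, and the new two-line file relies entirely on whatever `enable-selinux` defines (the class is not visible here); if that class only adds `libselinux`, shadow's `--with-selinux` build silently loses the libsemanage dependency it used to declare. Please confirm the class or the base shadow recipe supplies it, or keep an explicit `PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage"` in this file. A one-line comment stating that the selinux/audit configure flags now come from the two classes would also make the intent of the shrunken file clear.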
diff --git a/recipes-extended/sudo/sudo_%.bbappend b/recipes-extended/sudo/sudo_%.bbappend
index b01ad25..7c3a686 100644
--- a/recipes-extended/sudo/sudo_%.bbappend
+++ b/recipes-extended/sudo/sudo_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)}
diff --git a/recipes-extended/sysklogd/files/sysklogd b/recipes-extended/sysklogd/files/sysklogd
index 8c6eeb5..2a7eae4 100755..100644
--- a/recipes-extended/sysklogd/files/sysklogd
+++ b/recipes-extended/sysklogd/files/sysklogd
@@ -12,15 +12,19 @@
# Short-Description: System logger
### END INIT INFO
+# Source function library.
+. /etc/init.d/functions
+
PATH=/bin:/usr/bin:/sbin:/usr/sbin
pidfile_syslogd=/var/run/syslogd.pid
-pidfile_klogd=/var/run/klogd.pid
-binpath_syslogd=/sbin/syslogd
-binpath_klogd=/sbin/klogd
+binpath_syslogd=/usr/sbin/syslogd
test -x $binpath || exit 0
+# run secure by default
+SYSLOGD="-ss"
+
test ! -r /etc/default/syslogd || . /etc/default/syslogd
create_xconsole()
@@ -87,43 +91,47 @@ running()
return 0
}
+waitpid ()
+{
+ pid=$1
+ # Give pid a chance to exit before we restart with a 5s timeout in 1s intervals
+ if [ -z "$pid" ]; then
+ return
+ fi
+ timeout=5;
+ while [ $timeout -gt 0 ]
+ do
+ timeout=$(( $timeout-1 ))
+ kill -0 $pid 2> /dev/null || break
+ sleep 1
+ done
+}
+
case "$1" in
start)
log_begin_msg "Starting system log daemon..."
create_xconsole
+ test ! -x /sbin/restorecon || /sbin/restorecon -F /var/log
start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD
- test ! -x /sbin/restorecon || /sbin/restorecon -RF /dev/log /var/log/
- log_end_msg $?
- log_begin_msg "Starting kernel log daemon..."
- start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD
log_end_msg $?
;;
stop)
log_begin_msg "Stopping system log daemon..."
start-stop-daemon --stop --quiet --pidfile $pidfile_syslogd --name syslogd
log_end_msg $?
- log_begin_msg "Stopping kernel log daemon..."
- start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd
- log_end_msg $?
;;
reload|force-reload)
log_begin_msg "Reloading system log daemon..."
start-stop-daemon --stop --quiet --signal 1 --pidfile $pidfile_syslogd --name syslogd
log_end_msg $?
- log_begin_msg "Reloading kernel log daemon..."
- start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd
- start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD
- log_end_msg $?
;;
restart)
log_begin_msg "Restarting system log daemon..."
+ pid=`cat $pidfile_syslogd 2> /dev/null`
start-stop-daemon --stop --retry 5 --quiet --pidfile $pidfile_syslogd --name syslogd
+ waitpid $pid
start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD
log_end_msg $?
- log_begin_msg "Reloading kernel log daemon..."
- start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd
- start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD
- log_end_msg $?
;;
reload-or-restart)
if running
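Review bot: The added `restorecon -F /var/log` in `start)` is non-recursive and replaces `-RF /dev/log /var/log/`, so existing files under /var/log are no longer relabeled and /dev/log is not touched at all; if that is intentional (labels on new log files come from policy transitions and /dev/log is handled elsewhere), a comment saying so would stop the next maintainer from "fixing" it back, e.g. `# only the directory needs relabeling here; files get their label via policy transitions`. In `waitpid`, `timeout=5;` has a stray semicolon and `$pid` is used unquoted; since it comes straight from the pidfile via `cat`, `kill -0 "$pid"` is the safer spelling. The `case` statement continues past the end of this hunk.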
@@ -133,8 +141,14 @@ case "$1" in
$0 start
fi
;;
+ status)
+ status syslogd
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && exit $rval
+ exit $RETVAL
+ ;;
*)
- log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
+ log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart|status}"
exit 1
esac
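Review bot: In the new `status)` branch, `[ $RETVAL -eq 0 ] && exit $rval` references `$rval`, which is never set; the branch only works because `exit` with an empty argument happens to use the status of the preceding `[ ... ]` test. The two lines collapse to the intended `exit $RETVAL`, which is what the following line already does for the non-zero case. The `case` statement this branch belongs to begins in the previous hunk.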
diff --git a/recipes-extended/sysklogd/sysklogd_selinux.inc b/recipes-extended/sysklogd/sysklogd_selinux.inc
index 81fe7b7..8802adb 100644
--- a/recipes-extended/sysklogd/sysklogd_selinux.inc
+++ b/recipes-extended/sysklogd/sysklogd_selinux.inc
@@ -1 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
diff --git a/recipes-extended/tar/tar_selinux.inc b/recipes-extended/tar/tar_selinux.inc
index 341df8b..8c11cac 100644
--- a/recipes-extended/tar/tar_selinux.inc
+++ b/recipes-extended/tar/tar_selinux.inc
@@ -1,3 +1 @@
-inherit with-selinux
-
-PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"
+inherit enable-selinux
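Review bot: The dropped `PACKAGECONFIG_append` for `acl` is more than a syntax migration: the new file no longer enables tar's ACL support when `acl` is in DISTRO_FEATURES, so unless the base tar recipe now does that itself (not visible here), archives made on an SELinux+ACL image stop preserving ACLs. If the base recipe covers it, a comment such as `# acl support is handled by the core tar recipe; only selinux is added here` would save the next reader the same question.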
diff --git a/recipes-graphics/mesa/mesa_%.bbappend b/recipes-graphics/mesa/mesa_%.bbappend
index b0b03ec..ef81ec4 100644
--- a/recipes-graphics/mesa/mesa_%.bbappend
+++ b/recipes-graphics/mesa/mesa_%.bbappend
@@ -1,2 +1,2 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
-
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
+PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux"
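Review bot: The `PACKAGECONFIG[selinux]` line is unconditional while the `inherit` above it is gated on the `selinux` DISTRO_FEATURE, so this bbappend overrides the base recipe's definition even on non-SELinux builds; if the base mesa recipe already defines the same `-Dselinux=true,-Dselinux=false,libselinux` triple the line is redundant, and if it does not, it should be gated the same way. The deleted mesa_selinux.inc documented a `libselinux-native` dependency for the host-side builtin_compiler; the new value drops it without explanation, and whether the current meson build still links host tools against libselinux cannot be told from this diff, so a comment recording why it is no longer needed would help, e.g. `# libselinux-native is no longer required for mesa's host tools`.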
diff --git a/recipes-graphics/mesa/mesa_selinux.inc b/recipes-graphics/mesa/mesa_selinux.inc
deleted file mode 100644
index 0004f71..0000000
--- a/recipes-graphics/mesa/mesa_selinux.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit enable-selinux
-
-# But wait! There's more! mesa builds a host program named builtin_compiler
-# and it needs selinux, too. We replace the PACKAGECONFIG[] in the bbclass.
-#
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native,"
diff --git a/recipes-graphics/xcb/libxcb_selinux.inc b/recipes-graphics/xcb/libxcb_selinux.inc
deleted file mode 100644
index 29bdadb..0000000
--- a/recipes-graphics/xcb/libxcb_selinux.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit enable-selinux
-# libxcb-xselinux will not build with libselinux, so remove the depend
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,,"
-
-PACKAGES += "${PN}-xselinux"
-FILES_${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*"
diff --git a/recipes-graphics/xcb/libxcb_%.bbappend b/recipes-graphics/xorg-lib/libxcb_%.bbappend
index 7719d3b..7719d3b 100644
--- a/recipes-graphics/xcb/libxcb_%.bbappend
+++ b/recipes-graphics/xorg-lib/libxcb_%.bbappend
diff --git a/recipes-graphics/xorg-lib/libxcb_selinux.inc b/recipes-graphics/xorg-lib/libxcb_selinux.inc
new file mode 100644
index 0000000..04c66c1
--- /dev/null
+++ b/recipes-graphics/xorg-lib/libxcb_selinux.inc
@@ -0,0 +1,5 @@
+inherit enable-selinux
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+PACKAGES += "${PN}-xselinux"
+FILES:${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*"
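Review bot: `PACKAGES += "${PN}-xselinux"` appends the new package after `${PN}`, so if the base libxcb recipe's `FILES:${PN}` already globs `${libdir}/lib*.so.*` (not visible here), `libxcb-xselinux.so.*` is claimed by `${PN}` first and `${PN}-xselinux` ends up empty; `PACKAGES =+ "${PN}-xselinux"` or `PACKAGE_BEFORE_PN += "${PN}-xselinux"` puts it ahead of `${PN}`. The deleted copy of this file deliberately left the `libselinux` dependency out, with a comment that libxcb-xselinux would not build with it; the new file adds the dependency back without saying why that is now safe, so a one-line comment recording the reason (the libxcb version that fixed it, if known) would help.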
diff --git a/recipes-kernel/linux/files/selinux.cfg b/recipes-kernel/linux/files/selinux.cfg
index 2edd366..8333a05 100644
--- a/recipes-kernel/linux/files/selinux.cfg
+++ b/recipes-kernel/linux/files/selinux.cfg
@@ -23,9 +23,6 @@ CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
-CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y
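Review bot: Dropping `CONFIG_SECURITY_SELINUX_DISABLE=y` and `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1` is a hardening change as well as a cleanup (runtime disable via /sys/fs/selinux/disable and checkreqprot=1 both weaken enforcement and are deprecated upstream), but nothing in the fragment says so, and a later maintainer could re-add them; a comment such as `# No SELINUX_DISABLE / CHECKREQPROT_VALUE: runtime disable and checkreqprot=1 weaken enforcement and are deprecated` would pin the intent. With `CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1` also gone, SELinux being on at boot now rests on the kernel's default for the `selinux=` parameter (enabled in kernels that removed that option), which is worth stating in the same comment.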
diff --git a/recipes-connectivity/dhcp/dhcp_%.bbappend b/recipes-kernel/linux/linux-yocto_%.bbappend
index 7719d3b..7719d3b 100644
--- a/recipes-connectivity/dhcp/dhcp_%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_%.bbappend
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-yocto_selinux.inc b/recipes-kernel/linux/linux-yocto_selinux.inc
index 3312e06..ba078f7 100644
--- a/recipes-kernel/linux/linux-yocto_selinux.inc
+++ b/recipes-kernel/linux/linux-yocto_selinux.inc
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
# Enable selinux support in the kernel if the feature is enabled
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
diff --git a/recipes-kernel/perf/perf_selinux.inc b/recipes-kernel/perf/perf_selinux.inc
index bed3cc2..f1bdaf8 100644
--- a/recipes-kernel/perf/perf_selinux.inc
+++ b/recipes-kernel/perf/perf_selinux.inc
@@ -1 +1 @@
-DEPENDS .= "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', ' audit', '', d)}"
+inherit enable-audit
diff --git a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
deleted file mode 100644
index 38029aa..0000000
--- a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Thu, 4 Oct 2018 08:45:47 -0400
-Subject: [PATCH] Remove strdupa as suggested in pull request #25
-
----
- src/auditd.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-Origin: https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6
-Applied-Upstream: yes
-
-diff --git a/src/auditd.c b/src/auditd.c
-index b0952db..c826ec0 100644
---- a/src/auditd.c
-+++ b/src/auditd.c
-@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct ev_signal *sig,
-
- static int extract_type(const char *str)
- {
-- const char *tptr, *ptr2, *ptr = str;
-+ const char *ptr2, *ptr = str;
- if (*str == 'n') {
- ptr = strchr(str+1, ' ');
- if (ptr == NULL)
- return -1; // Malformed - bomb out
- ptr++;
- }
-+
- // ptr should be at 't'
- ptr2 = strchr(ptr, ' ');
-- // get type=xxx in a buffer
-- tptr = strndupa(ptr, ptr2 - ptr);
-+
- // find =
-- str = strchr(tptr, '=');
-- if (str == NULL)
-+ str = strchr(ptr, '=');
-+ if (str == NULL || str >= ptr2)
- return -1; // Malformed - bomb out
-+
- // name is 1 past
- str++;
- return audit_name_to_msg_type(str);
---
-2.20.1
-
diff --git a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
deleted file mode 100644
index c948aa3..0000000
--- a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Tue, 26 Feb 2019 18:33:33 -0500
-Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
-
----
-Origin: https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e
-Applied-Upstream: yes
-
- auparse/auparse.c | 12 +++++++++++-
- auparse/interpret.c | 9 ++++++++-
- configure.ac | 14 +++++++++++++-
- src/ausearch-lol.c | 12 +++++++++++-
- 4 files changed, 43 insertions(+), 4 deletions(-)
-
-diff --git a/auparse/auparse.c b/auparse/auparse.c
-index f84712e..3764046 100644
---- a/auparse/auparse.c
-+++ b/auparse/auparse.c
-@@ -1,5 +1,5 @@
- /* auparse.c --
-- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
-@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e)
- return 0;
- }
-
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+ size_t len = strnlen(old, n);
-+ char *tmp = alloca(len + 1);
-+ tmp[len] = 0;
-+ return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /* Returns 0 on success and 1 on error */
- static int extract_timestamp(const char *b, au_event_t *e)
- {
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 1846f9d..8540bd1 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -853,6 +853,13 @@ err_out:
- return print_escaped(id->val);
- }
-
-+// rawmemchr is faster. Let's use it if we have it.
-+#ifdef HAVE_RAWMEMCHR
-+#define STRCHR rawmemchr
-+#else
-+#define STRCHR strchr
-+#endif
-+
- static const char *print_proctitle(const char *val)
- {
- char *out = (char *)print_escaped(val);
-@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
- // Proctitle has arguments separated by NUL bytes
- // We need to write over the NUL bytes with a space
- // so that we can see the arguments
-- while ((ptr = rawmemchr(ptr, '\0'))) {
-+ while ((ptr = STRCHR(ptr, '\0'))) {
- if (ptr >= end)
- break;
- *ptr = ' ';
-diff --git a/configure.ac b/configure.ac
-index ede7109..97b547f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1,7 +1,7 @@
- dnl
- define([AC_INIT_NOTICE],
- [### Generated automatically using autoconf version] AC_ACVERSION [
--### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
-+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
- ###
- ### Permission is hereby granted, free of charge, to any person obtaining a
- ### copy of this software and associated documentation files (the "Software"),
-@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
- AC_CHECK_FUNCS([posix_fallocate])
- dnl; signalfd is needed for libev
- AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
-+dnl; check if rawmemchr is available
-+AC_CHECK_FUNCS([rawmemchr])
-+dnl; check if strndupa is available
-+AC_LINK_IFELSE(
-+ [AC_LANG_SOURCE(
-+ [[
-+ #define _GNU_SOURCE
-+ #include <string.h>
-+ int main() { (void) strndupa("test", 10); return 0; }]])],
-+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
-+ []
-+)
-
- ALLWARNS=""
- ALLDEBUG="-g"
-diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
-index 4fbfbae..5eecefe 100644
---- a/src/ausearch-lol.c
-+++ b/src/ausearch-lol.c
-@@ -1,6 +1,6 @@
- /*
- * ausearch-lol.c - linked list of linked lists library
--* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
-@@ -131,6 +131,16 @@ static int inline events_are_equal(event *e1, event *e2)
- return 1;
- }
-
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+ size_t len = strnlen(old, n);
-+ char *tmp = alloca(len + 1);
-+ tmp[len] = 0;
-+ return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /*
- * This function will look at the line and pick out pieces of it.
- */
---
-2.20.1
-
diff --git a/recipes-security/audit/audit/audit-python-configure.patch b/recipes-security/audit/audit/audit-python-configure.patch
deleted file mode 100644
index cb62ec3..0000000
--- a/recipes-security/audit/audit/audit-python-configure.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From be689ee1748c6aa531dbca982e0218d077ac901c Mon Sep 17 00:00:00 2001
-From: Li xin <lixin.fnst@cn.fujitsu.com>
-Date: Sun, 19 Jul 2015 00:49:13 +0900
-Subject: [PATCH] audit: python cross-compile
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
----
- configure.ac | 17 ++---------------
- 1 file changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 1f48cb4..cdb5219 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -94,21 +94,8 @@ if test x$use_python = xno ; then
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--PYINCLUDEDIR=`python${am_cv_python_version} -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
--if test -f ${PYINCLUDEDIR}/Python.h ; then
-- python_found="yes"
-- AC_SUBST(PYINCLUDEDIR)
-- pybind_dir="python"
-- AC_SUBST(pybind_dir)
-- AC_MSG_NOTICE(Python bindings will be built)
--else
-- python_found="no"
-- if test "x$use_python" = xyes ; then
-- AC_MSG_ERROR([Python explicitly requested and python headers were not found])
-- else
-- AC_MSG_WARN("Python headers not found - python bindings will not be made")
-- fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
-
---
-1.9.1
-
diff --git a/recipes-security/audit/audit/audit-python.patch b/recipes-security/audit/audit/audit-python.patch
deleted file mode 100644
index 0c2dc1c..0000000
--- a/recipes-security/audit/audit/audit-python.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 9c8fd14feabe985242ef08e52c3e866d7755fa6e Mon Sep 17 00:00:00 2001
-From: Li xin <lixin.fnst@cn.fujitsu.com>
-Date: Sun, 19 Jul 2015 01:40:48 +0900
-Subject: [PATCH] Remove hard coded python include directory
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
----
- bindings/Makefile.am | 8 +++++++-
- bindings/python/python2/Makefile.am | 3 ++-
- bindings/swig/python/Makefile.am | 5 +++--
- 3 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/bindings/Makefile.am b/bindings/Makefile.am
-index cc68df3..998b990 100644
---- a/bindings/Makefile.am
-+++ b/bindings/Makefile.am
-@@ -22,4 +22,10 @@
-
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
-
--SUBDIRS = python golang swig
-+SUBDIRS = swig
-+if HAVE_PYTHON
-+SUBDIRS += python
-+endif
-+if HAVE_GOLANG
-+SUBDIRS += golang
-+endif
-diff --git a/bindings/python/python2/Makefile.am b/bindings/python/python2/Makefile.am
-index 1dcb5bc..6226358 100644
---- a/bindings/python/python2/Makefile.am
-+++ b/bindings/python/python2/Makefile.am
-@@ -23,7 +23,8 @@
-
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/python$(PYTHON_VERSION)
-+AM_CPPFLAGS = -I$(top_builddir) -I${PYINC}
-
- pyexec_LTLIBRARIES = auparse.la
-
-diff --git a/bindings/swig/python/Makefile.am b/bindings/swig/python/Makefile.am
-index 8c98b94..ae7c52b 100644
---- a/bindings/swig/python/Makefile.am
-+++ b/bindings/swig/python/Makefile.am
-@@ -21,9 +21,10 @@
- #
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/$(PYLIBVER)
-+AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- SWIG_FLAGS = -python
--SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- pyexec_PYTHON = audit.py
- pyexec_LTLIBRARIES = _audit.la
- pyexec_SOLIBRARIES = _audit.so
---
-1.8.4.2
-
diff --git a/recipes-security/audit/audit/audit-volatile.conf b/recipes-security/audit/audit/audit-volatile.conf
deleted file mode 100644
index 9cbe154..0000000
--- a/recipes-security/audit/audit/audit-volatile.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /var/log/audit 0750 root root -
diff --git a/recipes-security/audit/audit/auditd b/recipes-security/audit/audit/auditd
deleted file mode 100755
index fcd96c9..0000000
--- a/recipes-security/audit/audit/auditd
+++ /dev/null
@@ -1,153 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: auditd
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Audit Daemon
-# Description: Collects audit information from Linux 2.6 Kernels.
-### END INIT INFO
-
-# Author: Philipp Matthias Hahn <pmhahn@debian.org>
-# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
-
-# June, 2012: Adopted for yocto <amy.fong@windriver.com>
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DESC="audit daemon"
-NAME=auditd
-DAEMON=/sbin/auditd
-PIDFILE=/var/run/"$NAME".pid
-SCRIPTNAME=/etc/init.d/"$NAME"
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
-
-. /etc/default/rcS
-
-. /etc/init.d/functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
- || return 1
- start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
- $EXTRAOPTIONS \
- || return 2
- if [ -f /etc/audit/audit.rules ]
- then
- /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
- fi
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f "$PIDFILE"
- rm -f /var/run/audit_events
- # Remove watches so shutdown works cleanly
- case "$AUDITD_CLEAN_STOP" in
- no|NO) ;;
- *) /sbin/auditctl -D >/dev/null ;;
- esac
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-if [ ! -e /var/log/audit ]; then
- mkdir -p /var/log/audit
- [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit
-fi
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
- 2) [ "$VERBOSE" != no ] && echo 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
- 2) [ "$VERBOSE" != no ] && echo 1 ;;
- esac
- ;;
- reload|force-reload)
- echo "Reloading $DESC" "$NAME"
- do_reload
- echo $?
- ;;
- restart)
- echo "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) echo 0 ;;
- 1) echo 1 ;; # Old process is still running
- *) echo 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- echo 1
- ;;
- esac
- ;;
- rotate)
- echo "Rotating $DESC logs" "$NAME"
- start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
- echo $?
- ;;
- status)
- pidofproc "$DAEMON" >/dev/null
- status=$?
- if [ $status -eq 0 ]; then
- echo "$NAME is running."
- else
- echo "$NAME is not running."
- fi
- exit $status
- ;;
- *)
- echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service
deleted file mode 100644
index ebc0798..0000000
--- a/recipes-security/audit/audit/auditd.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Security Auditing Service
-DefaultDependencies=no
-After=local-fs.target
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-After=systemd-tmpfiles-setup.service
-
-[Service]
-ExecStart=/sbin/auditd -n
-## To use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and uncomment the next line and delete/comment out the auditctl line.
-## Then copy existing rules to /etc/audit/rules.d/
-## Not doing this last step can cause loss of existing rules
-#ExecStartPost=-/sbin/augenrules --load
-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/recipes-security/audit/audit/fix-swig-host-contamination.patch b/recipes-security/audit/audit/fix-swig-host-contamination.patch
deleted file mode 100644
index faeeeeb..0000000
--- a/recipes-security/audit/audit/fix-swig-host-contamination.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From d7577e1e55595123e3bcec78fa4a79fe8a314fe5 Mon Sep 17 00:00:00 2001
-From: Li xin <lixin.fnst@cn.fujitsu.com>
-Date: Sun, 19 Jul 2015 02:42:58 +0900
-Subject: [PATCH] audit: Fixed swig host contamination issue
-
-The audit build uses swig to generate a python wrapper.
-Unfortunately, the swig info file references host include
-directories. Some of these were previously noticed and
-eliminated, but the one fixed here was not.
-
-Upstream Status: pending
-
-Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
-Signed-off-by: Joe Slater <jslater@windriver.com>
----
- bindings/swig/python/Makefile.am | 3 ++-
- bindings/swig/src/auditswig.i | 4 ++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/bindings/swig/python/Makefile.am b/bindings/swig/python/Makefile.am
-index ae7c52b..d1bb93c 100644
---- a/bindings/swig/python/Makefile.am
-+++ b/bindings/swig/python/Makefile.am
-@@ -22,6 +22,7 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
- PYINC ?= /usr/include/$(PYLIBVER)
-+STDINC ?= /usr/include
- AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- SWIG_FLAGS = -python
- SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
-@@ -35,7 +36,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
- _audit_la_LIBADD = $(top_builddir)/lib/libaudit.la
- nodist__audit_la_SOURCES = audit_wrap.c
- audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i
-- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i
-+ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
-
- CLEANFILES = audit.py* audit_wrap.c *~
-
-diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
-index 9364ac4..48667d4 100644
---- a/bindings/swig/src/auditswig.i
-+++ b/bindings/swig/src/auditswig.i
-@@ -39,8 +39,8 @@ signed
- #define __attribute(X) /*nothing*/
- typedef unsigned __u32;
- typedef unsigned uid_t;
--%include "/usr/include/linux/audit.h"
-+%include "linux/audit.h"
- #define __extension__ /*nothing*/
--%include "/usr/include/stdint.h"
-+%include "stdint.h"
- %include "../lib/libaudit.h"
-
---
-1.8.4.2
-
diff --git a/recipes-security/audit/audit_2.8.4.bb b/recipes-security/audit/audit_2.8.4.bb
deleted file mode 100644
index 594786a..0000000
--- a/recipes-security/audit/audit_2.8.4.bb
+++ /dev/null
@@ -1,106 +0,0 @@
-SUMMARY = "User space tools for kernel auditing"
-DESCRIPTION = "The audit package contains the user space utilities for \
-storing and searching the audit records generated by the audit subsystem \
-in the Linux kernel."
-HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
-SECTION = "base"
-LICENSE = "GPLv2+ & LGPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \
- file://audit-python-configure.patch \
- file://audit-python.patch \
- file://fix-swig-host-contamination.patch \
- file://0001-Remove-strdupa-as-suggested-in-pull-request-25.patch \
- file://0002-Add-substitue-functions-for-strndupa-rawmemchr.patch \
- file://auditd \
- file://auditd.service \
- file://audit-volatile.conf \
-"
-SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779"
-SRC_URI[sha256sum] = "a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38"
-
-inherit autotools pythonnative update-rc.d systemd
-
-UPDATERCPN = "auditd"
-INITSCRIPT_NAME = "auditd"
-INITSCRIPT_PARAMS = "defaults"
-
-SYSTEMD_PACKAGES = "auditd"
-SYSTEMD_SERVICE_auditd = "auditd.service"
-
-DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) swig-native"
-
-EXTRA_OECONF += "--without-prelude \
- --with-libwrap \
- --enable-gssapi-krb5=no \
- --with-libcap-ng=yes \
- --with-python=yes \
- --libdir=${base_libdir} \
- --sbindir=${base_sbindir} \
- --without-python3 \
- --disable-zos-remote \
- "
-EXTRA_OECONF_append_arm = " --with-arm=yes"
-EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"
-
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
- pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
- STDINC='${STAGING_INCDIR}' \
- pkgconfigdir=${libdir}/pkgconfig \
- "
-
-SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
-DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
-interface to the audit system, audispd. These plugins can do things \
-like relay events to remote machines or analyze events for suspicious \
-behavior."
-
-PACKAGES =+ "audispd-plugins"
-PACKAGES += "auditd ${PN}-python"
-
-FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
-FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
-FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
- ${sysconfdir}/audisp/plugins.d/au-remote.conf \
- ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
- "
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
-RDEPENDS_auditd += "bash"
-
-do_install_append() {
- rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
- rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
-
- # reuse auditd config
- [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
- mv ${D}/etc/sysconfig/auditd ${D}/etc/default
- rmdir ${D}/etc/sysconfig/
-
- # replace init.d
- install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
- rm -rf ${D}/etc/rc.d
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d/
- install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
- fi
-
- # install systemd unit files
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
-
- # audit-2.5 doesn't install any rules by default, so we do that here
- mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
- cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
-
- chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
- chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
-
- # Based on the audit.spec "Copy default rules into place on new installation"
- cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
-}
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index a4cf1b8..148c8a2 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -6,9 +6,9 @@ PACKAGES = "\
${PN} \
"
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
libsepol \
libsepol-bin \
libselinux \
@@ -24,4 +24,5 @@ RDEPENDS_${PN} = " \
selinux-labeldev \
refpolicy \
coreutils \
+ auditd \
"
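Review bot: The new `auditd \` entry in RDEPENDS:${PN} pulls the audit daemon into every image that installs packagegroup-core-selinux, but the hunk gives no reason and the surrounding list is otherwise all SELinux userspace. Since this same commit removes the layer's own audit recipe (the deleted do_install_append above), `auditd` presumably now comes from another layer, so a short comment such as `# auditd: provided by an external layer; keeps AVC denials in the audit log` and, if not already present, a matching entry in conf/layer.conf's LAYERDEPENDS would make the dependency visible. The minimal packagegroup in this diff does not gain auditd, which looks intentional but is worth confirming. The RDEPENDS:${PN} assignment itself starts outside the hunk.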
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index e198e84..0f9abae 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -6,9 +6,9 @@ PACKAGES = "\
${PN} \
"
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
-RDEPENDS_${PN} = "\
+RDEPENDS:${PN} = "\
coreutils \
libsepol \
libselinux \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
index 2263592..7fd5d1c 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -6,9 +6,9 @@ PACKAGES = "\
${PN} \
"
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
-RDEPENDS_${PN} = "\
+RDEPENDS:${PN} = "\
policycoreutils-fixfiles \
policycoreutils-genhomedircon \
policycoreutils-loadpolicy \
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
deleted file mode 100644
index 2692ffa..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 16:14:09 -0400
-Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
-
-Ensure /var/volatile paths get the appropriate base file context.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 346d920e..be532d7f 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -31,3 +31,13 @@
- # not for refpolicy intern, but for /var/run using applications,
- # like systemd tmpfiles or systemd socket configurations
- /var/run /run
-+
-+# volatile aliases
-+# ensure the policy applied to the base filesystem objects are reflected in the
-+# volatile hierarchy.
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
deleted file mode 100644
index f92ddb8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:44 +0530
-Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
- allow rules
-
-add allow rules for audit.log file & resolve dependent avc denials.
-
-without this change we are getting audit avc denials mixed into bootlog &
-audit other avc denials.
-
-audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
-name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=sy0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
-audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
-volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
-:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/getty.te | 3 +++
- policy/modules/system/logging.te | 8 ++++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 6d3c4284..423db0cc 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -129,3 +129,6 @@ optional_policy(`
- optional_policy(`
- udev_read_db(getty_t)
- ')
-+
-+allow getty_t tmpfs_t:dir search;
-+allow getty_t tmpfs_t:file { open write lock };
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 63e92a8e..8ab46925 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
- allow audisp_t self:unix_dgram_socket create_socket_perms;
-
- allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
-+allow audisp_t initrc_t:unix_dgram_socket sendto;
-
- manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
- files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
-@@ -620,3 +621,10 @@ optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
- ')
-+
-+
-+allow auditd_t tmpfs_t:file { getattr setattr create open read append };
-+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
-+allow auditd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
deleted file mode 100644
index a963751..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 20:48:10 -0400
-Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
-
-The objects in /usr/lib/busybox/* should have the same policy applied as
-the corresponding objects in the / hierarchy.
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index be532d7f..04fca3c3 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -41,3 +41,10 @@
- /var/volatile/tmp /var/tmp
- /var/volatile/lock /var/lock
- /var/volatile/run/lock /var/lock
-+
-+# busybox aliases
-+# quickly match up the busybox built-in tree to the base filesystem tree
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
-+
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
deleted file mode 100644
index 37423ec..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:46 +0530
-Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
- local_login_t
-
-add allow rules for locallogin module avc denials.
-
-without this change we are getting errors like these:
-
-type=AVC msg=audit(): avc: denied { read write open } for pid=353
-comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
-=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
-var_log_t:s0 tclass=file permissive=1
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
-tclass=unix_dgram_socket permissive=1
-
-type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
-"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
-:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
-=file permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/locallogin.te | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 4c679ff3..75750e4c 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -288,3 +288,13 @@ optional_policy(`
- optional_policy(`
- nscd_use(sulogin_t)
- ')
-+
-+allow local_login_t initrc_t:fd use;
-+allow local_login_t initrc_t:unix_dgram_socket sendto;
-+allow local_login_t initrc_t:unix_stream_socket connectto;
-+allow local_login_t self:capability net_admin;
-+allow local_login_t var_log_t:file { create lock open read write };
-+allow local_login_t var_run_t:file { open read write lock};
-+allow local_login_t var_run_t:sock_file write;
-+allow local_login_t tmpfs_t:dir { add_name write search};
-+allow local_login_t tmpfs_t:file { create open read write lock };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
deleted file mode 100644
index ad94252..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
-rule for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 3 +++
- policy/modules/system/logging.te | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 6693d87b..0cf108e0 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,6 +2,7 @@
-
- /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -32,10 +33,12 @@
- /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index adc628f8..07ed546d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
- allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
deleted file mode 100644
index ed470e4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
- services allow rules
-
-systemd allow rules for systemd service file operations: start, stop, restart
-& allow rule for unconfined systemd service.
-
-without this change we are getting these errors:
-:~# systemctl status selinux-init.service
-Failed to get properties: Access denied
-
-:~# systemctl stop selinux-init.service
-Failed to stop selinux-init.service: Access denied
-
-:~# systemctl restart selinux-init.service
-audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
-gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
-restart selinux-init.service" scontext=unconfined_u:unconfined_r:
-unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 4 +++
- policy/modules/system/libraries.te | 3 +++
- policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
- policy/modules/system/unconfined.te | 6 +++++
- 4 files changed, 52 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8352428a..15745c83 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1425,3 +1425,7 @@ optional_policy(`
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
-+allow init_t self:capability2 audit_read;
-+
-+allow initrc_t init_t:system { start status };
-+allow initrc_t init_var_run_t:service { start status };
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 422b0ea1..80b0c9a5 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -145,3 +145,6 @@ optional_policy(`
- optional_policy(`
- unconfined_domain(ldconfig_t)
- ')
-+
-+# systemd: init domain to start lib domain service
-+systemd_service_lib_function(lib_t)
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 8d2bb8da..8fc61843 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',`
-
- getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
- ')
-+
-+########################################
-+## <summary>
-+## Allow specified domain to start stop reset systemd service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_file_operations',`
-+ gen_require(`
-+ class service { start status stop };
-+ ')
-+
-+ allow $1 lib_t:service { start status stop };
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Allow init domain to start lib domain service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_lib_function',`
-+ gen_require(`
-+ class service start;
-+ ')
-+
-+ allow initrc_t $1:service start;
-+
-+')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 12cc0d7c..c09e94a5 100644
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
- optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
- ')
-+
-+
-+# systemd: specified domain to start stop reset systemd service
-+systemd_service_file_operations(unconfined_t)
-+
-+allow unconfined_t init_t:system reload;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
deleted file mode 100644
index 98b6156..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:37 +0530
-Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
- add allow rules
-
-add allow rules for avc denails for systemd, mount, logging & authlogin
-modules.
-
-without this change we are getting avc denial like these:
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
-tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
-unix_dgram_socket permissive=0
-
-type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
-tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
-system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
-file permissive=0
-
-type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
-path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
-mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
-
-type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
-comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
-tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.te | 2 ++
- policy/modules/system/logging.te | 7 ++++++-
- policy/modules/system/mount.te | 3 +++
- policy/modules/system/systemd.te | 5 +++++
- 4 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 345e07f3..39f860e0 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -472,3 +472,5 @@ optional_policy(`
- samba_read_var_files(nsswitch_domain)
- samba_dontaudit_write_var_files(nsswitch_domain)
- ')
-+
-+allow chkpwd_t proc_t:filesystem getattr;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 8ab46925..520f7da6 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
- allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
- allow auditd_t initrc_t:unix_dgram_socket sendto;
-
--allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow syslogd_t self:shm create;
-+allow syslogd_t self:sem { create read unix_write write };
-+allow syslogd_t self:shm { read unix_read unix_write write };
-+allow syslogd_t tmpfs_t:file { read write };
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 3dcb8493..a87d0e82 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -231,3 +231,6 @@ optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
- ')
-+
-+allow mount_t proc_t:filesystem getattr;
-+allow mount_t initrc_t:udp_socket { read write };
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a6f09dfd..68b80de3 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
- allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
- allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
-+allow systemd_tmpfiles_t init_t:dir search;
-+allow systemd_tmpfiles_t proc_t:filesystem getattr;
-+allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-+
- kernel_getattr_proc(systemd_tmpfiles_t)
- kernel_read_kernel_sysctls(systemd_tmpfiles_t)
- kernel_read_network_state(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
deleted file mode 100644
index 7d7908f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:53 +0530
-Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
- manager.
-
-add allow rule to fix avc denial during system reboot.
-
-without this change we are getting:
-
-audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
-gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
-initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 15745c83..d6a0270a 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
- allow init_t self:capability2 audit_read;
-
--allow initrc_t init_t:system { start status };
-+allow initrc_t init_t:system { start status reboot };
- allow initrc_t init_var_run_t:service { start status };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
deleted file mode 100644
index f318c23..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 4 Apr 2019 10:45:03 -0400
-Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 1e5432a4..ac7c2dd1 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
- /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
deleted file mode 100644
index 4f7d916..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 3 Apr 2019 14:51:29 -0400
-Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
- refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
- ls /var/log
- /var/log -> volatile/log
-:~#
-
-The old refpolicy included a pre-generated booleans.conf that could be
-patched. That's no longer the case so we're left with a few options,
-tweak the default directly or create a template booleans.conf file which
-will be updated during build time. Since this is intended to be applied
-only for specific configuraitons it seems like the same either way and
-this avoids us playing games to work around .gitignore.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/booleans.conf | 9 +++++++++
- policy/modules/system/mount.te | 2 +-
- policy/modules/system/systemd.te | 2 +-
- 3 files changed, 11 insertions(+), 2 deletions(-)
- create mode 100644 policy/booleans.conf
-
-diff --git a/policy/booleans.conf b/policy/booleans.conf
-new file mode 100644
-index 00000000..850f56ed
---- /dev/null
-+++ b/policy/booleans.conf
-@@ -0,0 +1,9 @@
-+#
-+# Allow the mount command to mount any directory or file.
-+#
-+allow_mount_anyfile = true
-+
-+#
-+# Enable support for systemd-tmpfiles to manage all non-security files.
-+#
-+systemd_tmpfiles_manage_all = true
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index a87d0e82..868052b7 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
- ## Allow the mount command to mount any directory or file.
- ## </p>
- ## </desc>
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(allow_mount_anyfile, true)
-
- attribute_role mount_roles;
- roleattribute system_r mount_roles;
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 68b80de3..a1ef6990 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
- ## Enable support for systemd-tmpfiles to manage all non-security files.
- ## </p>
- ## </desc>
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
- ## <desc>
- ## <p>
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
deleted file mode 100644
index 27cbc9f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:09 +0530
-Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
- service
-
-1. fix for systemd services: login & journal wile using refpolicy-minimum and
-systemd as init manager.
-2. fix login duration after providing root password.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
-systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
-tclass=fifo_file permissive=0
-
-audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
-="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
-
-audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
-system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
-="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
-lib_t:s0 tclass=service
-
-[FAILED] Failed to start Flush Journal to Persistent Storage.
-See 'systemctl status systemd-journal-flush.service' for details.
-
-[FAILED] Failed to start Login Service.
-See 'systemctl status systemd-logind.service' for details.
-
-[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
-See 'systemctl status avahi-daemon.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 2 ++
- policy/modules/system/locallogin.te | 3 +++
- policy/modules/system/systemd.if | 6 ++++--
- policy/modules/system/systemd.te | 2 +-
- 4 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d6a0270a..035c7ad2 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
-
- allow initrc_t init_t:system { start status reboot };
- allow initrc_t init_var_run_t:service { start status };
-+
-+allow initrc_t init_var_run_t:service stop;
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 75750e4c..2c2cfc7d 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
- allow local_login_t var_run_t:sock_file write;
- allow local_login_t tmpfs_t:dir { add_name write search};
- allow local_login_t tmpfs_t:file { create open read write lock };
-+allow local_login_t init_var_run_t:fifo_file write;
-+allow local_login_t initrc_t:dbus send_msg;
-+allow initrc_t local_login_t:dbus send_msg;
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 8fc61843..1166505f 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
- #
- interface(`systemd_service_lib_function',`
- gen_require(`
-- class service start;
-+ class service { start status stop };
-+ class file { execmod open };
- ')
-
-- allow initrc_t $1:service start;
-+ allow initrc_t $1:service { start status stop };
-+ allow initrc_t $1:file execmod;
-
- ')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a1ef6990..a62c3c38 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
- allow systemd_tmpfiles_t init_t:dir search;
- allow systemd_tmpfiles_t proc_t:filesystem getattr;
--allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t init_t:file { open getattr read };
- allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-
- kernel_getattr_proc(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
deleted file mode 100644
index 7a9f3f2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH 08/34] fc/bind: fix real path for bind
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index b4879dc1..59498e25 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
deleted file mode 100644
index efe81a4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:17 +0530
-Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
- services
-
-fix for systemd tmp files setup service while using refpolicy-minimum and
-systemd as init manager.
-
-these allow rules require kernel domain & files access, so added interfaces
-at systemd.te to merge these allow rules.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
-path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
-_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
-
-audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
-name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
-tclass=dir permissive=0
-
-[FAILED] Failed to start Create Static Device Nodes in /dev.
-See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
-
-[FAILED] Failed to start Create Volatile Files and Directories.
-See 'systemctl status systemd-tmpfiles-setup.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/files.if | 19 +++++++++++++++++++
- policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
- policy/modules/system/systemd.te | 2 ++
- 3 files changed, 42 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index eb067ad3..ff74f55a 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel tmp files domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
-+ gen_require(`
-+ type tmp_t;
-+ class lnk_file getattr;
-+ ')
-+
-+ allow $1 tmp_t:lnk_file getattr;
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 1ad282aa..342eb033 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
- allow $1 unlabeled_t:infiniband_endport manage_subnet;
- ')
-
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel sysctl domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
-+ gen_require(`
-+ type sysctl_kernel_t;
-+ class dir search;
-+ class file { open read };
-+ ')
-+
-+ allow $1 sysctl_kernel_t:dir search;
-+ allow $1 sysctl_kernel_t:file { open read };
-+
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a62c3c38..9b696823 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
-
- kernel_read_system_state(systemd_update_done_t)
-
-+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
-+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
deleted file mode 100644
index 6039f49..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:59:18 -0400
-Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index 30196589..e0dc4b6f 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,7 @@
-
- /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
--/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
deleted file mode 100644
index f67221a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:29 +0530
-Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
-
-syslog & getty related allow rules required to fix the syslog mixup with
-boot log, while using systemd as init manager.
-
-without this change we are getting these avc denials:
-
-audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
-dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
-"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
-object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
-"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
-:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
-/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
-system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
-
-audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
-scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
-s0 tclass=file permissive=0
-
-audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
-dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
-volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
-syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/getty.te | 1 +
- policy/modules/system/logging.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 423db0cc..9ab03956 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -132,3 +132,4 @@ optional_policy(`
-
- allow getty_t tmpfs_t:dir search;
- allow getty_t tmpfs_t:file { open write lock };
-+allow getty_t initrc_t:unix_dgram_socket sendto;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 520f7da6..4e02dab8 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
- allow syslogd_t self:shm create;
- allow syslogd_t self:sem { create read unix_write write };
- allow syslogd_t self:shm { read unix_read unix_write write };
--allow syslogd_t tmpfs_t:file { read write };
-+allow syslogd_t tmpfs_t:file { read write create getattr append open };
-+allow syslogd_t tmpfs_t:dir { search write add_name };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
deleted file mode 100644
index dc715c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 08:26:55 -0400
-Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index e52fdfcf..85d15127 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,3 @@
--/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 495b82f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 009d821a..cc438609 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index 6ffabe4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/rpm.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 578d465c..f2b8003a 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
--/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
-+
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
deleted file mode 100644
index b253f84..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
- /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw... in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 6 ++++++
- policy/modules/system/logging.te | 2 ++
- 3 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 0cf108e0..5bec7e99 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 16091eb6..e83cb5b5 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
-@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
-@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
-@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index a7b69932..fa5664b0 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
deleted file mode 100644
index 588c5c6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 10:33:18 -0400
-Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
- /var/log
-
-We have added rules for the symlink of /var/log in logging.if, while
-syslogd_t uses /var/log but does not use the interfaces in logging.if. So
-still need add a individual rule for syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index fa5664b0..63e92a8e 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-
- # for systemd but can not be conditional
- files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
deleted file mode 100644
index 3d55476..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
- symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/domain.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 1a55e3d2..babb794f 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
-
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
- # listen code, before protocol-specific
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
deleted file mode 100644
index 3281ae8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
- to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/terminal.if | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 61308843..a84787e6 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file getattr;
-+ dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
-@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir search;
- allow $1 devpts_t:chr_file ioctl;
-+ allow $1 bsdpty_device_t:chr_file ioctl;
- ')
-
- ########################################
-@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- allow $1 devpts_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file setattr;
-+ dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir list_dir_perms;
- allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- ########################################
-@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
-
- #######################################
-@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- #######################################
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index 0188fa9..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/rpc.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 47fa2fd0..d4209231 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
deleted file mode 100644
index b4befdd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
- nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/filesystem.te | 1 +
- policy/modules/kernel/kernel.te | 2 ++
- policy/modules/services/rpc.te | 5 +++++
- policy/modules/services/rpcbind.te | 5 +++++
- 4 files changed, 13 insertions(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 1db0c652..bf1c0173 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
-
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
- type nsfs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index e971c533..ad7c823a 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-
- ifdef(`distro_redhat',`
- # Bugzilla 222337
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index d4209231..a2327b44 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
-
- optional_policy(`
- mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
- ')
-
- ########################################
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 5914af99..2055c114 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
-
- miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 94b7dd3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:16:37 -0400
-Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6790e5d0..2c95db81 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
- allow $1 security_t:filesystem mount;
- ')
-
-@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
- allow $1 security_t:filesystem remount;
- ')
-
-@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
- ')
-
- allow $1 security_t:filesystem unmount;
-+
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
-@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
- ')
-
- dontaudit $1 security_t:dir getattr;
-+ dev_dontaudit_getattr_sysfs($1)
-+ dev_dontaudit_search_sysfs($1)
- ')
-
- ########################################
-@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- ')
-
-@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
- type security_t;
- ')
-
-+ dev_dontaudit_getattr_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
-@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
-@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
-@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
- dontaudit $1 security_t:security check_context;
-@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 self:netlink_selinux_socket create_socket_perms;
- allow $1 security_t:dir list_dir_perms;
-@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index c20dd5f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/roles/sysadm.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e411d4fd..f326d1d7 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -939,6 +939,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
- rpcbind_admin(sysadm_t, sysadm_r)
- ')
-
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
deleted file mode 100644
index e0208aa..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
- config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.if | 1 +
- policy/modules/system/userdomain.if | 4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 20024993..0fdc8c10 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
- ')
-
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 5221bd13..4cf987d1 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
- logging_read_audit_config($1)
-
- seutil_manage_bin_policy($1)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
- seutil_run_checkpolicy($1, $2)
- seutil_run_loadpolicy($1, $2)
- seutil_run_semanage($1, $2)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
deleted file mode 100644
index e62c81e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:30:27 -0400
-Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
- file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index db6bb368..98fed2d0 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
-+fs_getattr_all_fs(setfiles_t)
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_getattr_cgroup(setfiles_t)
- fs_getattr_nfs(setfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
deleted file mode 100644
index 88c94c5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
- default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c78..739a4bc5 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
-
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
deleted file mode 100644
index d002830..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
- mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
- allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ftp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 29bc077c..d582cf80 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
-
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
deleted file mode 100644
index 37d180c..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
- rules
-
-It provide, the systemd support related allow rules
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index eabba1ed..5da25cd6 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1418,3 +1418,8 @@ optional_policy(`
- userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
- userdom_dontaudit_write_user_tmp_files(systemprocess)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
deleted file mode 100644
index 644c2cd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 5 Apr 2019 11:53:28 -0400
-Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
-
-init and locallogin modules have a depend for sysadm module because
-they have called sysadm interfaces(sysadm_shell_domtrans). Since
-sysadm is not a core module, we could make the sysadm_shell_domtrans
-calls optionally by optional_policy.
-
-So, we could make the minimum policy without sysadm module.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 16 +++++++++-------
- policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5da25cd6..8352428a 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -446,13 +446,15 @@ ifdef(`init_systemd',`
- modutils_domtrans(init_t)
- ')
- ',`
-- tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
-- ',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- ifndef(`distro_debian',`
-- sysadm_shell_domtrans(init_t)
-+ optional_policy(`
-+ tunable_policy(`init_upstart',`
-+ corecmd_shell_domtrans(init_t, initrc_t)
-+ ',`
-+ # Run the shell in the sysadm role for single-user mode.
-+ # causes problems with upstart
-+ ifndef(`distro_debian',`
-+ sysadm_shell_domtrans(init_t)
-+ ')
- ')
- ')
- ')
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a56f3d1f..4c679ff3 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
- userdom_search_user_home_dirs(sulogin_t)
- userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+optional_policy(`
-+ sysadm_shell_domtrans(sulogin_t)
-+')
-
- # by default, sulogin does not use pam...
- # sulogin_pam might need to be defined otherwise
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
deleted file mode 100644
index c374384..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
- /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/apache.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 15c4ea53..596370b1 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
-
- allow httpd_t httpd_modules_t:dir list_dir_perms;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
deleted file mode 100644
index 98d98d4..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
- policy/modules/system/init.fc | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index 03a2230c..2ba049ff 100644
---- a/policy/modules/admin/shutdown.fc
-+++ b/policy/modules/admin/shutdown.fc
-@@ -5,5 +5,6 @@
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index cf3848db..86920167 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
- /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 11a6ce93..93e9d2b4 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
- # /usr
- #
- /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
deleted file mode 100644
index 3cc5395..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:44 +0530
-Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
- allow rules
-
-add allow rules for audit.log file & resolve dependent avc denials.
-
-without this change we are getting audit avc denials mixed into bootlog &
-audit other avc denials.
-
-audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
-name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=sy0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
-audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
-volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
-:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/getty.te | 3 +++
- policy/modules/system/logging.te | 8 ++++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 6d3c4284..423db0cc 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -129,3 +129,6 @@ optional_policy(`
- optional_policy(`
- udev_read_db(getty_t)
- ')
-+
-+allow getty_t tmpfs_t:dir search;
-+allow getty_t tmpfs_t:file { open write lock };
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e6221a02..4cc73327 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
- allow audisp_t self:unix_dgram_socket create_socket_perms;
-
- allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
-+allow audisp_t initrc_t:unix_dgram_socket sendto;
-
- manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
- files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
-@@ -620,3 +621,10 @@ optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
- ')
-+
-+
-+allow auditd_t tmpfs_t:file { getattr setattr create open read append };
-+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
-+allow auditd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
deleted file mode 100644
index e2c6c89..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:46 +0530
-Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
- local_login_t
-
-add allow rules for locallogin module avc denials.
-
-without this change we are getting errors like these:
-
-type=AVC msg=audit(): avc: denied { read write open } for pid=353
-comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
-=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
-var_log_t:s0 tclass=file permissive=1
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
-tclass=unix_dgram_socket permissive=1
-
-type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
-"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
-:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
-=file permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/locallogin.te | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 4c679ff3..75750e4c 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -288,3 +288,13 @@ optional_policy(`
- optional_policy(`
- nscd_use(sulogin_t)
- ')
-+
-+allow local_login_t initrc_t:fd use;
-+allow local_login_t initrc_t:unix_dgram_socket sendto;
-+allow local_login_t initrc_t:unix_stream_socket connectto;
-+allow local_login_t self:capability net_admin;
-+allow local_login_t var_log_t:file { create lock open read write };
-+allow local_login_t var_run_t:file { open read write lock};
-+allow local_login_t var_run_t:sock_file write;
-+allow local_login_t tmpfs_t:dir { add_name write search};
-+allow local_login_t tmpfs_t:file { create open read write lock };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
deleted file mode 100644
index f194d6d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
-rule for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 3 +++
- policy/modules/system/logging.te | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 6693d87b..0cf108e0 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,6 +2,7 @@
-
- /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -32,10 +33,12 @@
- /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0c5be1cd..38ccfe3a 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
- allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
deleted file mode 100644
index 968a9be..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
- services allow rules
-
-systemd allow rules for systemd service file operations: start, stop, restart
-& allow rule for unconfined systemd service.
-
-without this change we are getting these errors:
-:~# systemctl status selinux-init.service
-Failed to get properties: Access denied
-
-:~# systemctl stop selinux-init.service
-Failed to stop selinux-init.service: Access denied
-
-:~# systemctl restart selinux-init.service
-audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
-gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
-restart selinux-init.service" scontext=unconfined_u:unconfined_r:
-unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 4 +++
- policy/modules/system/libraries.te | 3 +++
- policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
- policy/modules/system/unconfined.te | 6 +++++
- 4 files changed, 52 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d8696580..e15ec4b9 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1425,3 +1425,7 @@ optional_policy(`
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
-+allow init_t self:capability2 audit_read;
-+
-+allow initrc_t init_t:system { start status };
-+allow initrc_t init_var_run_t:service { start status };
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 422b0ea1..80b0c9a5 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -145,3 +145,6 @@ optional_policy(`
- optional_policy(`
- unconfined_domain(ldconfig_t)
- ')
-+
-+# systemd: init domain to start lib domain service
-+systemd_service_lib_function(lib_t)
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6353ca69..4519a448 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
-
- getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
- ')
-+
-+########################################
-+## <summary>
-+## Allow specified domain to start stop reset systemd service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_file_operations',`
-+ gen_require(`
-+ class service { start status stop };
-+ ')
-+
-+ allow $1 lib_t:service { start status stop };
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Allow init domain to start lib domain service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_lib_function',`
-+ gen_require(`
-+ class service start;
-+ ')
-+
-+ allow initrc_t $1:service start;
-+
-+')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 12cc0d7c..c09e94a5 100644
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
- optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
- ')
-+
-+
-+# systemd: specified domain to start stop reset systemd service
-+systemd_service_file_operations(unconfined_t)
-+
-+allow unconfined_t init_t:system reload;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
deleted file mode 100644
index 36bfdcf..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
- alternatives
-
-Upstream-Status: Inappropriate [only for Yocto]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/hostname.fc | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 83ddeb57..653e038d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1 +1,5 @@
-+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
- /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
deleted file mode 100644
index 06b9192..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:37 +0530
-Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
- add allow rules
-
-add allow rules for avc denails for systemd, mount, logging & authlogin
-modules.
-
-without this change we are getting avc denial like these:
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
-tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
-unix_dgram_socket permissive=0
-
-type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
-tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
-system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
-file permissive=0
-
-type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
-path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
-mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
-
-type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
-comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
-tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.te | 2 ++
- policy/modules/system/logging.te | 7 ++++++-
- policy/modules/system/mount.te | 3 +++
- policy/modules/system/systemd.te | 5 +++++
- 4 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 28f74bac..dfa46612 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -479,3 +479,5 @@ optional_policy(`
- samba_read_var_files(nsswitch_domain)
- samba_dontaudit_write_var_files(nsswitch_domain)
- ')
-+
-+allow chkpwd_t proc_t:filesystem getattr;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 4cc73327..98c2bd19 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
- allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
- allow auditd_t initrc_t:unix_dgram_socket sendto;
-
--allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow syslogd_t self:shm create;
-+allow syslogd_t self:sem { create read unix_write write };
-+allow syslogd_t self:shm { read unix_read unix_write write };
-+allow syslogd_t tmpfs_t:file { read write };
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 3dcb8493..a87d0e82 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -231,3 +231,6 @@ optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
- ')
-+
-+allow mount_t proc_t:filesystem getattr;
-+allow mount_t initrc_t:udp_socket { read write };
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f6455f6f..b13337b9 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
- allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
- allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
-+allow systemd_tmpfiles_t init_t:dir search;
-+allow systemd_tmpfiles_t proc_t:filesystem getattr;
-+allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-+
- kernel_getattr_proc(systemd_tmpfiles_t)
- kernel_read_kernel_sysctls(systemd_tmpfiles_t)
- kernel_read_network_state(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
deleted file mode 100644
index 194a474..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:37:32 -0400
-Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
-
-We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
-the proper context to the target for our policy.
-
-Upstream-Status: Inappropriate [only for Yocto]
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index e7415cac..cf3848db 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
- /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
deleted file mode 100644
index aec54cd..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:53 +0530
-Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
- manager.
-
-add allow rule to fix avc denial during system reboot.
-
-without this change we are getting:
-
-audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
-gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
-initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e15ec4b9..843fdcff 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
- allow init_t self:capability2 audit_read;
-
--allow initrc_t init_t:system { start status };
-+allow initrc_t init_t:system { start status reboot };
- allow initrc_t init_var_run_t:service { start status };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
deleted file mode 100644
index d098118..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 4 Apr 2019 10:45:03 -0400
-Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 1e5432a4..ac7c2dd1 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
- /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
deleted file mode 100644
index bf770d9..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 3 Apr 2019 14:51:29 -0400
-Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
- refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
- ls /var/log
- /var/log -> volatile/log
-:~#
-
-The old refpolicy included a pre-generated booleans.conf that could be
-patched. That's no longer the case so we're left with a few options,
-tweak the default directly or create a template booleans.conf file which
-will be updated during build time. Since this is intended to be applied
-only for specific configuraitons it seems like the same either way and
-this avoids us playing games to work around .gitignore.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/booleans.conf | 9 +++++++++
- policy/modules/system/mount.te | 2 +-
- policy/modules/system/systemd.te | 2 +-
- 3 files changed, 11 insertions(+), 2 deletions(-)
- create mode 100644 policy/booleans.conf
-
-diff --git a/policy/booleans.conf b/policy/booleans.conf
-new file mode 100644
-index 00000000..850f56ed
---- /dev/null
-+++ b/policy/booleans.conf
-@@ -0,0 +1,9 @@
-+#
-+# Allow the mount command to mount any directory or file.
-+#
-+allow_mount_anyfile = true
-+
-+#
-+# Enable support for systemd-tmpfiles to manage all non-security files.
-+#
-+systemd_tmpfiles_manage_all = true
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index a87d0e82..868052b7 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
- ## Allow the mount command to mount any directory or file.
- ## </p>
- ## </desc>
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(allow_mount_anyfile, true)
-
- attribute_role mount_roles;
- roleattribute system_r mount_roles;
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index b13337b9..74f9c1cb 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
- ## Enable support for systemd-tmpfiles to manage all non-security files.
- ## </p>
- ## </desc>
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
- ## <desc>
- ## <p>
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
deleted file mode 100644
index 824c136..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:43:53 -0400
-Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index e22945cd..a42bc0da 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -5,6 +5,7 @@
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
- /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
- /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
- /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
- /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
deleted file mode 100644
index 307574c..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:09 +0530
-Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
- service
-
-1. fix for systemd services: login & journal wile using refpolicy-minimum and
-systemd as init manager.
-2. fix login duration after providing root password.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
-systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
-tclass=fifo_file permissive=0
-
-audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
-="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
-
-audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
-system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
-="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
-lib_t:s0 tclass=service
-
-[FAILED] Failed to start Flush Journal to Persistent Storage.
-See 'systemctl status systemd-journal-flush.service' for details.
-
-[FAILED] Failed to start Login Service.
-See 'systemctl status systemd-logind.service' for details.
-
-[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
-See 'systemctl status avahi-daemon.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 2 ++
- policy/modules/system/locallogin.te | 3 +++
- policy/modules/system/systemd.if | 6 ++++--
- policy/modules/system/systemd.te | 2 +-
- 4 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 843fdcff..ca8678b8 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
-
- allow initrc_t init_t:system { start status reboot };
- allow initrc_t init_var_run_t:service { start status };
-+
-+allow initrc_t init_var_run_t:service stop;
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 75750e4c..2c2cfc7d 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
- allow local_login_t var_run_t:sock_file write;
- allow local_login_t tmpfs_t:dir { add_name write search};
- allow local_login_t tmpfs_t:file { create open read write lock };
-+allow local_login_t init_var_run_t:fifo_file write;
-+allow local_login_t initrc_t:dbus send_msg;
-+allow initrc_t local_login_t:dbus send_msg;
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 4519a448..79133e6f 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
- #
- interface(`systemd_service_lib_function',`
- gen_require(`
-- class service start;
-+ class service { start status stop };
-+ class file { execmod open };
- ')
-
-- allow initrc_t $1:service start;
-+ allow initrc_t $1:service { start status stop };
-+ allow initrc_t $1:file execmod;
-
- ')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 74f9c1cb..f1d26a44 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
- allow systemd_tmpfiles_t init_t:dir search;
- allow systemd_tmpfiles_t proc_t:filesystem getattr;
--allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t init_t:file { open getattr read };
- allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-
- kernel_getattr_proc(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
deleted file mode 100644
index 6472a21..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH 08/34] fc/bind: fix real path for bind
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index b4879dc1..59498e25 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
deleted file mode 100644
index 05543da..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:17 +0530
-Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
- services
-
-fix for systemd tmp files setup service while using refpolicy-minimum and
-systemd as init manager.
-
-these allow rules require kernel domain & files access, so added interfaces
-at systemd.te to merge these allow rules.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
-path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
-_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
-
-audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
-name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
-tclass=dir permissive=0
-
-[FAILED] Failed to start Create Static Device Nodes in /dev.
-See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
-
-[FAILED] Failed to start Create Volatile Files and Directories.
-See 'systemctl status systemd-tmpfiles-setup.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/files.if | 19 +++++++++++++++++++
- policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
- policy/modules/system/systemd.te | 2 ++
- 3 files changed, 42 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index eb067ad3..ff74f55a 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel tmp files domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
-+ gen_require(`
-+ type tmp_t;
-+ class lnk_file getattr;
-+ ')
-+
-+ allow $1 tmp_t:lnk_file getattr;
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 1ad282aa..342eb033 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
- allow $1 unlabeled_t:infiniband_endport manage_subnet;
- ')
-
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel sysctl domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
-+ gen_require(`
-+ type sysctl_kernel_t;
-+ class dir search;
-+ class file { open read };
-+ ')
-+
-+ allow $1 sysctl_kernel_t:dir search;
-+ allow $1 sysctl_kernel_t:file { open read };
-+
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f1d26a44..b4c64bc1 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
-
- seutil_read_file_contexts(systemd_update_done_t)
-
-+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
-+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
- systemd_log_parse_environment(systemd_update_done_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
deleted file mode 100644
index 382a62c..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:59:18 -0400
-Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index 30196589..e0dc4b6f 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,7 @@
-
- /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
--/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
deleted file mode 100644
index de9180a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:29 +0530
-Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
-
-syslog & getty related allow rules required to fix the syslog mixup with
-boot log, while using systemd as init manager.
-
-without this change we are getting these avc denials:
-
-audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
-dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
-"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
-object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
-"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
-:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
-/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
-system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
-
-audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
-scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
-s0 tclass=file permissive=0
-
-audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
-dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
-volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
-syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/getty.te | 1 +
- policy/modules/system/logging.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 423db0cc..9ab03956 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -132,3 +132,4 @@ optional_policy(`
-
- allow getty_t tmpfs_t:dir search;
- allow getty_t tmpfs_t:file { open write lock };
-+allow getty_t initrc_t:unix_dgram_socket sendto;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 98c2bd19..6a94ac12 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
- allow syslogd_t self:shm create;
- allow syslogd_t self:sem { create read unix_write write };
- allow syslogd_t self:shm { read unix_read unix_write write };
--allow syslogd_t tmpfs_t:file { read write };
-+allow syslogd_t tmpfs_t:file { read write create getattr append open };
-+allow syslogd_t tmpfs_t:dir { search write add_name };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
deleted file mode 100644
index 5de6d0d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 08:26:55 -0400
-Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index e52fdfcf..85d15127 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,3 @@
--/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
deleted file mode 100644
index ab81b31..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:20:58 -0400
-Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 4ac3e733..1f453091 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
deleted file mode 100644
index 8346fcf..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index ac7c2dd1..4e441503 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
- /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
- /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-+#
-+# /usr/lib/busybox
-+#
-+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
- #
- # /var
- #
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 9ec2e21..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 606ad517..2919c0bd 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index fff816a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/rpm.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 578d465c..f2b8003a 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
--/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
-+
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
deleted file mode 100644
index b26eeea..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c969..435a6892 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,5 @@
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
deleted file mode 100644
index 35676f8..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/fstools.fc | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 8fbd5ce4..d719e22c 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -58,6 +58,7 @@
- /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -72,10 +73,12 @@
- /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -88,17 +91,20 @@
- /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -108,6 +114,12 @@
- /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
- /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
-
- /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
deleted file mode 100644
index af24d90..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
- object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 38ccfe3a..c892f547 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
-
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
deleted file mode 100644
index 6dca744..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
- /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw... in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 6 ++++++
- policy/modules/system/logging.te | 2 ++
- 3 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 0cf108e0..5bec7e99 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 7b7644f7..0c7268ff 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',`
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
-@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
-@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
-@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',`
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index c892f547..499a4552 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
deleted file mode 100644
index a494671..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
- symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/domain.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 1a55e3d2..babb794f 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
-
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
- # listen code, before protocol-specific
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
deleted file mode 100644
index aa61a80..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/files.fc | 1 +
- policy/modules/kernel/files.if | 8 ++++++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c3496c21..05b1734b 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
- # /tmp
- #
- /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.* <<none>>
- /tmp/\.journal <<none>>
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f1c94411..eb067ad3 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
- ')
-
- allow $1 tmp_t:dir search_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
- ')
-
- allow $1 tmp_t:dir list_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
- ')
-
- allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
- ')
-
- read_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
- ')
-
- manage_dirs_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
- ')
-
- manage_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
- ')
-
- rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
- ')
-
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
deleted file mode 100644
index 68235b1..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
- to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/terminal.if | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 61308843..a84787e6 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file getattr;
-+ dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
-@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir search;
- allow $1 devpts_t:chr_file ioctl;
-+ allow $1 bsdpty_device_t:chr_file ioctl;
- ')
-
- ########################################
-@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- allow $1 devpts_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file setattr;
-+ dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir list_dir_perms;
- allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- ########################################
-@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
-
- #######################################
-@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- #######################################
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
deleted file mode 100644
index 06f9207..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
- term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/terminal.if | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index a84787e6..cf66da2f 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -335,9 +335,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- gen_require(`
- type console_device_t;
-+ type tty_device_t;
- ')
-
-+ init_dontaudit_use_fds($1)
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
-
- ########################################
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index 01f6c8b..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/rpc.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 47fa2fd0..d4209231 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
deleted file mode 100644
index 78a4328..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
- nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/filesystem.te | 1 +
- policy/modules/kernel/kernel.te | 2 ++
- policy/modules/services/rpc.te | 5 +++++
- policy/modules/services/rpcbind.te | 5 +++++
- 4 files changed, 13 insertions(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 41037951..b341ba83 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
-
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
- type nsfs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8e958074..7b81c732 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-
- ifdef(`distro_redhat',`
- # Bugzilla 222337
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index d4209231..a2327b44 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
-
- optional_policy(`
- mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
- ')
-
- ########################################
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 5914af99..2055c114 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
-
- miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 257395a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:16:37 -0400
-Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6790e5d0..2c95db81 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
- allow $1 security_t:filesystem mount;
- ')
-
-@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
- allow $1 security_t:filesystem remount;
- ')
-
-@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
- ')
-
- allow $1 security_t:filesystem unmount;
-+
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
-@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
- ')
-
- dontaudit $1 security_t:dir getattr;
-+ dev_dontaudit_getattr_sysfs($1)
-+ dev_dontaudit_search_sysfs($1)
- ')
-
- ########################################
-@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- ')
-
-@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
- type security_t;
- ')
-
-+ dev_dontaudit_getattr_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
-@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
-@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
-@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
- dontaudit $1 security_t:security check_context;
-@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 self:netlink_selinux_socket create_socket_perms;
- allow $1 security_t:dir list_dir_perms;
-@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index 23226a0..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/roles/sysadm.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2ae952bf..d781378f 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -945,6 +945,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
- rpcbind_admin(sysadm_t, sysadm_r)
- ')
-
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
deleted file mode 100644
index 732eaaf..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
- config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.if | 1 +
- policy/modules/system/userdomain.if | 4 ++++
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 20024993..0fdc8c10 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
- ')
-
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 5221bd13..4cf987d1 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
- logging_read_audit_config($1)
-
- seutil_manage_bin_policy($1)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
- seutil_run_checkpolicy($1, $2)
- seutil_run_loadpolicy($1, $2)
- seutil_run_semanage($1, $2)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
deleted file mode 100644
index 14734b2..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:30:27 -0400
-Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
- file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 8a1688cc..a9930e9e 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
-+fs_getattr_all_fs(setfiles_t)
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_getattr_cgroup(setfiles_t)
- fs_getattr_nfs(setfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
deleted file mode 100644
index aebdcb3..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
- default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c78..739a4bc5 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
-
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
deleted file mode 100644
index afba90f..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
- mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
- allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ftp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 29bc077c..d582cf80 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
-
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
deleted file mode 100644
index ced90be..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
- rules
-
-It provide, the systemd support related allow rules
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index f7635d6f..2e6b57a6 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1418,3 +1418,8 @@ optional_policy(`
- userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
- userdom_dontaudit_write_user_tmp_files(systemprocess)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
deleted file mode 100644
index 03b1439..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
- /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/apache.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 15c4ea53..596370b1 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
-
- allow httpd_t httpd_modules_t:dir list_dir_perms;
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
deleted file mode 100644
index 062727b..0000000
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MCS support. \
-An MCS policy is the same as an MLS policy but with only one sensitivity \
-level. This is useful on systems where a hierarchical policy (MLS) isn't \
-needed (pretty much all systems) but the non-hierarchical categories are. \
-"
-
-POLICY_TYPE = "mcs"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
deleted file mode 100644
index 40abe35..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ /dev/null
@@ -1,81 +0,0 @@
-################################################################################
-# Note that -minimum specifically inherits from -targeted. Key policy pieces
-# will be missing if you do not preserve this relationship.
-include refpolicy-targeted_${PV}.bb
-
-SUMMARY = "SELinux minimum policy"
-DESCRIPTION = "\
-This is a minimum reference policy with just core policy modules, and \
-could be used as a base for customizing targeted policy. \
-Pretty much everything runs as initrc_t or unconfined_t so all of the \
-domains are unconfined. \
-"
-
-POLICY_NAME = "minimum"
-
-CORE_POLICY_MODULES = "unconfined \
- selinuxutil \
- storage \
- sysnetwork \
- application \
- libraries \
- miscfiles \
- logging \
- userdomain \
- init \
- mount \
- modutils \
- getty \
- authlogin \
- locallogin \
- "
-#systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
-
-# nscd caches libc-issued requests to the name service.
-# Without nscd.pp, commands want to use these caches will be blocked.
-EXTRA_POLICY_MODULES += "nscd"
-
-# pam_mail module enables checking and display of mailbox status upon
-# "login", so "login" process will access to /var/spool/mail.
-EXTRA_POLICY_MODULES += "mta"
-
-# sysnetwork requires type definitions (insmod_t, consoletype_t,
-# hostname_t, ping_t, netutils_t) from modules:
-EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
-
-POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-
- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
-
- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-
- for i in base ${POLICY_MODULES_MIN}; do
- MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
- MOD_DIR=${POL_ACTIVE_MODS}/${i}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
-
- if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
- ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
- else
- bunzip2 --stdout ${MOD_FILE} | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp ${MOD_FILE} ${MOD_DIR}/hll
- done
-}
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 40abe35..67c3785 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -11,26 +11,31 @@ Pretty much everything runs as initrc_t or unconfined_t so all of the \
domains are unconfined. \
"
+SRC_URI += " \
+ file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
+ file://0002-refpolicy-minimum-make-xdg-module-optional.patch \
+ "
+
POLICY_NAME = "minimum"
CORE_POLICY_MODULES = "unconfined \
- selinuxutil \
- storage \
- sysnetwork \
- application \
- libraries \
- miscfiles \
- logging \
- userdomain \
- init \
- mount \
- modutils \
- getty \
- authlogin \
- locallogin \
- "
-#systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
+ "
+# systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools dbus', '', d)}"
# nscd caches libc-issued requests to the name service.
# Without nscd.pp, commands want to use these caches will be blocked.
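Review bot: The two new `file://` patch entries rely on a search path this hunk does not establish: the recipe is named refpolicy-minimum, so the default FILESPATH is refpolicy-minimum/ and files/, and the same commit drops `FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"` from refpolicy-targeted_git.bb, which this recipe appears to include (the deleted 2.20190201 copy, blob 40abe35, is byte-identical to the pre-change file and opens with `include refpolicy-targeted_${PV}.bb`). If refpolicy_${PV}.inc now prepends ${THISDIR}/refpolicy, as the rename at the end of this chunk suggests, a comment above the block would save the next reader the search, e.g. `# Patch search path (${THISDIR}/refpolicy) is set in refpolicy_${PV}.inc`. The `dbus` addition to the systemd-conditional module list also has no why-comment; a one-liner naming which domain needs the dbus module would help, since every module in this list ends up in the installed policy store.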
@@ -44,38 +49,48 @@ EXTRA_POLICY_MODULES += "mta"
# hostname_t, ping_t, netutils_t) from modules:
EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
+# Add specific policy modules here that should be purged from the system
+# policy. Purged modules will not be built and will not be installed on the
+# target. To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE! With this feature it is easy to break your policy by purging
+# core modules (eg. userdomain)
+#
+# PURGE_POLICY_MODULES += "xdg xen"
+
POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+# Re-write the same func from refpolicy_common.inc
+prepare_policy_store() {
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
+ # Prepare to create policy store
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+ # Get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
- for i in base ${POLICY_MODULES_MIN}; do
- MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
- MOD_DIR=${POL_ACTIVE_MODS}/${i}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ for i in base ${POLICY_MODULES_MIN}; do
+ MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+ MOD_DIR=${POL_ACTIVE_MODS}/${i}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
- if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
- ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
- else
- bunzip2 --stdout ${MOD_FILE} | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp ${MOD_FILE} ${MOD_DIR}/hll
- done
+ if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+ ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+ else
+ bunzip2 --stdout ${MOD_FILE} | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp ${MOD_FILE} ${MOD_DIR}/hll
+ done
}
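Review bot: The new PURGE_POLICY_MODULES comment documents a knob that nothing in this recipe honours: `POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"` and the `for i in base ${POLICY_MODULES_MIN}` loop in the rewritten prepare_policy_store take the full list, so a purged module that is also named in CORE_POLICY_MODULES would still be looked up in ${POL_SRC}, and since the comment says purged modules are not built, `cp ${MOD_FILE} ${MOD_DIR}/hll` would fail do_install. Whether refpolicy_common.inc strips PURGE_POLICY_MODULES from CORE_POLICY_MODULES before this function runs is not visible here; if it does not, filter here, e.g. `POLICY_MODULES_MIN = "${@' '.join(m for m in (d.getVar('CORE_POLICY_MODULES') + ' ' + d.getVar('EXTRA_POLICY_MODULES')).split() if m not in (d.getVar('PURGE_POLICY_MODULES') or '').split())}"`, and say so in the comment. The function body itself is unchanged apart from indentation and comment case, so the pre-existing `HLL_TYPE=$(echo ${POL_SRC}/base.* | ...)` still yields a literal `*` when no base module was installed; a guard such as `[ -n "${HLL_TYPE}" ] && [ "${HLL_TYPE}" != "*" ] || bbfatal "no base policy module in ${POL_SRC}"` would fail early with a clear message instead of a confusing error from ${HLL_BIN}.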
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
deleted file mode 100644
index 7388232..0000000
--- a/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MLS support. \
-It allows giving data labels such as \"Top Secret\" and preventing \
-such data from leaking to processes or files with lower classification. \
-"
-
-POLICY_TYPE = "mls"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
deleted file mode 100644
index 3674fdd..0000000
--- a/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMMARY = "Standard variants of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SELinux built with type enforcement \
-only."
-
-POLICY_TYPE = "standard"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
deleted file mode 100644
index 1ecdb4e..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
+++ /dev/null
@@ -1,35 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy. Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SYSTEMD_REFPOLICY_PATCHES = " \
- file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
- file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
- file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
- file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
- file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
- file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
- file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
- file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
- file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
- "
-
-SYSVINIT_REFPOLICY_PATCHES = " \
- file://0001-fix-update-alternatives-for-sysvinit.patch \
- "
-
-SRC_URI += " \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
- "
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index 1ecdb4e..de81d46 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -6,30 +6,12 @@ domain, so they have the same access to the system as if SELinux was not \
enabled. \
"
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
POLICY_NAME = "targeted"
POLICY_TYPE = "mcs"
POLICY_MLS_SENS = "0"
include refpolicy_${PV}.inc
-SYSTEMD_REFPOLICY_PATCHES = " \
- file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
- file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
- file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
- file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
- file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
- file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
- file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
- file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
- file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
- "
-
-SYSVINIT_REFPOLICY_PATCHES = " \
- file://0001-fix-update-alternatives-for-sysvinit.patch \
- "
-
SRC_URI += " \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
- "
+ file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
+ "
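Review bot: After this hunk the recipe still adds `file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch` to SRC_URI but no longer sets `FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"`, and that patch is added later in this commit under recipes-security/refpolicy/refpolicy/, not a directory named after this recipe. Resolution therefore depends on refpolicy_${PV}.inc supplying the search path, which is not visible here; a one-line comment above the SRC_URI block, e.g. `# patch search path (recipes-security/refpolicy/refpolicy) is set by refpolicy_${PV}.inc`, would make that dependency explicit. The SYSTEMD_REFPOLICY_PATCHES / SYSVINIT_REFPOLICY_PATCHES selection is dropped without a note; if those fixes were folded into the common include, a short comment saying so would stop someone re-adding them here.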
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index 5e38b8c..59169cb 100644
--- a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,23 +1,24 @@
-From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
+From 9fdb576862d6a373b4a50e149fcfd4571e01dd1a Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 16:14:09 -0400
-Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
Ensure /var/volatile paths get the appropriate base file context.
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- config/file_contexts.subs_dist | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ config/file_contexts.subs_dist | 6 ++++++
+ 1 file changed, 6 insertions(+)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 346d920e..be532d7f 100644
+index ba22ce7e7..23d4328f7 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
-@@ -31,3 +31,13 @@
+@@ -33,3 +33,9 @@
# not for refpolicy intern, but for /var/run using applications,
# like systemd tmpfiles or systemd socket configurations
/var/run /run
@@ -26,11 +27,7 @@ index 346d920e..be532d7f 100644
+# ensure the policy applied to the base filesystem objects are reflected in the
+# volatile hierarchy.
+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
--
-2.19.1
+2.25.1
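Review bot: The substitutions for `/var/volatile/run`, `/var/volatile/cache`, `/var/volatile/lock` and `/var/volatile/run/lock` are removed in this hunk, yet the patch description above (`Ensure /var/volatile paths get the appropriate base file context.`) is unchanged and gives no reason. If those directories still exist on images built by this layer they lose the base-path labelling this patch exists to provide; if they are now covered elsewhere (presumably the existing `/var/run /run` substitution for run and lock), that should be recorded. One sentence in the patch description, e.g. `Only log and tmp are aliased here; run, cache and lock are handled by the existing /var/run -> /run substitution.`, would let a later maintainer verify the assumption instead of guessing.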
diff --git a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index 09a16fb..820d71e 100644
--- a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,44 +1,44 @@
-From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001
+From 2d04fadd54814ce01d143262f36edbf0b1700a9b Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 5 Apr 2019 11:53:28 -0400
-Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
+Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
-init and locallogin modules have a depend for sysadm module because
-they have called sysadm interfaces(sysadm_shell_domtrans). Since
-sysadm is not a core module, we could make the sysadm_shell_domtrans
-calls optionally by optional_policy.
+The init and locallogin modules have a depend for sysadm module
+because they have called sysadm interfaces(sysadm_shell_domtrans).
+Since sysadm is not a core module, we could make the
+sysadm_shell_domtrans calls optionally by optional_policy.
So, we could make the minimum policy without sysadm module.
-Upstream-Status: pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/init.te | 16 +++++++++-------
+ policy/modules/system/init.te | 14 ++++++++------
policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 12 insertions(+), 8 deletions(-)
+ 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 2e6b57a6..d8696580 100644
+index c2380d8b4..31f77cf43 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -448,13 +448,15 @@ ifdef(`init_systemd',`
- modutils_domtrans(init_t)
+@@ -645,13 +645,15 @@ ifdef(`init_systemd',`
+ unconfined_write_keys(init_t)
')
',`
- tunable_policy(`init_upstart',`
- corecmd_shell_domtrans(init_t, initrc_t)
-- ',`
++ optional_policy(`
++ tunable_policy(`init_upstart',`
++ corecmd_shell_domtrans(init_t, initrc_t)
+ ',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- ifndef(`distro_debian',`
- sysadm_shell_domtrans(init_t)
-+ optional_policy(`
-+ tunable_policy(`init_upstart',`
-+ corecmd_shell_domtrans(init_t, initrc_t)
-+ ',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ ifndef(`distro_debian',`
@@ -48,10 +48,10 @@ index 2e6b57a6..d8696580 100644
')
')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a56f3d1f..4c679ff3 100644
+index 8330be8a9..933e94b24 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -63,5 +63,5 @@ index a56f3d1f..4c679ff3 100644
# by default, sulogin does not use pam...
# sulogin_pam might need to be defined otherwise
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
new file mode 100644
index 0000000..f4e4809
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -0,0 +1,81 @@
+From 15b4f9a17d1f45dc6e15e4a3b0e6490a9a518df6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 20 Apr 2020 11:50:03 +0800
+Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
+ user
+
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login and run most
+commands and services on unconfined domains.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/appconfig-mcs/failsafe_context | 2 +-
+ config/appconfig-mcs/seusers | 4 ++--
+ policy/modules/system/unconfined.te | 5 +++++
+ policy/users | 6 +++---
+ 4 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
+index 999abd9a3..a50bde775 100644
+--- a/config/appconfig-mcs/failsafe_context
++++ b/config/appconfig-mcs/failsafe_context
+@@ -1 +1 @@
+-sysadm_r:sysadm_t:s0
++unconfined_r:unconfined_t:s0
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..c0903d98b 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++root:unconfined_u:s0-mcs_systemhigh
++__default__:unconfined_u:s0
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 6c9769b04..01c9a7243 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
+ type unconfined_execmem_exec_t alias ada_exec_t;
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
++role unconfined_r types unconfined_t;
++role system_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++allow unconfined_r system_r;
+
+ ########################################
+ #
+diff --git a/policy/users b/policy/users
+index ca203758c..e737cd9cc 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
+ # not in the sysadm_r.
+ #
+ ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ ')
+--
+2.25.1
+
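Review bot: The unconfined.te additions `role system_r types unconfined_t;`, `role_transition system_r unconfined_exec_t unconfined_r;` and the paired `allow system_r unconfined_r;` / `allow unconfined_r system_r;` have no comment, and the patch description only talks about users logging in unconfined. These rules also let init-started services (system_r) run in unconfined_t and switch roles in both directions, which is a wider grant than the seusers and failsafe_context edits, and the policy/users hunk additionally gives system_u the unconfined_r role. A comment above `role unconfined_r types unconfined_t;` such as `# targeted policy: allow services started by init to run unconfined and to move between system_r and unconfined_r` plus a sentence in the patch body covering the system_u change would document the intended scope.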
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index 22eab15..b6be830 100644
--- a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,31 +1,33 @@
-From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From a3269d08232045835f341e5796da66d9bf948aca Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 20:48:10 -0400
-Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
The objects in /usr/lib/busybox/* should have the same policy applied as
the corresponding objects in the / hierarchy.
+Upstream-Status: Inappropriate [embedded specific]
+
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- config/file_contexts.subs_dist | 7 +++++++
- 1 file changed, 7 insertions(+)
+ config/file_contexts.subs_dist | 6 ++++++
+ 1 file changed, 6 insertions(+)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index be532d7f..04fca3c3 100644
+index 23d4328f7..690007f22 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
-@@ -41,3 +41,10 @@
+@@ -39,3 +39,9 @@
+ # volatile hierarchy.
+ /var/volatile/log /var/log
/var/volatile/tmp /var/tmp
- /var/volatile/lock /var/lock
- /var/volatile/run/lock /var/lock
+
+# busybox aliases
+# quickly match up the busybox built-in tree to the base filesystem tree
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
+/usr/lib/busybox/usr /usr
-+
--
-2.19.1
+2.25.1
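Review bot: The patch description still says the busybox objects should match `the corresponding objects in the / hierarchy`, but the hunk now maps `/usr/lib/busybox/bin` to `/usr/bin` and `/usr/lib/busybox/sbin` to `/usr/sbin` instead of `/bin` and `/sbin`. The new targets follow the merged-/usr paths the refreshed refpolicy labels, so the description should say so, e.g. `Map the busybox tree onto the /usr hierarchy, which is where refpolicy now labels bin and sbin.`; otherwise a reader comparing description and substitutions will suspect a typo. If images without usrmerge are still supported by this layer, the old `/bin` and `/sbin` aliases may be needed alongside the new ones; that is not decidable from the hunk.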
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
new file mode 100644
index 0000000..cc8c0b7
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
@@ -0,0 +1,40 @@
+From 39b825d24a34864c3d9bae684b083a9b656f641a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 29 Sep 2021 11:08:49 +0800
+Subject: [PATCH] refpolicy-minimum: make xdg module optional
+
+The systemd module invokes xdg_config_content and xdg_data_content
+interfaces which are from xdg module. Since xdg is not a core module, we
+could make it optional in minimum policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a0e6bb405..b1fc414ea 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -313,10 +313,14 @@ init_unit_file(systemd_user_manager_unit_t)
+
+ type systemd_conf_home_t;
+ init_unit_file(systemd_conf_home_t)
+-xdg_config_content(systemd_conf_home_t)
++optional_policy(`
++ xdg_config_content(systemd_conf_home_t)
++')
+
+ type systemd_data_home_t;
+-xdg_data_content(systemd_data_home_t)
++optional_policy(`
++ xdg_data_content(systemd_data_home_t)
++')
+
+ type systemd_user_runtime_notify_t;
+ userdom_user_runtime_content(systemd_user_runtime_notify_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index 77c6829..69ed556 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,27 +1,26 @@
-From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
+From a78f1bf10f489d1abe8a4db9c8ee29af6ac9d02c Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
alternatives
-Upstream-Status: Inappropriate [only for Yocto]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/hostname.fc | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/system/hostname.fc | 2 ++
+ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 83ddeb57..653e038d 100644
+index 83ddeb573..cf523bc4c 100644
--- a/policy/modules/system/hostname.fc
+++ b/policy/modules/system/hostname.fc
-@@ -1 +1,5 @@
+@@ -1 +1,3 @@
+ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
- /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
index 60d585b..1eac7ec 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -1,30 +1,31 @@
-From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001
+From 0f549b970d42109994c5736e78f0b7d9267b1ae5 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:37:32 -0400
-Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
the proper context to the target for our policy.
-Upstream-Status: Inappropriate [only for Yocto]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index e7415cac..cf3848db 100644
+index 04d6caa80..7d2efef0a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+@@ -147,6 +147,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
new file mode 100644
index 0000000..4329a12
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -0,0 +1,29 @@
+From d9348cee43dd6d6e2ea971ef22c796956b9677fd Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 14505efe9..c9ec4e5ab 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -84,6 +84,7 @@ ifdef(`distro_redhat',`
+ /run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)
+ /run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0)
+ /run/netns/[^/]+ -- <<none>>
++/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+--
+2.25.1
+
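Review bot: The new entry `/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)` ends in an unanchored `.*`, which in file_contexts regexes also matches `/`, so any regular file below a directory such as `/run/resolv.conf.d/` would be labelled net_conf_t, not just the suffixed copies this is presumably meant for. If only `resolv.conf` and sibling temporary files are intended, `/run/resolv\.conf[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)` is the tighter form. The patch has no body; one sentence naming which component writes the suffixed variants would justify the wildcard.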
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index 8c71c90..cdf71d6 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,27 +1,28 @@
-From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
+From df2801c3f9689d6c173dca05ee970756ba3b3d04 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:43:53 -0400
-Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+Subject: [PATCH] fc/login: apply login context to login.shadow
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/authlogin.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index e22945cd..a42bc0da 100644
+index adb53a05a..a25a9d607 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -5,6 +5,7 @@
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -8,6 +8,7 @@
+ /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_history_t,s0)
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
- /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
new file mode 100644
index 0000000..db0d93a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,25 @@
+From f274bbf18ef930a506c7fe7cc90c32698e51b318 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 301965892..139485835 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,4 @@
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+ /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.25.1
+
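Review bot: Only `/usr/sbin/hwclock\.util-linux` is added, while the surrounding clock.fc context already labels both `/usr/bin/hwclock` and `/usr/sbin/hwclock`, and the sysnetwork patch in this same commit adds its alternatives under both `/usr/bin` and `/usr/sbin`. If util-linux installs hwclock into bindir on some configurations of this layer, that alternative would not receive hwclock_exec_t and the domain transition would not apply; adding `/usr/bin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)` keeps the two locations consistent. If sbindir is the only install location here, a one-line note in the patch body saying so would settle it.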
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100644
index 0000000..8030e93
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,23 @@
+From c69e143640f73d13d82aa6cfcbfce64a02bcb13d Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/dmesg.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf8..526b92ed2 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,2 @@
+ /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
index 09576fa..40b3e8d 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,27 +1,28 @@
-From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001
+From 6cb433b296b2085bf1aa54c7722a8bcf7a69cba8 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 09:20:58 -0400
-Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
+Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 4ac3e733..1f453091 100644
+index 5c512e972..0448c1877 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host.*_key(\.pub)? -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
index f02bd3a..6d1b362 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
@@ -1,48 +1,47 @@
-From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001
+From 89f23ef679f8f0f842b7b41b85c48266d292bcfc Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
+Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/sysnetwork.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ policy/modules/system/sysnetwork.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index ac7c2dd1..4e441503 100644
+index c9ec4e5ab..4ca151524 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
+@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
+ /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -60,13 +61,16 @@ ifdef(`distro_redhat',`
/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
+ /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+#
-+# /usr/lib/busybox
-+#
-+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
- #
- # /var
- #
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..86fc796
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,27 @@
+From 2fb2dc1ab37da9d6d1f885b7f4b3eae8db66844a Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/rpm.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 7efcf71de..2f83019f0 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -74,4 +74,6 @@ ifdef(`distro_redhat',`
+
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+--
+2.25.1
+
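Review bot: The two new cpio entries are placed inside the `ifdef(`enable_mls',`` block shown in the context, so they are only compiled into an MLS build; the targeted recipe in this commit sets `POLICY_TYPE = "mcs"`, and if enable_mls is defined only for the mls variant these labels will be absent there. If cpio should be rpm_exec_t in every policy type the lines belong outside the ifdef; if MLS-only is intended the patch body should say so, since the subject reads as unconditional. Because rpm_exec_t is the entry point into the rpm domain, a sentence explaining why the cpio alternatives need it would also help whoever audits the resulting policy.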
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch
index c0fbb69..69e36e1 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,26 +1,27 @@
-From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001
+From 95920611d43a3e6352fc16fcac05977844d57398 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
+Subject: [PATCH] fc/su: apply policy to su alternatives
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/admin/su.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c969..435a6892 100644
+index 3375c9692..a9868cd58 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
@@ -1,3 +1,5 @@
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch
index 34e9830..55f3175 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,76 +1,74 @@
-From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001
+From 8b5320fbdb29ab1bf601d9cf81ffe7ea7b9bc55f Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
+Subject: [PATCH] fc/fstools: fix real path for fstools
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/fstools.fc | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
+ policy/modules/system/fstools.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 8fbd5ce4..d719e22c 100644
+index 63423802d..124109a68 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
-@@ -58,6 +58,7 @@
+@@ -58,7 +58,9 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -72,10 +73,12 @@
+ /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +74,13 @@
/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -88,17 +91,20 @@
+@@ -83,13 +88,16 @@
+ /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -99,8 +107,10 @@
/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -108,6 +114,12 @@
- /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
- /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
-
- /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+ /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--
-2.19.1
+2.25.1
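Review bot: The rebased patch drops the `/usr/sbin/raw` entry and the five `/usr/lib/busybox/sbin/*` entries that the previous revision carried, and the patch description does not mention either removal. An earlier hunk in this commit removes similar busybox lines from another patch, which suggests they moved to a dedicated busybox patch; if so, a sentence such as `Busybox applet contexts are now handled in the busybox patch` in the description would make the rebase reviewable, and the reason for dropping `raw` should be stated as well. The `hdparm\.util-linux` to `hdparm\.hdparm` correction and the new e2fsprogs/parted/util-linux alternatives are consistent with the surrounding fsadm_exec_t entries.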
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
index 62e7da1..73a0d8a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -1,53 +1,55 @@
-From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001
+From 8eefd8242e8b08fee6886d6bba12c4af202890d0 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix update-alternatives for sysvinit
+Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/admin/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 2 ++
policy/modules/system/init.fc | 1 +
- 3 files changed, 3 insertions(+)
+ 3 files changed, 4 insertions(+)
diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index 03a2230c..2ba049ff 100644
+index 89d682d36..354f4d1d9 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
-@@ -5,5 +5,6 @@
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+@@ -7,5 +7,6 @@
+ /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
- /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+ /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index cf3848db..86920167 100644
+index 7d2efef0a..9a5711a83 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
+@@ -156,6 +156,8 @@ ifdef(`distro_gentoo',`
/usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 11a6ce93..93e9d2b4 100644
+index 07b12de2e..d99767ce8 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
- # /usr
- #
- /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+@@ -49,6 +49,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
--
-2.19.1
+2.25.1
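Review bot: The added `/usr/bin/mountpoint\.util-linux` line in corecommands.fc is a new functional change to a patch whose subject still says it fixes alternatives for sysvinit, and the description says nothing about util-linux even though the diffstat grew from 3 to 4 insertions. The same file is edited again by the following 0016 patch, whose index line continues from `9a5711a83`, so the two patches now have an ordering dependency worth recording. Consider adding to the description: `Also cover the util-linux alternative for mountpoint, which shares the bin_t context; 0016 builds on this change.`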
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
new file mode 100644
index 0000000..e21e044
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -0,0 +1,24 @@
+From e4bdaafd9684b3b46a6d0a417967f596fbdc36c2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:19:54 +0800
+Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/brctl.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
+index ed472f095..2a852b0fd 100644
+--- a/policy/modules/admin/brctl.fc
++++ b/policy/modules/admin/brctl.fc
+@@ -1,3 +1,4 @@
+ /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
+ /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
new file mode 100644
index 0000000..3020814
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -0,0 +1,28 @@
+From 762b0bd9cc26627f7361d5db92ae1cb366c0858b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:21:51 +0800
+Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/corecommands.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 9a5711a83..c9009af5f 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -311,6 +311,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
new file mode 100644
index 0000000..cd3cb4b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -0,0 +1,25 @@
+From d312aa5ea1da9c19eb214a55acb2d2b5347ed68f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:43:28 +0800
+Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/locallogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index fc8d58507..59e6e9601 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -2,4 +2,5 @@
+ /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+
+ /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
new file mode 100644
index 0000000..9009120
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -0,0 +1,27 @@
+From 3085ae26b66d82f7c7b3db507153a5976ec26b48 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:45:23 +0800
+Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/ntp.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index 9243f3304..e13cf6a9b 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -25,6 +25,7 @@
+ /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
new file mode 100644
index 0000000..9fc5b90
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -0,0 +1,50 @@
+From 4f377178aff842dc4ce9c6e705a761478d21f4d3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:55:05 +0800
+Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/kerberos.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
+index df21fcc78..ce0166edd 100644
+--- a/policy/modules/services/kerberos.fc
++++ b/policy/modules/services/kerberos.fc
+@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+ /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+ /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+ /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++
+ /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+ /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+--
+2.25.1
+
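Review bot: `/usr/sbin/kadmin\.local` is labelled `kadmind_exec_t`, the entrypoint type used for the kadmind daemon in the line above it, although kadmin.local is an administrative client rather than the daemon; if the policy has a domain transition on that type, an administrator invoking it would run in the daemon's domain with the daemon's permissions. Please confirm that is intended, or give the client a type that matches how it is meant to run. Separately, none of the added entries is an update-alternatives name; they are distribution-specific init script names, the kpropd binary and the `/var/krb5kdc` tree, so the subject `apply policy to kerberos alternatives` does not describe the change and the description should list these additions.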
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch
new file mode 100644
index 0000000..c2247c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -0,0 +1,40 @@
+From 6de6e53b41602b50ebec3627ceede5e13bad3bb6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:06:13 +0800
+Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/ldap.fc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
+index 0a1d08d0f..65b202962 100644
+--- a/policy/modules/services/ldap.fc
++++ b/policy/modules/services/ldap.fc
+@@ -1,8 +1,10 @@
+ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+ /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+ /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+
+ /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+ /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+@@ -25,6 +27,9 @@
+ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+ /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+
++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++
+ /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+--
+2.25.1
+
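Review bot: None of the added entries is an update-alternatives name, so the subject `fc/ldap: apply policy to ldap alternatives` does not describe the change; the patch adds distribution-specific paths (`/etc/openldap/slapd\.conf`, the `openldap` init script and the `/var/openldap` database tree). A one-line description stating where these paths come from, e.g. `Paths used by the openldap recipe on this distribution`, would help the next rebase. The types chosen mirror the neighbouring entries, so the labelling itself looks consistent.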
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
new file mode 100644
index 0000000..9d3c2e1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -0,0 +1,37 @@
+From f523a63f9f209544b9a557e76e94354c23d93959 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:13:16 +0800
+Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/postgresql.fc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index f31a52cf8..f9bf46870 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -27,6 +27,17 @@
+ /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
+
++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
++
+ ifdef(`distro_redhat', `
+ /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ ')
+--
+2.25.1
+
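Review bot: The new `/usr/bin/pg_*` block labels administrative utilities (pg_ctl, pg_basebackup, pg_upgrade, pg_resetxlog and so on) with `postgresql_exec_t`, whereas the context lines just above it give that type only to the server binaries `postgres` and `postmaster`. If postgresql_exec_t is an entrypoint with a domain transition, an administrator running these tools from a shell would be moved into the server domain; confirm that is wanted rather than labelling only `/usr/bin/postgres` and `/usr/bin/postmaster`. `pg_resetxlog` and `pg_xlogdump` are also the pre-10 names of pg_resetwal and pg_waldump, so check the names against the PostgreSQL version the recipe ships. As with other patches in this series, nothing here is an alternative, so the subject should be reworded.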
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
new file mode 100644
index 0000000..749c19a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -0,0 +1,25 @@
+From 57c6a0e69aa9d308ec23dc60dc2420ee5c62bf7f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:15:33 +0800
+Subject: [PATCH] fc/screen: apply policy to screen alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/apps/screen.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
+index e51e01d97..238dc263e 100644
+--- a/policy/modules/apps/screen.fc
++++ b/policy/modules/apps/screen.fc
+@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+ /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+
+ /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+--
+2.25.1
+
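Review bot: `/usr/bin/screen-.*` matches any file in /usr/bin whose name begins with `screen-`, not only the versioned binary the alternative presumably points at, so an unrelated helper with that prefix would receive `screen_exec_t` and whatever domain transition comes with it. If the target is `screen-<version>`, a tighter pattern such as `/usr/bin/screen-[0-9.]+ -- gen_context(system_u:object_r:screen_exec_t,s0)` limits the match. A description line naming the expected file would make the intent clear.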
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
new file mode 100644
index 0000000..152d147
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -0,0 +1,57 @@
+From f0706a85dca8801d87130102b701c7bc2fd7476d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:25:34 +0800
+Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/usermanage.fc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index 7209a8dd0..c9dc1f000 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,8 +4,13 @@ ifdef(`distro_debian',`
+
+ /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -15,6 +20,7 @@ ifdef(`distro_debian',`
+ /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+@@ -26,6 +32,7 @@ ifdef(`distro_debian',`
+ /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+ /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -41,6 +48,7 @@ ifdef(`distro_debian',`
+ /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+ /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch
new file mode 100644
index 0000000..3527e65
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch
@@ -0,0 +1,27 @@
+From 2ff44df5a5da2246f2198741a05786e89ac9f4e3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 16:07:30 +0800
+Subject: [PATCH] fc/getty: add file context to start_getty
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea6421..53ff6137b 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
+
+ /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+--
+2.25.1
+
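Review bot: The `/usr/bin/start_getty` entry exists to override the `/usr/bin/.*getty` regex two lines above it, which would otherwise match start_getty and label it `getty_exec_t`; the override works because the literal path has a longer stem than the regex, but nothing in the hunk or the description says so, and a future rebase could drop the line as redundant. A sentence in the patch description such as `start_getty is presumably a wrapper script rather than a getty; keep it bin_t so it does not enter the getty domain` would preserve the reasoning. If start_getty is in fact something else, the description should say what it is and why bin_t is the right type.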
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch
new file mode 100644
index 0000000..331eab9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch
@@ -0,0 +1,25 @@
+From 42676d53a9c8554ac3e05f826f23792edf8d3c27 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 18 Dec 2019 15:04:41 +0800
+Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/apps/vlock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
+index f668cde9c..c4bc50984 100644
+--- a/policy/modules/apps/vlock.fc
++++ b/policy/modules/apps/vlock.fc
+@@ -1,4 +1,5 @@
+ /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
++/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+
+ /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..0adb47f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@
+From 3cf1f270369d7a2c75faf1a90d1485fe699dbbfe Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 30 Jun 2020 10:45:57 +0800
+Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/cron.fc | 1 +
+ policy/modules/services/rngd.fc | 1 +
+ policy/modules/services/rpc.fc | 2 ++
+ policy/modules/system/logging.fc | 1 +
+ 4 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 827363d88..e8412396d 100644
+--- a/policy/modules/services/cron.fc
++++ b/policy/modules/services/cron.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
++++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+ /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 7edc09fac..7416fa39f 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -2,7 +2,9 @@
+ /etc/exports\.d(/.*)? gen_context(system_u:object_r:exports_t,s0)
+
+ /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+ /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 3b0dea51b..0ce2bec4b 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch
new file mode 100644
index 0000000..fbaa44e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch
@@ -0,0 +1,30 @@
+From 8b5ff44ba4a7819efb694cba6237bc572835628b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 5 Apr 2020 22:03:45 +0800
+Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
+
+The genhomedircon.py will expand /root directory to /home/root.
+Add an aliase for it
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/file_contexts.subs_dist | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 690007f22..f80499ebf 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -45,3 +45,7 @@
+ /usr/lib/busybox/bin /usr/bin
+ /usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
++
++# The genhomedircon.py will expand /root home directory to /home/root
++# Add an aliase for it
++/root /home/root
+--
+2.25.1
+
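Review bot: The comment lines added in the hunk (`+# Add an aliase for it`) and the patch subject misspell "alias"; suggest `# Add an alias for it`. The entry follows the direction of the busybox lines above it, so lookups under `/root` are presumably rewritten to `/home/root` and then depend entirely on genhomedircon having emitted `/home/root` entries as the description says; it would be worth stating in the comment that the substitution is only correct when root's home directory is generated as `/home/root`.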
diff --git a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
new file mode 100644
index 0000000..4e97d8a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -0,0 +1,91 @@
+From 6f73afe1d8647bd917f6c06b46b0f0cebc276776 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0ce2bec4b..8957366b0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log -l gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 49028a0cb..4381d2e83 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -1091,10 +1091,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, logfile, logfile)
+ ')
+
+@@ -1175,6 +1177,7 @@ interface(`logging_manage_generic_log_dirs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir manage_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1195,6 +1198,7 @@ interface(`logging_relabel_generic_log_dirs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir relabel_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1215,6 +1219,7 @@ interface(`logging_read_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -1316,6 +1321,7 @@ interface(`logging_manage_generic_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1334,6 +1340,7 @@ interface(`logging_watch_generic_logs_dir',`
+ ')
+
+ allow $1 var_log_t:dir watch;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+--
+2.25.1
+
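Review bot: The `var_log_t:lnk_file read_lnk_file_perms` rule is added to the read, manage, relabel and watch interfaces, but the description says it is needed for search/list/delete/rw in /var/log; if logging.if also defines search, list, append or rw interfaces over `var_log_t` (not visible in this hunk), domains that use only those would still be denied on the `/var/log` symlink. Separately, the new `/var/log -l` entry is labelled at `s0` while the `-d` line directly above it uses `s0-mls_systemhigh`; this matches the `/tmp -l` entry elsewhere in the series, but a short comment such as `# symlink is single-level; the range is carried by the directory` would make the difference look deliberate rather than accidental.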
diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch
index a532316..cfef36b 100644
--- a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -1,33 +1,34 @@
-From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001
+From 9d4f8d201dbdea28a38b5faaef9abc016bcbaab3 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 10:33:18 -0400
-Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
- /var/log
+Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
+ of /var/log
We have added rules for the symlink of /var/log in logging.if, while
syslogd_t uses /var/log but does not use the interfaces in logging.if. So
still need add a individual rule for syslogd_t.
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 499a4552..e6221a02 100644
+index 9d9a01fcc..45584dba6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
+@@ -425,6 +425,7 @@ files_search_spool(syslogd_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
# for systemd but can not be conditional
- files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+ files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch
index 2546457..62c1593 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -1,37 +1,39 @@
-From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001
+From 1ed2b79828a7dd08079ec111b116f6d288450662 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
+Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
+ /tmp
/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/kernel/files.fc | 1 +
policy/modules/kernel/files.if | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c3496c21..05b1734b 100644
+index b1728d37c..c5012e6b4 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
-@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp -l gen_context(system_u:object_r:tmp_t,s0)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f1c94411..eb067ad3 100644
+index 472b5bb38..a2aa85b1c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
+@@ -4819,6 +4819,7 @@ interface(`files_search_tmp',`
')
allow $1 tmp_t:dir search_dir_perms;
@@ -39,7 +41,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
+@@ -4855,6 +4856,7 @@ interface(`files_list_tmp',`
')
allow $1 tmp_t:dir list_dir_perms;
@@ -47,7 +49,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4891,6 +4893,7 @@ interface(`files_delete_tmp_dir_entry',`
')
allow $1 tmp_t:dir del_entry_dir_perms;
@@ -55,7 +57,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
+@@ -4909,6 +4912,7 @@ interface(`files_read_generic_tmp_files',`
')
read_files_pattern($1, tmp_t, tmp_t)
@@ -63,7 +65,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4927,6 +4931,7 @@ interface(`files_manage_generic_tmp_dirs',`
')
manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -71,7 +73,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4963,6 +4968,7 @@ interface(`files_manage_generic_tmp_files',`
')
manage_files_pattern($1, tmp_t, tmp_t)
@@ -79,7 +81,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4999,6 +5005,7 @@ interface(`files_rw_generic_tmp_sockets',`
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -87,7 +89,7 @@ index f1c94411..eb067ad3 100644
')
########################################
-@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
+@@ -5206,6 +5213,7 @@ interface(`files_tmp_filetrans',`
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -96,5 +98,5 @@ index f1c94411..eb067ad3 100644
########################################
--
-2.19.1
+2.25.1
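Review bot: The new side narrows the `/tmp -l` label from `s0-mls_systemhigh` to `s0` (`+/tmp -l gen_context(system_u:object_r:tmp_t,s0)`), which is a behaviour change on MLS builds, yet neither the patch description nor the rename mentions it. Suggest adding a sentence to the description along the lines of "Label the /tmp symlink at s0, matching the /var/log symlink; the range on the directory itself is unchanged." The rest of the rewrite only rebases hunk offsets and looks trivial.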
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
new file mode 100644
index 0000000..e9e717b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -0,0 +1,41 @@
+From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
+
+Fixes:
+avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
+ino=12552 scontext=system_u:system_r:auditd_t
+tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 45584dba6..8bc70b81d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ allow auditd_t var_log_t:dir search_dir_perms;
+
+ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+@@ -306,6 +307,7 @@ optional_policy(`
+ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
index 887af46..b3dd24f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -1,22 +1,23 @@
-From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001
+From 3da00356bee8be72115652850d535c9ec5f1b333 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
- term_dontaudit_use_console.
+Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
+ term_dontaudit_use_console
We should also not audit terminal to rw tty_device_t and fds in
term_dontaudit_use_console.
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/kernel/terminal.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index a84787e6..cf66da2f 100644
+index e5645c7c5..6e9f654ac 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -335,9 +335,12 @@ interface(`term_use_console',`
@@ -33,5 +34,5 @@ index a84787e6..cf66da2f 100644
########################################
--
-2.19.1
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
new file mode 100644
index 0000000..073068e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -0,0 +1,34 @@
+From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 1 Jul 2020 08:44:07 +0800
+Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
+ directory with label rpcbind_runtime_t
+
+Fixes:
+avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
+scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/rpcbind.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 137c21ece..2a712192b 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
+ # Local policy
+ #
+
+-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit rpcbind_t self:capability net_admin;
+ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+--
+2.25.1
+
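Review bot: The rule change grants rpcbind_t the `chown` capability, but the AVC quoted in the description is `{ create }` on a `var_run_t` directory, which CAP_CHOWN does not address; the matching fix for a create denial on the runtime directory is a type transition such as `files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, dir, "rpcbind")`, if one is not already present upstream. If `chown` is genuinely required as well, the description should quote that denial and the subject line should say what the hunk actually does. As written a reader cannot verify that the grant is the minimal one.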
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
new file mode 100644
index 0000000..556069a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -0,0 +1,46 @@
+From 59b8730de7af45617a6125c7e23cecf896c30ce4 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: enable support for
+ systemd-tmpfiles to manage all non-security files
+
+Fixes:
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission denied
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/var/lib/systemd/ephemeral-trees": Permission denied
+
+AVC avc: denied { relabelfrom } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { write } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { create } for pid=226 comm="systemd-tmpfile"
+name="ephemeral-trees" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index aa9198591..abc324cf1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+--
+2.25.1
+
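Review bot: Flipping the compile-time default of `systemd_tmpfiles_manage_all` to `true` widens systemd_tmpfiles_t to every non-security file type, while the failures listed in the description involve only `user_home_dir_t` and `init_var_lib_t`. The description should say why the tunable default was changed in policy rather than enabling the boolean per image or adding the two narrower rules, so the trade-off is recorded. The `<desc>` block just above the hunk still reads as opt-in; a line such as `## Enabled by default in this layer.` would keep it accurate.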
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
new file mode 100644
index 0000000..30c7d12
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
@@ -0,0 +1,43 @@
+From feb50cfed6d7a08bb4e61b47f95df729a4fba9ea Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 30 Sep 2023 17:20:29 +0800
+Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to
+ create /var/log/audit
+
+Fixes:
+systemd[1]: Starting Security Auditing Service...
+auditd[246]: Could not open dir /var/log/audit (No such file or directory)
+auditd[246]: The audit daemon is exiting.
+systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
+systemd[1]: auditd.service: Failed with result 'exit-code'.
+systemd[1]: Failed to start Security Auditing Service.
+
+AVC avc: denied { create } for pid=224 comm="systemd-tmpfile"
+name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8bc70b81d..3cab14381 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -27,6 +27,10 @@ type auditd_log_t;
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
++optional_policy(`
++ systemd_tmpfilesd_managed(auditd_log_t)
++')
++
+ type audit_spool_t;
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+--
+2.25.1
+
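Review bot: `systemd_tmpfilesd_managed(auditd_log_t)` is applied to a type declared two lines above as a security file (`files_security_file(auditd_log_t)`), which effectively removes that distinction for the audit log directory as far as systemd-tmpfiles is concerned. If the interface grants the full manage pattern, as its name suggests (confirm against systemd.if), systemd_tmpfiles_t can also delete or rewrite audit logs, whereas the quoted denial is only `{ create }` on the directory. Either a narrower create-only rule, or a comment on the `optional_policy` block such as `# tmpfiles creates /var/log/audit before auditd starts; this grants more than create`, would record that the wider grant was considered.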
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
new file mode 100644
index 0000000..568f820
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -0,0 +1,43 @@
+From c21d5186e0625fd83c9d674c3284cfd98c2f02b9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 09:26:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
+ the process state of all domains
+
+We encountered the following su runtime error:
+$ useradd user1
+$ passwd user1
+New password:
+Retype new password:
+passwd: password updated successfully
+$ su - user1
+Session terminated, terminating shell...Hangup
+
+Fixes:
+avc: denied { use } for pid=344 comm="su"
+path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661
+scontext=root:sysadm_r:sysadm_su_t
+tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index abc324cf1..ffce3c0e8 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1006,6 +1006,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
++domain_read_all_domains_state(systemd_logind_t)
+
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+--
+2.25.1
+
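Review bot: The added `domain_read_all_domains_state(systemd_logind_t)` gives logind read access to the process state of every domain, but the AVC quoted in the description is `{ use }` on a logind fd by `sysadm_su_t`, which this rule does not grant; the description should explain how the two relate (for instance by quoting the denial that appears once the fd one is resolved), or quote the denial this rule actually fixes. Since the patch is marked Pending for upstream, that reviewer will ask the same question, and a grant limited to the user domains logind manages, if such an interface exists, would be easier to justify than all-domain access.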
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
new file mode 100644
index 0000000..7d29f23
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
@@ -0,0 +1,36 @@
+From e561ad9a73c949768f0b4e91943a32f10a9f4acc Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 28 Oct 2022 11:56:09 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file
+ descriptors
+
+Root can not login via console without this.
+
+Fixes:
+avc: denied { use } for pid=323 comm="sh" path="/dev/tty1"
+dev="devtmpfs" ino=21 scontext=root:sysadm_r:sysadm_t
+tcontext=system_u:system_r:init_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 08cc0e117..c08226dc3 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -95,6 +95,8 @@ ifdef(`init_systemd',`
+ # LookupDynamicUserByUID on org.freedesktop.systemd1.
+ init_dbus_chat(sysadm_t)
+
++ init_use_fds(sysadm_t)
++
+ # Allow sysadm to get the status of and set properties of other users,
+ # sessions, and seats on the system.
+ systemd_dbus_chat_logind(sysadm_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
new file mode 100644
index 0000000..9499e77
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,91 @@
+From 33164c889a759f4d4f2dc31244b9e2937cba854f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[277]: Failed to connect to bus: No medium found
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++
+ policy/modules/system/userdomain.if | 4 ++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 28f0ad089..d7219dc37 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -228,6 +228,36 @@ template(`systemd_role_template',`
+ ')
+ ')
+
++######################################
++## <summary>
++## Admin role for systemd --user
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for generated types
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The admin role.
++## </summary>
++## </param>
++## <param name="userdomain">
++## <summary>
++## The amdin domain for the role.
++## </summary>
++## </param>
++#
++template(`systemd_admin_role_extra',`
++ gen_require(`
++ type $1_systemd_t;
++ ')
++
++ allow $1_systemd_t $3:process noatsecure;
++ allow $1_systemd_t self:capability { mknod sys_admin };
++ allow $1_systemd_t self:capability2 { bpf perfmon };
++')
++
+ ######################################
+ ## <summary>
+ ## Allow the specified domain to be started as a daemon by the
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 088cb87b2..504747917 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1464,6 +1464,10 @@ template(`userdom_admin_user_template',`
+ optional_policy(`
+ userhelper_exec($1_t)
+ ')
++
++ optional_policy(`
++ systemd_admin_role_extra($1, $1_r, $1_t)
++ ')
+ ')
+
+ ########################################
+--
+2.25.1
+
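Review bot: In the new `systemd_admin_role_extra` template, parameter `$2` (the role) is documented but never used in the body; either drop it together with the `$1_r` argument in the userdomain.if call, or use it. The line `allow $1_systemd_t $3:process noatsecure;` is not covered by any AVC in the description, and `sys_admin` is a very broad capability, so each of those lines deserves a short why-comment, e.g. `# sys_admin: needed by systemd --user, see avc in commit message`. The `<param name="userdomain">` summary also misspells "admin" as "amdin".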
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
new file mode 100644
index 0000000..ab5b967
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
@@ -0,0 +1,104 @@
+From b81fc26631ad56608eed244c3a07f6f9b0c7e8c7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 8 Dec 2023 14:16:26 +0800
+Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
+ enabling systemd DynamicUser
+
+Allow domains using PAM to read /etc/shadow to fix login errors after
+enabling systemd DynamicUser.
+
+Fixes:
+avc: denied { read } for pid=434 comm="login" name="shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
+ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/su.if | 4 ++--
+ policy/modules/system/authlogin.te | 2 +-
+ policy/modules/system/selinuxutil.te | 2 ++
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index dce1a0ea9..c55cdfc09 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
+ selinux_compute_access_vector($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_create_faillog_files($1_su_t)
+ auth_rw_faillog($1_su_t)
+@@ -183,7 +183,7 @@ template(`su_role_template',`
+ selinux_use_status_page($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_create_faillog_files($1_su_t)
+ auth_rw_faillog($1_su_t)
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 3a5d1ac3e..f9d50a8d4 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -10,7 +10,7 @@ policy_module(authlogin)
+ ## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+ ## </p>
+ ## </desc>
+-gen_tunable(authlogin_pam, true)
++gen_tunable(authlogin_pam, false)
+
+ ## <desc>
+ ## <p>
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 3eedf82c3..875f0a02f 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -247,6 +247,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
+ read_files_pattern(newrole_t, default_context_t, default_context_t)
+ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+
++kernel_getattr_proc(newrole_t)
+ kernel_read_system_state(newrole_t)
+ kernel_read_kernel_sysctls(newrole_t)
+ kernel_dontaudit_getattr_proc(newrole_t)
+@@ -290,6 +291,7 @@ auth_use_nsswitch(newrole_t)
+ auth_run_chk_passwd(newrole_t, newrole_roles)
+ auth_run_upd_passwd(newrole_t, newrole_roles)
+ auth_rw_faillog(newrole_t)
++auth_read_shadow(newrole_t)
+
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+--
+2.25.1
+
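Review bot: Changing `gen_tunable(authlogin_pam, false)` widens read access to shadow_t for every domain that goes through the PAM interfaces, not only the local_login_t and sshd_t domains in the quoted denials, so the authlogin.te hunk is a policy-wide grant of password-hash read access rather than a targeted fix. Since gen_tunable defines a runtime boolean, the same effect could presumably be obtained by setting that boolean for the affected images while leaving the upstream default in place. The su.if and selinuxutil.te hunks (dontaudit→allow for `$1_su_t`, `auth_read_shadow(newrole_t)`, `kernel_getattr_proc(newrole_t)`) are not covered by any quoted denial, and the message should say which failures they address. `kernel_getattr_proc(newrole_t)` is also inserted three lines above the existing `kernel_dontaudit_getattr_proc(newrole_t)`, which becomes redundant once the access is allowed and should be removed in the same patch.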
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch
new file mode 100644
index 0000000..4322590
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch
@@ -0,0 +1,38 @@
+From 1b8a639bfdce84c9b39cd9e89b6da4c1d06cc7ab Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 4 Feb 2024 19:40:32 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd-logind to
+ inherit local login file descriptors
+
+Fix reboot timeout error:
+$ reboot
+Failed to set wall message, ignoring: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
+Call to Reboot failed: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
+
+avc: denied { use } for pid=287 comm="systemd-logind"
+path="anon_inode:[pidfd]" dev="anon_inodefs" ino=1044
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:system_r:local_login_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index ffce3c0e8..03aeb8515 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -973,6 +973,7 @@ init_stop_system(systemd_logind_t)
+ miscfiles_read_localization(systemd_logind_t)
+
+ locallogin_read_state(systemd_logind_t)
++locallogin_use_fds(systemd_logind_t)
+
+ seutil_libselinux_linked(systemd_logind_t)
+ seutil_read_default_contexts(systemd_logind_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
new file mode 100644
index 0000000..5ced4ae
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -0,0 +1,35 @@
+From 53a770736133d84be9cab23732811f96304bf737 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Sat, 15 Feb 2014 04:22:47 -0500
+Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
+ for writing to processes up to its clearance
+
+Fixes:
+avc: denied { setsched } for pid=148 comm="mount"
+scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 8cd51d563..3fc37619e 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -117,6 +117,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+
+ mls_file_read_all_levels(mount_t)
+ mls_file_write_all_levels(mount_t)
++mls_process_write_to_clearance(mount_t)
+
+ selinux_get_enforce_mode(mount_t)
+
+--
+2.25.1
+
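Review bot: The trailer `Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com>` is misspelled and will not be recognised as a sign-off by tooling that checks for it; it should read `Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>`. Separately, the quoted denial is a single `setsched` against kernel_t, while `mls_process_write_to_clearance(mount_t)` lifts the MLS write constraint for process-class operations on every target up to s15; a comment such as `# MLS: mount needs setsched on kernel_t:s15 at boot` next to the new line would record why the broader interface was chosen.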
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
new file mode 100644
index 0000000..07a11ea
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,40 @@
+From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+
+The two new rules make sysadm_t domain MLS trusted for:
+ - reading from files at all levels.
+ - writing to processes up to its clearance(s0-s15).
+
+With default MLS policy, root user would login as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+
+So with the two new rules, root user could work easier in MLS policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index c08226dc3..4f3207d52 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t)
+ logging_watch_audit_log(sysadm_t)
+
+ mls_process_read_all_levels(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
+
+ selinux_read_policy(sysadm_t)
+
+--
+2.25.1
+
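Review bot: `mls_file_read_all_levels(sysadm_t)` exempts sysadm_t from the MLS no-read-up constraint for files at every level, which is broader than the companion line that limits process writes to the domain's clearance, and a to-clearance variant is used for files elsewhere in this series (0044). The rationale lives only in the commit message; a comment in sysadm.te such as `# MLS override: root logs in as sysadm_t:s0, so allow reading files at any level and writing to processes up to clearance` would keep the trade-off visible next to the rules.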
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
new file mode 100644
index 0000000..a0b5cbc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -0,0 +1,48 @@
+From 3b260a0dc07f61b9bf873a8ac976430c80a653c3 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
+ for reading from files up to its clearance
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/services/rpcbind.te | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 887ca3332..f6ca775e6 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -380,6 +380,8 @@ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 2a712192b..923e48db7 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)
+
+ miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because they are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--
+2.25.1
+
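Review bot: The subject says nfsd_t is made MLS trusted for reading files up to its clearance, but the two hunks change kernel_t (`mls_socket_write_all_levels`, `mls_fd_use_all_levels`) and rpcbind_t (socket read/write at all levels) and touch neither nfsd_t nor file access; the message should describe the change actually made. No denial is quoted for the kernel_t lines, so it is unclear which failure they address. The rpcbind.te comment also reads awkwardly; `# nfsd_t and rpcbind_t run at different MLS levels, so nfsd_t could not talk to rpcbind_t over a unix_stream_socket; allow socket I/O at all levels.` says the same more clearly.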
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
new file mode 100644
index 0000000..c5943cb
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
+From faad8b18adb9a4f155ec0ec6317522baffff9117 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 30 Jun 2020 10:18:20 +0800
+Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
+ from files up to its clearance
+
+Fixes:
+avc: denied { read } for pid=255 comm="dmesg" name="kmsg"
+dev="devtmpfs" ino=10032
+scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/dmesg.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index f1da315a9..89478c38e 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t)
+ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+ userdom_use_user_terminals(dmesg_t)
+
++mls_file_read_to_clearance(dmesg_t)
++
+ optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+ ')
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..a6db8ca
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,76 @@
+From 2892de4636a61c237688d73c277edbf7a46163ab Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ lowering the level of files
+
+The boot process hangs with the error while using MLS policy:
+
+ [!!!!!!] Failed to mount API filesystems, freezing.
+ [ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:device_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="shm" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+ systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+ avc: denied { create } for pid=1 comm="systemd" name="pts" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:unlabeled_t:s0 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:cgroup_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index f6ca775e6..b4b089823 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -382,6 +382,8 @@ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
new file mode 100644
index 0000000..b996aa3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,46 @@
+From f2ff5081b1a98272c803ccfd24aeea91e8d5c368 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 15 Jan 2016 03:47:05 -0500
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+ lowering/raising the leve of files
+
+Fix security_validate_transition issues:
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:device_t:s0 \
+ taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:var_run_t:s0 \
+ newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 809019873..be9c75155 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t)
+ mls_fd_use_all_levels(init_t)
+ mls_process_set_level(init_t)
+
++# MLS trusted for lowering/raising the level of files
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
++
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+--
+2.25.1
+
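Review bot: The subject line has `leve` for `level` (`lowering/raising the level of files`); since the patch file is the only record of this override, the typo is worth fixing. The in-file comment `# MLS trusted for lowering/raising the level of files` above the two new rules is the right approach and the sibling patches in this series that add the same interfaces would benefit from the same line.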
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
new file mode 100644
index 0000000..1b90ba6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -0,0 +1,63 @@
+From 3fab5273a7721e603f2034badeaf73949aaa59a2 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
+ MLS trusted for raising/lowering the level of files
+
+Fixes:
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
+ dev="proc" ino=7987 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=dir
+
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+ name="journal" dev="tmpfs" ino=8226 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
+ tclass=dir
+
+ avc: denied { write } for pid=92 comm="systemd-tmpfile" \
+ name="kmsg" dev="devtmpfs" ino=7242 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
+ tclass=chr_file
+
+ avc: denied { read } for pid=92 comm="systemd-tmpfile" \
+ name="kmod.conf" dev="tmpfs" ino=8660 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:var_run_t:s0 \
+ tclass=file
+
+ avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+ name="kernel" dev="proc" ino=8731 \
+ scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+ tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 03aeb8515..e483d8aea 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1877,6 +1877,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+
+ systemd_log_parse_environment(systemd_tmpfiles_t)
+
++mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_downgrade(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
++
+ userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+ userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
+--
+2.25.1
+
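Review bot: All four quoted denials are search/read/write accesses, which `mls_file_write_all_levels` and `mls_file_read_all_levels` address; nothing in the message justifies `mls_file_downgrade(systemd_tmpfiles_t)` and `mls_file_upgrade(systemd_tmpfiles_t)`, even though the subject names only the relabel capability. Either quote the security_validate_transition denial that requires them, as 0045 and 0046 do, or drop those two lines. A comment like the one used in init.te (`# MLS trusted for lowering/raising the level of files`) would also keep systemd.te consistent with the other patched modules.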
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch
new file mode 100644
index 0000000..e3d5db1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -0,0 +1,91 @@
+From 4eaa766ef11cb053f010bcde5121e76031aae799 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 09:59:58 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
+ MLS trusted for writing/reading from files up to its clearance
+
+Fixes:
+audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
+pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
+pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
+dev="devtmpfs" ino=42
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
+tclass=blk_file permissive=0
+
+avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
+dev="devtmpfs" ino=2060
+scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e483d8aea..a0e6bb405 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -391,6 +391,9 @@ files_search_var_lib(systemd_backlight_t)
+ fs_getattr_all_fs(systemd_backlight_t)
+ fs_search_cgroup_dirs(systemd_backlight_t)
+
++mls_file_read_to_clearance(systemd_backlight_t)
++mls_file_write_to_clearance(systemd_backlight_t)
++
+ #######################################
+ #
+ # Binfmt local policy
+@@ -560,6 +563,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+
+ udev_read_runtime_files(systemd_generator_t)
+
++mls_file_read_to_clearance(systemd_generator_t)
++mls_file_write_to_clearance(systemd_generator_t)
++
+ ifdef(`distro_gentoo',`
+ corecmd_shell_entry_type(systemd_generator_t)
+ ')
+@@ -1009,6 +1015,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
+ domain_read_all_domains_state(systemd_logind_t)
+
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
++
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+ # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+@@ -1591,6 +1600,9 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+ systemd_log_parse_environment(systemd_rfkill_t)
+
++mls_file_read_to_clearance(systemd_rfkill_t)
++mls_file_write_to_clearance(systemd_rfkill_t)
++
+ #########################################
+ #
+ # Resolved local policy
+--
+2.25.1
+
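Review bot: systemd_logind_t receives `mls_file_read_all_levels`/`mls_file_write_all_levels`, which is broader than the to-clearance variants given to the other three domains and than the subject ("up to its clearance"), and no denial for systemd_logind_t is quoted. Unless a logind denial actually requires all-levels access, `mls_file_read_to_clearance(systemd_logind_t)` and `mls_file_write_to_clearance(systemd_logind_t)` would match the rest of the patch; otherwise the message should quote the denial that needs the wider grant.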
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
index 8455c08..6ea1efd 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -1,33 +1,36 @@
-From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001
+From de58aa981e1c05ce06938704089c7c87c765add6 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
+Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
object
We add the syslogd_t to trusted object, because other process need
to have the right to connectto/sendto /dev/log.
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 07ed546d..a7b69932 100644
+index 3cab14381..caf319f04 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
+@@ -491,6 +491,9 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
++mls_fd_use_all_levels(syslogd_t)
term_write_console(syslogd_t)
# Allow syslog to a terminal
--
-2.19.1
+2.25.1
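Review bot: `mls_fd_use_all_levels(syslogd_t)` is the only new line without a rationale comment, while its neighbours explain why they exist, and the message does not mention it either. Suggest `mls_fd_use_all_levels(syslogd_t) # Use fds inherited from domains at any level`, with the wording confirmed against the denial that motivated the rule.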
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
new file mode 100644
index 0000000..9089cb2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,33 @@
+From a9ceec99a527007a91ba6685d0b86c327fbb6443 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 May 2019 16:41:37 +0800
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+ writing to keys at all levels
+
+Fixes:
+type=AVC msg=audit(1559024138.454:31): avc: denied { link } for
+pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index be9c75155..458906ac5 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t)
+ mls_process_write_all_levels(init_t)
+ mls_fd_use_all_levels(init_t)
+ mls_process_set_level(init_t)
++mls_key_write_all_levels(init_t)
+
+ # MLS trusted for lowering/raising the level of files
+ mls_file_downgrade(init_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch
new file mode 100644
index 0000000..687e1c9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -0,0 +1,40 @@
+From 980d9d3f3c3e1e3517971715c351ec7b747105d0 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 3 Feb 2016 04:16:06 -0500
+Subject: [PATCH] policy/modules/system/init: all init_t to read any level
+ sockets
+
+Fixes:
+ avc: denied { listen } for pid=1 comm="systemd" \
+ path="/run/systemd/journal/stdout" \
+ scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+ systemd[1]: Failded to listen on Journal Socket
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 458906ac5..c2380d8b4 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t)
+ mls_file_downgrade(init_t)
+ mls_file_upgrade(init_t)
+
++# MLS trusted for reading from sockets at any level
++mls_socket_read_all_levels(init_t)
++
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+--
+2.25.1
+
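Review bot: The subject reads `all init_t to read any level sockets` where `allow init_t to read sockets at any level` is meant, and the quoted log line has `Failded` for `Failed`; both should be corrected since the patch file is the only record of why the rule exists. The rule itself matches the quoted listen denial against a syslogd_t socket at s15.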
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch
new file mode 100644
index 0000000..64a1dfc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -0,0 +1,39 @@
+From 2b64eabf0cf8982bbb3c537e84fc3a99085858d3 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 25 Feb 2016 04:25:08 -0500
+Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
+ at any level
+
+Allow auditd_t to write init_t:unix_stream_socket at any level.
+
+Fixes:
+ avc: denied { write } for pid=748 comm="auditd" \
+ path="socket:[17371]" dev="sockfs" ino=17371 \
+ scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index caf319f04..25e1d1397 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -235,6 +235,8 @@ miscfiles_read_localization(auditd_t)
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+
+ seutil_dontaudit_read_config(auditd_t)
+
+--
+2.25.1
+
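Review bot: `mls_fd_use_all_levels(auditd_t)` is not covered by the quoted denial, which is a `write` on a unix_stream_socket and is addressed by `mls_socket_write_all_levels(auditd_t)` alone; the message should quote the fd `use` denial that motivates the extra line, or the line should be dropped. Following the trailing-comment style of the previous line would also help, e.g. `mls_socket_write_all_levels(auditd_t) # Write to init_t unix_stream_socket at any level`.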
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..4f3253d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,31 @@
+From 35351cd7cb07622b5e43254b95d7801a5669358d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 31 Oct 2019 17:35:59 +0800
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ writing to keys at all levels.
+
+Fixes:
+systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index b4b089823..5835d28b2 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -384,6 +384,7 @@ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=667370
+ mls_file_downgrade(kernel_t)
++mls_key_write_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+--
+2.25.1
+
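Review bot: The 'Fixes:' block records only the crda exit code, not the AVC denial that motivates `mls_key_write_all_levels(kernel_t)`, so a later reader cannot tell which key object and level the rule is needed for or whether it is still required. Add the actual `avc: denied ... tclass=key` line from the audit log (placeholder, take it verbatim from the log) to the message as the neighbouring patches do, and a short comment above the added rule. Without that, kernel_t keeps key-write at all levels indefinitely with no recorded way to re-evaluate it.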
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
new file mode 100644
index 0000000..5118ef8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -0,0 +1,30 @@
+From 6d6e2d34ec63771a01ef258c98f1ad49efdc2f67 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
+ level
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/setrans.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 12e66aad9..5510f7fac 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -69,6 +69,8 @@ mls_net_receive_all_levels(setrans_t)
+ mls_socket_write_all_levels(setrans_t)
+ mls_process_read_all_levels(setrans_t)
+ mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
++mls_trusted_object(setrans_t)
+
+ selinux_compute_access_vector(setrans_t)
+
+--
+2.25.1
+
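Review bot: `mls_trusted_object(setrans_t)` on the second added line makes the setrans process domain itself an object that every MLS level may read and write, which goes beyond the subject-side "use fd at any level" the commit subject describes, and no denial is quoted for either rule. Record the AVC lines that were actually hit in a 'Fixes:' block as the sibling patches do, and if only fd use was denied, drop the trusted-object line. A one-line comment on each rule naming the peer type involved would make the grant reviewable later.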
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
new file mode 100644
index 0000000..3e75257
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -0,0 +1,42 @@
+From 3d5751659380eb04b63f8fc1e6113132dd1310d7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 22 Feb 2021 11:28:12 +0800
+Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
+ for writing/reading from files at all levels
+
+Fixes:
+avc: denied { search } for pid=1148 comm="systemd" name="journal"
+dev="tmpfs" ino=206
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { write } for pid=1148 comm="systemd" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index d7219dc37..7717e0034 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -226,6 +226,9 @@ template(`systemd_role_template',`
+ xdg_read_config_files($1_systemd_t)
+ xdg_read_data_files($1_systemd_t)
+ ')
++
++ mls_file_read_all_levels($1_systemd_t)
++ mls_file_write_all_levels($1_systemd_t)
+ ')
+
+ ######################################
+--
+2.25.1
+
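Review bot: The two added `mls_file_*_all_levels($1_systemd_t)` calls sit inside `systemd_role_template`, so they apply to every role that instantiates the template (staff, user and any custom role), not only the sysadm_systemd_t domain in the quoted denials. That turns an unprivileged user's `systemd --user` domain into an MLS-trusted reader and writer of files at all levels, which is wider than a dir search on syslogd_runtime_t and a write to kmsg_device_t require. Consider scoping the grant to the sysadm instantiation (in the caller, outside this hunk) or gating it on the template argument, and state the intent in a comment above the two lines.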
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
new file mode 100644
index 0000000..d07fa91
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -0,0 +1,48 @@
+From 2476910f6d7f116148bb9311498b5c98692c1ef3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 17:31:45 +0800
+Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
+ trusted.
+
+Make syslogd_runtime_t MLS trusted to allow all levels to read and write
+the object.
+
+Fixes:
+avc: denied { search } for pid=314 comm="useradd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=319 comm="passwd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=374 comm="rpc.statd" name="journal"
+dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 25e1d1397..ba0fd10e0 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+
++mls_trusted_object(syslogd_runtime_t)
++
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+--
+2.25.1
+
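Review bot: The third denial in the 'Fixes:' block names `syslogd_var_run_t`, while the added rule marks `syslogd_runtime_t`; if the former is the pre-rename alias in this refpolicy revision the message should say so, otherwise that denial is not addressed by the patch. `mls_trusted_object` also makes the journal directory readable and writable by every level, which is broader than the search permission in all three denials; a comment above the added line stating why a narrower MLS read interface was not sufficient would help the next reviewer.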
diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc b/recipes-security/refpolicy/refpolicy_2.20190201.inc
deleted file mode 100644
index 822c0f3..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20190201.inc
+++ /dev/null
@@ -1,7 +0,0 @@
-SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2"
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
-
-include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..6ea1fc2 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,91 +1,113 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
SECTION = "admin"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-PROVIDES += "virtual/refpolicy"
-RPROVIDES_${PN} += "refpolicy"
+PROVIDES = "virtual/refpolicy"
+RPROVIDES:${PN} = "refpolicy"
# Specific config files for Poky
-SRC_URI += "file://customizable_types \
- file://setrans-mls.conf \
- file://setrans-mcs.conf \
- "
+SRC_URI += "file://customizable_types \
+ file://setrans-mls.conf \
+ file://setrans-mcs.conf \
+ "
# Base patches applied to all Yocto-based platforms. Your own version of
# refpolicy should provide a version of these and place them in your own
# refpolicy-${PV} directory.
SRC_URI += " \
- file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
- file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
- file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
- file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
- file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
- file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
- file://0007-fc-login-apply-login-context-to-login.shadow.patch \
- file://0008-fc-bind-fix-real-path-for-bind.patch \
- file://0009-fc-hwclock-add-hwclock-alternatives.patch \
- file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
- file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
- file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
- file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
- file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
- file://0015-fc-su-apply-policy-to-su-alternatives.patch \
- file://0016-fc-fstools-fix-real-path-for-fstools.patch \
- file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
- file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
- file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
- file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
- file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
- file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
- file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
- file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
- file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
- file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
- file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
- file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
- file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
- file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
- file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
- file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
- file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
- file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
- "
+ file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+ file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+ file://0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+ file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+ file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+ file://0006-fc-login-apply-login-context-to-login.shadow.patch \
+ file://0007-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
+ file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0012-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0013-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \
+ file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+ file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+ file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+ file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+ file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+ file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+ file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+ file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \
+ file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+ file://0024-fc-getty-add-file-context-to-start_getty.patch \
+ file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+ file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+ file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+ file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \
+ file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+ file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+ file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+ file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
+ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
+ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
+ file://0040-policy-modules-system-systemd-allow-systemd-logind-t.patch \
+ file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0048-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0051-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ "
S = "${WORKDIR}/refpolicy"
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
-FILES_${PN} += " \
- ${sysconfdir}/selinux/${POLICY_NAME}/ \
- ${datadir}/selinux/${POLICY_NAME}/*.pp \
- ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
- "
-FILES_${PN}-dev =+ " \
- ${datadir}/selinux/${POLICY_NAME}/include/ \
- ${sysconfdir}/selinux/sepolgen.conf \
-"
+CONFFILES:${PN} = "${sysconfdir}/selinux/config"
+FILES:${PN} += " \
+ ${sysconfdir}/selinux/${POLICY_NAME}/ \
+ ${datadir}/selinux/${POLICY_NAME}/*.pp \
+ ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+ "
+FILES:${PN}-dev =+ " \
+ ${datadir}/selinux/${POLICY_NAME}/include/ \
+ ${sysconfdir}/selinux/sepolgen.conf \
+ "
EXTRANATIVEPATH += "bzip2-native"
-DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
-RDEPENDS_${PN}-dev =+ " \
- python \
-"
+RDEPENDS:${PN}-dev = " \
+ python3-core \
+ "
PACKAGE_ARCH = "${MACHINE_ARCH}"
-inherit pythonnative
+inherit python3native
PARALLEL_MAKE = ""
+DEFAULT_ENFORCING ??= "enforcing"
+
POLICY_NAME ?= "${POLICY_TYPE}"
-POLICY_DISTRO ?= "redhat"
+POLICY_DISTRO ?= "debian"
POLICY_UBAC ?= "n"
POLICY_UNK_PERMS ?= "allow"
-POLICY_DIRECT_INITRC ?= "n"
+POLICY_DIRECT_INITRC ?= "y"
POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}"
POLICY_MONOLITHIC ?= "n"
POLICY_CUSTOM_BUILDOPT ?= ""
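Review bot: The default flips of `POLICY_DISTRO` (redhat to debian) and `POLICY_DIRECT_INITRC` (n to y) carry no comment; DIRECT_INITRC=y is the refpolicy build option that lets sysadm run init scripts directly instead of through run_init, a weaker configuration than the old default. A comment on the line, e.g. `# DIRECT_INITRC=y: sysadm may run init scripts directly; set "n" for a run_init-only setup`, would record why the layer chooses this and tell integrators which knob to override. The switch of `PROVIDES` and `RPROVIDES:${PN}` from `+=` to `=` also discards anything set earlier by an including recipe, which is presumably intended but worth a line.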
@@ -94,73 +116,83 @@ POLICY_MLS_SENS ?= "16"
POLICY_MLS_CATS ?= "1024"
POLICY_MCS_CATS ?= "1024"
-EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
- TYPE=${POLICY_TYPE} \
- DISTRO=${POLICY_DISTRO} \
- UBAC=${POLICY_UBAC} \
- UNK_PERMS=${POLICY_UNK_PERMS} \
- DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
- SYSTEMD=${POLICY_SYSTEMD} \
- MONOLITHIC=${POLICY_MONOLITHIC} \
- CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
- QUIET=${POLICY_QUIET} \
- MLS_SENS=${POLICY_MLS_SENS} \
- MLS_CATS=${POLICY_MLS_CATS} \
- MCS_CATS=${POLICY_MCS_CATS}"
+EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
+ TYPE=${POLICY_TYPE} \
+ DISTRO=${POLICY_DISTRO} \
+ UBAC=${POLICY_UBAC} \
+ UNK_PERMS=${POLICY_UNK_PERMS} \
+ DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+ SYSTEMD=${POLICY_SYSTEMD} \
+ MONOLITHIC=${POLICY_MONOLITHIC} \
+ CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+ QUIET=${POLICY_QUIET} \
+ MLS_SENS=${POLICY_MLS_SENS} \
+ MLS_CATS=${POLICY_MLS_CATS} \
+ MCS_CATS=${POLICY_MCS_CATS}"
EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
-python __anonymous () {
+python __anonymous() {
import re
- # make sure DEFAULT_ENFORCING is something sane
+ # Make sure DEFAULT_ENFORCING is something sane
if not re.match('^(enforcing|permissive|disabled)$',
- d.getVar('DEFAULT_ENFORCING', True),
+ d.getVar('DEFAULT_ENFORCING'),
flags=0):
d.setVar('DEFAULT_ENFORCING', 'permissive')
}
+disable_policy_modules() {
+ for module in ${PURGE_POLICY_MODULES} ; do
+ sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+ done
+}
+
do_compile() {
- oe_runmake conf
- oe_runmake policy
+ if [ -f "${WORKDIR}/modules.conf" ] ; then
+ cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+ fi
+ oe_runmake conf
+ disable_policy_modules
+ oe_runmake policy
}
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-
- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
-
- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-
- for i in ${POL_SRC}/*.${HLL_TYPE}; do
- MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
- MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
- if ! bzip2 -t $i >/dev/null 2>&1; then
- ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f $i && mv -f $i.bz2 $i
- else
- bunzip2 --stdout $i | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp $i ${MOD_DIR}/hll
- done
+prepare_policy_store() {
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+ # Prepare to create policy store
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
+
+ # Get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+ for i in ${POL_SRC}/*.${HLL_TYPE}; do
+ MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+ MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ if ! bzip2 -t $i >/dev/null 2>&1; then
+ ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f $i && mv -f $i.bz2 $i
+ else
+ bunzip2 --stdout $i | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp $i ${MOD_DIR}/hll
+ done
}
-rebuild_policy () {
- cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+rebuild_policy() {
+ cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
module-store = direct
[setfiles]
path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
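Review bot: `disable_policy_modules` (new in this hunk) gives no feedback when a name from `PURGE_POLICY_MODULES` is absent from modules.conf: `sed -i` matches nothing and the build continues with that module still enabled, the opposite of what the purge list promises. After the sed inside the loop, `grep -q "^${module} *= *off" ${S}/policy/modules.conf || bbfatal "module ${module} not found in modules.conf"` would fail loudly instead. The module name is also spliced into the sed regex unescaped, so a name with regex metacharacters can match more than intended; a comment above the function should say names are used verbatim as regex atoms.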
@@ -171,32 +203,32 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]
-policy-version = 30
+policy-version = 33
EOF
- # Create policy store and build the policy
- semodule -p ${D} -s ${POLICY_NAME} -n -B
- rm -f ${D}${sysconfdir}/selinux/semanage.conf
- # no need to leave final dir created by semanage laying around
- rm -rf ${D}${localstatedir}/lib/selinux/final
+ # Create policy store and build the policy
+ semodule -p ${D} -s ${POLICY_NAME} -n -B
+ rm -f ${D}${sysconfdir}/selinux/semanage.conf
+ # No need to leave final dir created by semanage laying around
+ rm -rf ${D}${localstatedir}/lib/selinux/final
}
-install_misc_files () {
- cat ${WORKDIR}/customizable_types >> \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+install_misc_files() {
+ cat ${WORKDIR}/customizable_types >> \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
- # install setrans.conf for mls/mcs policy
- if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
- install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
- fi
+ # Install setrans.conf for mls/mcs policy
+ if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+ install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+ fi
- # install policy headers
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+ # Install policy headers
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}
-install_config () {
- echo "\
+install_config() {
+ echo "\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
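Review bot: `policy-version = 33` on the changed line hard-codes the kernel policy version written into the temporary semanage.conf, while the build itself derives the version from `checkpolicy -V` via `OUTPUT_POLICY` in the previous hunk. If checkpolicy-native moves on, the binary policy produced by make and the store compiled by `semodule -B` below can disagree on version; derive this value the same way, or at least add `# Must match OUTPUT_POLICY derived from checkpolicy -V above` next to it so the two are updated together. `rebuild_policy` begins in the previous hunk; only its tail is visible here.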
@@ -211,22 +243,22 @@ SELINUX=${DEFAULT_ENFORCING}
# mcs - Multi Category Security protection.
SELINUXTYPE=${POLICY_NAME}
" > ${WORKDIR}/config
- install -d ${D}/${sysconfdir}/selinux
- install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+ install -d ${D}/${sysconfdir}/selinux
+ install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
}
-do_install () {
- prepare_policy_store
- rebuild_policy
- install_misc_files
- install_config
+do_install() {
+ prepare_policy_store
+ rebuild_policy
+ install_misc_files
+ install_config
}
-do_install_append(){
- # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
- echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+do_install:append() {
+ # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+ echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
}
-sysroot_stage_all_append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+sysroot_stage_all:append() {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
}
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 8aeaf27..322c277 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,9 +1,11 @@
-PV = "2.20190201+git${SRCPV}"
+PV = "2.20240226+git"
-SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
+SRCREV_refpolicy ?= "6507eebc238b4495b1e0d3baa2bc0bb737f9819a"
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/refpolicy:"
include refpolicy_common.inc
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
index 9520f6e..3c2a576 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
@@ -8,4 +8,4 @@ Type=oneshot
ExecStart=/usr/bin/selinux-autorelabel.sh
[Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
/usr/sbin/selinuxenabled 2>/dev/null || exit 0
FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
-if ! test -x ${FIXFILES}; then
- echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
exit 1
-fi
+done
# If /.autorelabel placed, the whole file system should be relabeled
if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${SETENFORCE} 0
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
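Review bot: The new `${SETENFORCE} 0` line has no result check, so if switching to permissive fails the script goes straight into `${FIXFILES} -F -f relabel` in enforcing mode where the relabel can be partial, and the following `rm -f /.autorelabel` drops the marker whatever fixfiles returned, so a failed relabel is never retried. Guard both steps: `${SETENFORCE} 0 || { echo "SELinux: setenforce 0 failed, not relabelling."; exit 1; }` and `${FIXFILES} -F -f relabel || { echo "SELinux: relabel failed, keeping /.autorelabel."; exit 1; }`, consistent with the `exit 1` already used for missing tools above. The if block continues past the hunk; the reboot is outside it.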
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
index 4eb2b4e..9fd066c 100644
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
@@ -7,7 +7,7 @@ file is present.\
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-${PN}_RDEPENDS = " \
+RDEPENDS:${PN} = " \
policycoreutils-setfiles \
"
@@ -18,3 +18,9 @@ SRC_URI = "file://${BPN}.sh \
INITSCRIPT_PARAMS = "start 01 S ."
require selinux-initsh.inc
+
+do_install:append() {
+ if ${@bb.utils.contains('FIRST_BOOT_RELABEL', '1', 'true', 'false', d)}; then
+ echo "# first boot relabelling" > ${D}/.autorelabel
+ fi
+}
diff --git a/recipes-security/selinux/selinux-init/selinux-init.service b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
index 49c6d98..91b3e72 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.service
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
@@ -9,4 +9,4 @@ Type=oneshot
ExecStart=/usr/bin/selinux-init.sh
[Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
index ead4f00..f93d231 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
@@ -33,18 +33,6 @@ check_rootfs()
/sbin/shutdown -f -h now
}
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * First booting, filesystem will be relabeled..."
- test -x /etc/init.d/auditd && /etc/init.d/auditd start
- ${SETENFORCE} 0
- ${RESTORECON} -RF /
- ${RESTORECON} -F /
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
+# sysvinit firstboot relabel placeholder HERE
exit 0
diff --git a/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 0000000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
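Review bot: This fragment uses `${SECON}`, `${SETENFORCE}`, `${RESTORECON}` and `check_rootfs` without defining them; they are expected from the host script it is spliced into, and the header comment only says it is added to selinux-init.sh. Extend that header to `# Requires SECON, SETENFORCE, RESTORECON and check_rootfs from the host script` so the dependency is explicit when either file is edited. The `${SETENFORCE} 0` and `${RESTORECON}` results are still unchecked before the unconditional `/sbin/reboot`, so a failed relabel could reboot into the same kernel_t state and repeat; that is carried over from the removed block rather than new, but merits a TODO comment here.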
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux-scripts/selinux-init_0.1.bb
index 38b5900..c97316e 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux-scripts/selinux-init_0.1.bb
@@ -7,16 +7,18 @@ boot time. \
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-${PN}_RDEPENDS = " \
+RDEPENDS:${PN} = " \
coreutils \
libselinux-bin \
policycoreutils-secon \
policycoreutils-setfiles \
"
-SRC_URI = "file://${BPN}.sh \
- file://${BPN}.service \
- "
+SRC_URI = " \
+ file://${BPN}.sh \
+ file://${BPN}.sh.sysvinit \
+ file://${BPN}.service \
+"
INITSCRIPT_PARAMS = "start 01 S ."
diff --git a/recipes-security/selinux-scripts/selinux-initsh.inc b/recipes-security/selinux-scripts/selinux-initsh.inc
new file mode 100644
index 0000000..f6a3d85
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-initsh.inc
@@ -0,0 +1,41 @@
+S ?= "${WORKDIR}"
+SECTION ?= "base"
+
+# Default is for script name to be the same as the recipe name.
+# Script must have .sh suffix.
+SELINUX_SCRIPT_SRC ?= "${BPN}"
+SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
+
+INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
+INITSCRIPT_PARAMS ?= "start 00 S ."
+
+CONFFILES:${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
+
+PACKAGE_ARCH ?= "${MACHINE_ARCH}"
+
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE:${PN} = "${SELINUX_SCRIPT_SRC}.service"
+
+FILES:${PN} += "/.autorelabel"
+
+do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+ # Insert the relabelling code which is only needed with sysvinit
+ sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+ -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ fi
+}
+
+sysroot_stage_all:append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
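Review bot: In `do_install` the sed address `/HERE/r ...` is an unanchored substring match, so any installed-script line containing HERE (inside a word such as WHERE, or a later comment) would receive the sysvinit fragment, and the companion `'/.*Contents.*sysvinit/d'` deletes a line by the wording of a comment in the fragment file. Anchor on the full marker line that selinux-init.sh carries, `-e '/^# sysvinit firstboot relabel placeholder HERE$/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit'`, use the same pattern for the two `d` addresses, and strip the fragment's header by its first line rather than by the word Contents. GNU sed's `r` silently treats a missing file as empty, which is what lets selinux-autorelabel and selinux-labeldev (no `.sh.sysvinit`) pass through here; a comment stating that would save the next reader a search.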
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
index d45ecbc..96142a3 100644
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
+++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
@@ -8,4 +8,4 @@ Type=oneshot
ExecStart=/usr/bin/selinux-labeldev.sh
[Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
index 62e7a42..62e7a42 100644
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
+++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
index 8eb5db4..d29efec 100644
--- a/recipes-security/selinux/selinux-labeldev_0.1.bb
+++ b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Set SELinux labels for /dev."
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-${PN}_RDEPENDS = " \
+RDEPENDS:${PN} = " \
coreutils \
libselinux-bin \
policycoreutils-setfiles \
diff --git a/recipes-security/selinux/checkpolicy_2.8.bb b/recipes-security/selinux/checkpolicy_2.8.bb
deleted file mode 100644
index 05e738e..0000000
--- a/recipes-security/selinux/checkpolicy_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f"
-SRC_URI[sha256sum] = "9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8"
diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy_3.6.bb
index 1d84ebb..60f506d 100644
--- a/recipes-security/selinux/checkpolicy.inc
+++ b/recipes-security/selinux/checkpolicy_3.6.bb
@@ -5,18 +5,19 @@ required for building policies. It uses libsepol to generate the \
binary policy. checkpolicy uses the static libsepol since it deals \
with low level details of the policy that have not been \
encapsulated/abstracted by a proper shared library interface."
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
-DEPENDS += "libsepol bison-native flex-native"
+DEPENDS = "libsepol bison-native"
-EXTRA_OEMAKE += "LEX='flex'"
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+S = "${WORKDIR}/git/checkpolicy"
-do_install_append() {
- install test/dismod ${D}/${bindir}/sedismod
- install test/dispol ${D}/${bindir}/sedispol
+do_install:append() {
+ install test/dismod ${D}/${bindir}/sedismod
+ install test/dispol ${D}/${bindir}/sedispol
}
BBCLASSEXTEND = "native"
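Review bot: `DEPENDS = "libsepol bison-native"` drops flex-native together with the removed `LEX='flex'` override, yet checkpolicy still generates its policy scanner with flex at build time, and as far as I know flex is not among the host tools bitbake passes through by default. Unless selinux_common.inc, which is outside this hunk, adds it, the build either fails on a host without flex or silently uses whatever flex the host has, which is not reproducible; if that is the case restore it with `DEPENDS = "libsepol bison-native flex-native"`. Using `=` rather than `+=` after the require also overwrites any DEPENDS the included file sets, which deserves a comment if intended.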
diff --git a/recipes-security/selinux/libselinux-python_3.6.bb b/recipes-security/selinux/libselinux-python_3.6.bb
new file mode 100644
index 0000000..3c5c489
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python_3.6.bb
@@ -0,0 +1,57 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit python3targetconfig pkgconfig
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
+SRC_URI += "\
+ file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+ file://0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
+ file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \
+ "
+
+S = "${WORKDIR}/git/libselinux"
+
+DEPENDS = "libsepol libpcre2 swig-native python3-setuptools-scm-native"
+DEPENDS:append:libc-musl = " fts"
+
+RDEPENDS:${PN} = "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+ import re
+ target = d.getVar('TARGET_ARCH')
+ p = re.compile('i.86')
+ target = p.sub('i386',target)
+ return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE = "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES:${PN} = "${PYTHON_SITEPACKAGES_DIR}/*"
+INSANE_SKIP:${PN} = "dev-so"
+
+do_compile() {
+ oe_runmake pywrap -j1 \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+ oe_runmake install-pywrap \
+ DESTDIR=${D} \
+ PREFIX=${prefix}
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
+
+ # Fix buildpaths issue
+ sed -i -e 's,${WORKDIR},,g' \
+ ${D}${PYTHON_SITEPACKAGES_DIR}/selinux-${PV}.dist-info/direct_url.json
+}
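Review bot: In do_install the line `PREFIX=${prefix}` has no trailing backslash, so the `oe_runmake install-pywrap` command ends there and the two following lines execute as a separate shell statement that merely sets PYLIBVER and PYTHONLIBDIR as unused shell variables. PYTHONLIBDIR is therefore never passed to make, and the install location falls back to the Makefile's `sysconfig`-derived default (visible in patch 0002 below), which presumably only coincides with `${PYTHON_SITEPACKAGES_DIR}` when the host interpreter's layout matches the target's. Change the line to `PREFIX=${prefix} \`. The same oversight would also make the buildpaths `sed` on direct_url.json miss its file whenever the two paths diverge.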
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
deleted file mode 100644
index 6e115e3..0000000
--- a/recipes-security/selinux/libselinux.inc
+++ /dev/null
@@ -1,44 +0,0 @@
-SUMMARY = "SELinux library and simple utilities"
-DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
-process and file security contexts and to obtain security policy \
-decisions. Required for any applications that use the SELinux API."
-SECTION = "base"
-LICENSE = "PD"
-
-inherit lib_package pythonnative
-
-DEPENDS += "libsepol python libpcre swig-native"
-DEPENDS_append_libc-musl = " fts"
-RDEPENDS_${PN}-python += "python-core python-shell"
-
-PACKAGES += "${PN}-python"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
-
-def get_policyconfigarch(d):
- import re
- target = d.getVar('TARGET_ARCH', True)
- p = re.compile('i.86')
- target = p.sub('i386',target)
- return "ARCH=%s" % (target)
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
-
-EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
-EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
-
-do_compile_append() {
- oe_runmake pywrap -j1 \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}' \
- PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
-}
-
-do_install_append() {
- oe_runmake install-pywrap swigify \
- PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
- if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
- rm -rf ${D}${base_sbindir}
- fi
-}
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch
new file mode 100644
index 0000000..b307b6f
--- /dev/null
+++ b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch
@@ -0,0 +1,28 @@
+From dff260851ccecf9723a6ddfce0103e09f3ba4613 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 13 Apr 2020 12:44:23 +0800
+Subject: [PATCH] Makefile: fix python modules install path for multilib
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index d3b981f..265f1be 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -191,7 +191,7 @@ install: all
+ ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+
+ install-pywrap: pywrap
+- CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
++ CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) .
+ install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+
+--
+2.25.1
+
diff --git a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
deleted file mode 100644
index 46cfaaf..0000000
--- a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 37f3299e8f5c468fe692f36356c2c35f968b6aee Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Thu, 18 Feb 2016 02:39:16 +0000
-Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- src/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/Makefile b/src/Makefile
-index 977b5c8..92a4289 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -156,6 +156,7 @@ $(LIBSO): $(LOBJS)
-
- $(LIBPC): $(LIBPC).in ../VERSION
- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
-+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
-
- selinuxswig_python_exception.i: ../include/selinux/selinux.h
- bash -e exception.sh > $@ || (rm -f $@ ; false)
---
-2.7.4
-
diff --git a/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
new file mode 100644
index 0000000..7ebe64f
--- /dev/null
+++ b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
@@ -0,0 +1,52 @@
+From 303d8dfe53fcd02ea5818f976369cdb629bc1114 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 25 Oct 2019 13:37:14 +0200
+Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name
+
+PYCEXT is computed by asking the Python intrepreter what is the
+file extension used for native Python modules.
+
+Unfortunately, when cross-compiling, the host Python doesn't give the
+proper result: it gives the result matching the build machine, and not
+the target machine. Due to this, the symlink has an incorrect name,
+and doesn't point to the .so file that was actually built/installed.
+
+To address this and keep things simple, this patch just changes the ln
+invocation to rely on the name of the _selinux*.so Python module that
+was installed.
+
+[Upstream: https://github.com/SELinuxProject/selinux/pull/184]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+Upstream-Status: Denied [https://patchwork.kernel.org/patch/11212405/]
+
+[Refreshed for 3.0]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 265f1be..47e51d6 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
+ PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
+ PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
+ PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
+-PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
+ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
+ RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
+ RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
+@@ -193,7 +192,7 @@ install: all
+ install-pywrap: pywrap
+ CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) .
+ install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+- ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
++ ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/
+
+ install-rubywrap: rubywrap
+ test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
+--
+2.25.1
+
diff --git a/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch
new file mode 100644
index 0000000..0cd8f20
--- /dev/null
+++ b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch
@@ -0,0 +1,40 @@
+From 6c2af45ec8cff9b282d599dc098db0ca127bdc59 Mon Sep 17 00:00:00 2001
+From: Renato Caldas <renato@calgera.com>
+Date: Thu, 29 Jun 2023 13:59:11 +0100
+Subject: [PATCH] libselinux: restore: drop the obsolete LSF transitional API.
+
+The preferred way to enable LSF support on 32 bit systems is to define
+_FILE_OFFSET_BITS=64 when building selinux.
+
+Upstream-Status: Submitted [https://github.com/SELinuxProject/selinux/pull/401]
+
+Signed-off-by: Renato Caldas <renato@calgera.com>
+---
+ src/selinux_restorecon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index 38f10f1..5b3d035 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -436,7 +436,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ file_spec_t *prevfl, *fl;
+ uint32_t h;
+ int ret;
+- struct stat64 sb;
++ struct stat sb;
+
+ __pthread_mutex_lock(&fl_mutex);
+
+@@ -450,7 +450,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
+ prevfl = fl, fl = fl->next) {
+ if (ino == fl->ino) {
+- ret = lstat64(fl->file, &sb);
++ ret = lstat(fl->file, &sb);
+ if (ret < 0 || sb.st_ino != ino) {
+ freecon(fl->con);
+ free(fl->file);
+--
+2.25.1
+
diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
deleted file mode 100644
index ad18cf5..0000000
--- a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d0aaf391ab30b253aa22ef6547a039bcac840fc6 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@windriver.com>
-Date: Tue, 15 Oct 2013 10:14:41 -0400
-Subject: [PATCH] libselinux: define FD_CLOEXEC as necessary
-
-In truly old systems, even FD_CLOEXEC may not be defined. Produce a
-warning and duplicate the #define for FD_CLOEXEC found in
-asm-generic/fcntl.h on more modern platforms.
-
-Uptream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-
----
- src/setrans_client.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/setrans_client.c b/src/setrans_client.c
-index fa188a8..a94f02c 100644
---- a/src/setrans_client.c
-+++ b/src/setrans_client.c
-@@ -39,6 +39,11 @@ static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
-
-+#ifndef FD_CLOEXEC
-+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
-+#define FD_CLOEXEC 1
-+#endif
-+
- /*
- * setransd_open
- *
diff --git a/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch b/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch
deleted file mode 100644
index d58e4eb..0000000
--- a/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 865b8c40b331235ce2c9df1fcbbb3876c9b79338 Mon Sep 17 00:00:00 2001
-From: Randy MacLeod <Randy.MacLeod@windriver.com>
-Date: Tue, 30 Apr 2013 17:28:34 -0400
-Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable
-
-Upstream status: inappropriate (older compilers only).
-
-Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
-
----
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index 2408fae..a89c0f7 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -96,7 +96,7 @@ PCRE_LDLIBS ?= -lpcre
-
- override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
-
--SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
-+SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-parameter \
- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
-
- RANLIB ?= ranlib
diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index 6394bf0..0000000
--- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 802d224953294463fa9bc793e46f664ecfea057a Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@windriver.com>
-Date: Fri, 11 Oct 2013 09:56:25 -0400
-Subject: [PATCH] libselinux: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available. The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
-
-Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
----
- src/procattr.c | 16 ++++++++++++++--
- src/sestatus.c | 8 +++++++-
- src/stringrep.c | 8 +++++++-
- 3 files changed, 28 insertions(+), 4 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 48dd8af..8bf8432 100644
---- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
- rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
- if (rc < 0)
- return -1;
-- fd = open(path, flags | O_CLOEXEC);
-+ fd = open(path, flags
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd >= 0 || errno != ENOENT)
- goto out;
- free(path);
-@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
- if (rc < 0)
- return -1;
-
-- fd = open(path, flags | O_CLOEXEC);
-+ fd = open(path, flags
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- out:
- free(path);
- return fd;
-diff --git a/src/sestatus.c b/src/sestatus.c
-index ed29dc5..0cb15b6 100644
---- a/src/sestatus.c
-+++ b/src/sestatus.c
-@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
- return -1;
-
- snprintf(path, sizeof(path), "%s/status", selinux_mnt);
-- fd = open(path, O_RDONLY | O_CLOEXEC);
-+ fd = open(path, O_RDONLY
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd < 0)
- goto error;
-
-diff --git a/src/stringrep.c b/src/stringrep.c
-index 2d83f96..17e9232 100644
---- a/src/stringrep.c
-+++ b/src/stringrep.c
-@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
- struct stat m;
-
- snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
-- fd = open(path, O_RDONLY | O_CLOEXEC);
-+ fd = open(path, O_RDONLY
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd < 0)
- goto err4;
-
diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
deleted file mode 100644
index febced7..0000000
--- a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e630805d15a3b8d09330353f87a7e4a9fcc9998a Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@windriver.com>
-Date: Tue, 15 Oct 2013 10:07:43 -0400
-Subject: [PATCH] libselinux: make SOCK_CLOEXEC optional
-
-libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
-before using it, however libselinux/src/avc_internal.c does not. Since
-SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
-platforms, we need to ensure we protect the references it it in the same
-way.
-
-Uptream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-
----
- src/avc_internal.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/avc_internal.c b/src/avc_internal.c
-index 49cecc9..148cc83 100644
---- a/src/avc_internal.c
-+++ b/src/avc_internal.c
-@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
- int len, rc = 0;
- struct sockaddr_nl addr;
-
-- fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
-+ fd = socket(PF_NETLINK, SOCK_RAW
-+#ifdef SOCK_CLOEXEC
-+ | SOCK_CLOEXEC
-+#else
-+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ , NETLINK_SELINUX);
- if (fd < 0) {
- rc = fd;
- goto out;
diff --git a/recipes-security/selinux/libselinux_2.8.bb b/recipes-security/selinux/libselinux_2.8.bb
deleted file mode 100644
index 5de4607..0000000
--- a/recipes-security/selinux/libselinux_2.8.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-SRC_URI[md5sum] = "56057e60192b21122c1aede8ff723ca2"
-SRC_URI[sha256sum] = "31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1"
-
-SRC_URI += "\
- file://libselinux-drop-Wno-unused-but-set-variable.patch \
- file://libselinux-make-O_CLOEXEC-optional.patch \
- file://libselinux-make-SOCK_CLOEXEC-optional.patch \
- file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
- file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
- "
diff --git a/recipes-security/selinux/libselinux_3.6.bb b/recipes-security/selinux/libselinux_3.6.bb
new file mode 100644
index 0000000..b0dcde6
--- /dev/null
+++ b/recipes-security/selinux/libselinux_3.6.bb
@@ -0,0 +1,33 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit lib_package pkgconfig
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
+SRC_URI += "\
+ file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \
+ "
+
+S = "${WORKDIR}/git/libselinux"
+
+DEPENDS = "libsepol libpcre2"
+DEPENDS:append:libc-musl = " fts"
+
+def get_policyconfigarch(d):
+ import re
+ target = d.getVar('TARGET_ARCH')
+ p = re.compile('i.86')
+ target = p.sub('i386',target)
+ return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE = "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
+
+BBCLASSEXTEND = "native"
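Review bot: `get_policyconfigarch` is defined here byte-for-byte identically to the copy in libselinux-python_3.6.bb earlier in this diff, and both recipes already `require selinux_common.inc`; hoisting the function and the `EXTRA_OEMAKE = "${@get_policyconfigarch(d)}"` line into that include would keep the two from drifting. Whichever copy remains deserves a one-line comment such as `# The SELinux makefiles expect ARCH=i386 for any i?86 target; map TARGET_ARCH accordingly`, since the reason for the regex is not obvious. The `=` on `DEPENDS` and `EXTRA_OEMAKE` after the require also discards anything selinux_common.inc sets for those variables, which I cannot verify from here.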
diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage.inc
deleted file mode 100644
index be0a5f1..0000000
--- a/recipes-security/selinux/libsemanage.inc
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "SELinux binary policy manipulation library"
-DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
-It is used by checkpolicy (the policy compiler) and similar tools, as well \
-as by programs like load_policy that need to perform specific transformations \
-on binary policies such as customizing policy boolean settings."
-SECTION = "base"
-LICENSE = "LGPLv2.1+"
-
-inherit lib_package python-dir
-
-DEPENDS += "libsepol libselinux bzip2 python bison-native flex-native swig-native"
-DEPENDS_append_class-target += "audit"
-
-PACKAGES =+ "${PN}-python"
-
-# For /usr/libexec/selinux/semanage_migrate_store
-RDEPENDS_${PN}-python += "python"
-
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
- ${libexecdir}/selinux/semanage_migrate_store"
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
-
-EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y"
-
-do_compile_append() {
- oe_runmake pywrap \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}' \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
- PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
- PYTHONLIBDIR='${PYLIB}'
-}
-
-do_install_append() {
- oe_runmake install-pywrap swigify \
- PYCEXT='.so' \
- PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
-
- # Update "policy-version" for semanage.conf
- sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 30/' \
- ${D}/etc/selinux/semanage.conf
-}
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
deleted file mode 100644
index 73613d3..0000000
--- a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Thu, 18 Feb 2016 02:39:16 +0000
-Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- src/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/Makefile b/src/Makefile
-index dea751e..4af4568 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS)
-
- $(LIBPC): $(LIBPC).in ../VERSION
- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
-
- semanageswig_python_exception.i: ../include/semanage/semanage.h
- bash -e exception.sh > $@ || (rm -f $@ ; false)
---
-2.7.4
-
diff --git a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
index e3c2f82..daaeb3b 100644
--- a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
+++ b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
@@ -1,4 +1,4 @@
-From c87bef28e768e2f6bc8612a768ebf9099d156576 Mon Sep 17 00:00:00 2001
+From a91134e98ba4b3b6645d12bb68a07976b60f86c8 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Mon, 26 Mar 2012 15:15:16 +0800
Subject: [PATCH] libsemanage: Fix execve segfaults on Ubuntu.
@@ -9,15 +9,18 @@ Such as "make load" while building refpolicy.
http://oss.tresys.com/pipermail/refpolicy/2011-December/004859.html
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
src/semanage_store.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/semanage_store.c b/src/semanage_store.c
-index 6158d08..1923f0f 100644
+index 27c5d34..519f298 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
-@@ -1405,7 +1405,7 @@ static int semanage_exec_prog(semanage_handle_t * sh,
+@@ -1470,7 +1470,7 @@ static int semanage_exec_prog(semanage_handle_t * sh,
if (forkval == 0) {
/* child process. file descriptors will be closed
* because they were set as close-on-exec. */
@@ -26,3 +29,6 @@ index 6158d08..1923f0f 100644
_exit(EXIT_FAILURE); /* if execve() failed */
}
+--
+2.25.1
+
diff --git a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch
index 205bc97..e9df8be 100644
--- a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch
+++ b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch
@@ -1,12 +1,11 @@
-From 8981b979e36afe2d8384b63c3f48fa8854d1983a Mon Sep 17 00:00:00 2001
+From c96010440e7a2a87787a535fd0f9ccf26a2b4a5e Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 20 Jan 2014 03:53:48 -0500
Subject: [PATCH] libsemanage: allow to disable audit support
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
---
src/Makefile | 10 +++++++++-
src/seusers_local.c | 13 +++++++++++++
@@ -14,11 +13,11 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
-index d457208..e8831ab 100644
+index d525996..2f5e159 100644
--- a/src/Makefile
+++ b/src/Makefile
-@@ -29,6 +29,14 @@ ifeq ($(DEBUG),1)
- export LDFLAGS = -g
+@@ -27,6 +27,14 @@ ifeq ($(DEBUG),1)
+ export LDFLAGS ?= -g
endif
+DISABLE_AUDIT ?= n
@@ -32,17 +31,17 @@ index d457208..e8831ab 100644
LEX = flex
LFLAGS = -s
YACC = bison
-@@ -91,7 +99,7 @@ $(LIBA): $(OBJS)
+@@ -90,7 +98,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
$(LIBSO): $(LOBJS)
-- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
-+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+- $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
++ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
ln -sf $@ $(TARGET)
$(LIBPC): $(LIBPC).in ../VERSION
diff --git a/src/seusers_local.c b/src/seusers_local.c
-index 42c3a8b..9ee31e2 100644
+index 795a33d..6539cdf 100644
--- a/src/seusers_local.c
+++ b/src/seusers_local.c
@@ -8,7 +8,11 @@ typedef struct semanage_seuser record_t;
@@ -57,7 +56,7 @@ index 42c3a8b..9ee31e2 100644
#include <errno.h>
#include "user_internal.h"
#include "seuser_internal.h"
-@@ -51,6 +55,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename)
+@@ -56,6 +60,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename)
return roles;
}
@@ -65,7 +64,7 @@ index 42c3a8b..9ee31e2 100644
static int semanage_seuser_audit(semanage_handle_t * handle,
const semanage_seuser_t * seuser,
const semanage_seuser_t * previous,
-@@ -114,6 +119,7 @@ err:
+@@ -120,6 +125,7 @@ err:
free(proles);
return rc;
}
@@ -73,7 +72,7 @@ index 42c3a8b..9ee31e2 100644
int semanage_seuser_modify_local(semanage_handle_t * handle,
const semanage_seuser_key_t * key,
-@@ -158,8 +164,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle,
+@@ -164,8 +170,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle,
(void) semanage_seuser_query(handle, key, &previous);
handle->msg_callback = callback;
rc = dbase_modify(handle, dconfig, key, new);
@@ -85,7 +84,7 @@ index 42c3a8b..9ee31e2 100644
err:
if (previous)
semanage_seuser_free(previous);
-@@ -175,8 +184,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle,
+@@ -181,8 +190,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle,
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
rc = dbase_del(handle, dconfig, key);
semanage_seuser_query(handle, key, &seuser);
@@ -99,10 +98,10 @@ index 42c3a8b..9ee31e2 100644
semanage_seuser_free(seuser);
return rc;
diff --git a/tests/Makefile b/tests/Makefile
-index 2ef8d30..50d582a 100644
+index 69f49a3..f914492 100644
--- a/tests/Makefile
+++ b/tests/Makefile
-@@ -6,10 +6,18 @@ SOURCES = $(sort $(wildcard *.c))
+@@ -4,10 +4,18 @@ CILS = $(sort $(wildcard *.cil))
###########################################################################
@@ -120,5 +119,8 @@ index 2ef8d30..50d582a 100644
-override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol
+override LDLIBS += -lcunit -lbz2 $(LIBAUDIT) -lselinux -lsepol
- OBJECTS = $(SOURCES:.c=.o)
-
+ OBJECTS = $(SOURCES:.c=.o)
+ POLICIES = $(CILS:.cil=.policy)
+--
+2.25.1
+
diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
deleted file mode 100644
index 8b15a80..0000000
--- a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0e97e4d19627f78bf04445cd51902ccf4f7cf239 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@windriver.com>
-Date: Tue, 15 Oct 2013 10:17:38 -0400
-Subject: [PATCH] libsemanage: define FD_CLOEXEC as necessary
-
-In truly old systems, even FD_CLOEXEC may not be defined. Produce a
-warning and duplicate the #define for FD_CLOEXEC found in
-asm-generic/fcntl.h on more modern platforms.
-
-Uptream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-
----
- libsemanage/src/semanage_store.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 1923f0f..f7a8760 100644
---- a/libsemanage/src/semanage_store.c
-+++ b/libsemanage/src/semanage_store.c
-@@ -66,6 +66,11 @@ typedef struct dbase_policydb dbase_t;
-
- #define TRUE 1
-
-+#ifndef FD_CLOEXEC
-+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
-+#define FD_CLOEXEC 1
-+#endif
-+
- enum semanage_file_defs {
- SEMANAGE_ROOT,
- SEMANAGE_TRANS_LOCK,
diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
index ea7ba20..d880e1e 100644
--- a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
+++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
@@ -1,4 +1,4 @@
-From 4376342a5382df384cb387e2a63eaf0bddb51d26 Mon Sep 17 00:00:00 2001
+From 7af73c1684ce0e30ce0cd58b51708bde1e3a1984 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe@deserted.net>
Date: Wed, 7 May 2014 11:36:27 -0400
Subject: [PATCH] libsemanage: disable expand-check on policy load
@@ -12,16 +12,15 @@ Upstream-Status: Denied [upstream developers want to preserve the default
checking: http://marc.info/?l=selinux&m=121794804217721&w=2]
Signed-off-by: Joe MacDonald <joe@deserted.net>
-
---
src/semanage.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/semanage.conf b/src/semanage.conf
-index dc8d46b..254f156 100644
+index 98d769b..708fa8c 100644
--- a/src/semanage.conf
+++ b/src/semanage.conf
-@@ -39,3 +39,7 @@ module-store = direct
+@@ -40,3 +40,7 @@ module-store = direct
# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen
@@ -29,3 +28,6 @@ index dc8d46b..254f156 100644
+# Don't check the entire policy hierarchy when inserting / expanding a policy
+# module. This results in a significant speed-up in policy loading.
+expand-check=0
+--
+2.25.1
+
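Review bot: The comment the patch adds above `expand-check=0` records only the speed-up and says nothing about the cost, which is the security-relevant part: as far as I recall semanage.conf's own documentation, disabling expand-check also skips neverallow/assertion checking when a module is inserted, so a module that conflicts with the base policy's neverallow rules is accepted silently and the violation surfaces later, if at all. Now that the patch is carried forward to libsemanage 3.6 with an upstream-Denied status, the trade-off should be stated where the setting lives. I would extend the patch's comment with a line such as `# NOTE: this also disables neverallow checking at module insertion time; set expand-check=1 when validating policy changes.` The rest of semanage.conf is outside the hunk.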
diff --git a/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch b/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch
deleted file mode 100644
index cf88150..0000000
--- a/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 3f65789f172003c499f24f00d73a42867fccd277 Mon Sep 17 00:00:00 2001
-From: Randy MacLeod <Randy.MacLeod@windriver.com>
-Date: Tue, 30 Apr 2013 23:15:57 -0400
-Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable
-
-Upstream status: inappropriate (older compilers only).
-
-Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
-
----
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index fdb178f..d457208 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -58,7 +58,7 @@ OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o
- LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
- CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
-
--SWIG_CFLAGS += -Wno-error -Wno-unused-but-set-variable -Wno-unused-variable -Wno-shadow \
-+SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-shadow \
- -Wno-unused-parameter
-
- override CFLAGS += -I../include -D_GNU_SOURCE
diff --git a/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch b/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch
deleted file mode 100644
index 43c5382..0000000
--- a/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 1f8164e044f2f727b08c28a69bea19cbf49b071b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 8 Feb 2013 15:16:07 +0800
-Subject: [PATCH] libsemange: fix incorrect path for nologin
-
-shadow package of oe-core and Debian has installed nologin into
-/usr/sbin, so fix this path.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
----
- src/genhomedircon.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/genhomedircon.c b/src/genhomedircon.c
-index b9a74b7..d574ee2 100644
---- a/src/genhomedircon.c
-+++ b/src/genhomedircon.c
-@@ -60,7 +60,7 @@
-
- /* other paths */
- #define PATH_SHELLS_FILE "/etc/shells"
--#define PATH_NOLOGIN_SHELL "/sbin/nologin"
-+#define PATH_NOLOGIN_SHELL "/usr/sbin/nologin"
-
- /* comments written to context file */
- #define COMMENT_FILE_CONTEXT_HEADER "#\n#\n# " \
-@@ -395,7 +395,7 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
-
- /* NOTE: old genhomedircon printed a warning on match */
- if (hand.matched) {
-- WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
-+ WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /usr/sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
- } else {
- if (semanage_list_push(&homedir_list, path))
- goto fail;
diff --git a/recipes-security/selinux/libsemanage_2.8.bb b/recipes-security/selinux/libsemanage_2.8.bb
deleted file mode 100644
index 38942e3..0000000
--- a/recipes-security/selinux/libsemanage_2.8.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "62ed7bb2ede677a735f2750751677a4f"
-SRC_URI[sha256sum] = "1c0de8d2c51e5460926c21e371105c84a39087dfd8f8e9f0cc1d017e4cbea8e2"
-
-SRC_URI += "\
- file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
- file://libsemanage-fix-path-nologin.patch \
- file://libsemanage-drop-Wno-unused-but-set-variable.patch \
- file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
- file://libsemanage-allow-to-disable-audit-support.patch \
- file://libsemanage-disable-expand-check-on-policy-load.patch \
- file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
- "
-FILES_${PN} += "/usr/libexec"
diff --git a/recipes-security/selinux/libsemanage_3.6.bb b/recipes-security/selinux/libsemanage_3.6.bb
new file mode 100644
index 0000000..93eb870
--- /dev/null
+++ b/recipes-security/selinux/libsemanage_3.6.bb
@@ -0,0 +1,56 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc
+
+inherit lib_package python3native
+
+SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
+ file://libsemanage-allow-to-disable-audit-support.patch \
+ file://libsemanage-disable-expand-check-on-policy-load.patch \
+ "
+
+DEPENDS = "libsepol libselinux python3 bison-native swig-native"
+
+DEPENDS:append:class-target = " audit"
+
+S = "${WORKDIR}/git/libsemanage"
+
+EXTRA_OEMAKE:class-native = "DISABLE_AUDIT=y"
+
+PACKAGES =+ "${PN}-python"
+
+# For /usr/libexec/selinux/semanage_migrate_store
+RDEPENDS:${PN}-python = "python3-core"
+
+FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \
+ ${libexecdir}/selinux/semanage_migrate_store"
+FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*"
+FILES:${PN} += "${libexecdir}"
+
+do_compile:append() {
+ oe_runmake pywrap \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install:append() {
+ oe_runmake install-pywrap \
+ DESTDIR=${D} \
+ PYCEXT='.so' \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
+
+ # Update "policy-version" for semanage.conf
+ sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 33/' \
+ ${D}/etc/selinux/semanage.conf
+}
+
+BBCLASSEXTEND = "native"
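Review bot: The `sed` at the end of `do_install:append` writes to `${D}/etc/selinux/semanage.conf`, hard-coding `/etc` where the rest of the recipe uses `${sysconfdir}`/`${libexecdir}`, and it pins `policy-version` to the bare number 33 with no comment on why. The path should be `${D}${sysconfdir}/selinux/semanage.conf`, and the comment above it should say what 33 is, presumably the binary policy version the generated policy must not exceed and therefore one the target kernel has to support, so confirm which kernel this was chosen for. The `sed` also succeeds silently if the commented `#policy-version` line is absent or spelled differently, so a follow-up `grep -q '^policy-version = 33' ${D}${sysconfdir}/selinux/semanage.conf` would make the build fail loudly instead of shipping an unchanged configuration file.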
diff --git a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
deleted file mode 100644
index 987fdab..0000000
--- a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Thu, 18 Feb 2016 02:04:59 +0000
-Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index ccb7023..2bb6290 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
- ln -sf $@ $(TARGET)
-
- $(LIBPC): $(LIBPC).in ../VERSION
-- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
-
- $(LIBMAP): $(LIBMAP).in
- ifneq ($(DISABLE_CIL),y)
---
-2.7.4
-
diff --git a/recipes-security/selinux/libsepol_2.8.bb b/recipes-security/selinux/libsepol_2.8.bb
deleted file mode 100644
index d1f905b..0000000
--- a/recipes-security/selinux/libsepol_2.8.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
-SRC_URI[sha256sum] = "3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol.inc b/recipes-security/selinux/libsepol_3.6.bb
index a8ee749..0c28e9b 100644
--- a/recipes-security/selinux/libsepol.inc
+++ b/recipes-security/selinux/libsepol_3.6.bb
@@ -4,14 +4,15 @@ It is used by checkpolicy (the policy compiler) and similar tools, as well \
as by programs like load_policy that need to perform specific transformations \
on binary policies such as customizing policy boolean settings."
SECTION = "base"
-LICENSE = "LGPLv2+"
+LICENSE = "LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc
inherit lib_package
-# Change RANLIB for cross compiling, use host-tools $(AR) rather than
-# local ranlib.
-EXTRA_OEMAKE += "RANLIB='$(AR) s'"
+S = "${WORKDIR}/git/libsepol"
-DEPENDS += "flex-native"
+DEPENDS = "flex-native"
BBCLASSEXTEND = "native"
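Review bot: The new `LICENSE = "LGPL-2.0-or-later"` disagrees with the checksum on the line that follows it: `LIC_FILES_CHKSUM` uses md5 a6f89e2100d9b6cdffcea4f398e37343, the same value libsemanage_3.6.bb in this diff pairs with `LGPL-2.1-or-later`, so one of the two recipes mislabels the same license text. As far as I recall that md5 is the LGPL-2.1 file, which would make `LICENSE = "LGPL-2.1-or-later"` the correct line here; please verify against the LICENSE file in the libsepol tree before merging. Changing `DEPENDS += "flex-native"` to `DEPENDS = "flex-native"` is only safe if selinux_common.inc sets no DEPENDS of its own, which cannot be seen from this hunk.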
diff --git a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
index 805d7e5..74ae879 100644
--- a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
@@ -1,21 +1,23 @@
-commit 54875dcb50f5e40fc86d6fe98dde244bfe4751af
-Author: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri Aug 7 15:16:45 2015 -0400
+From 580a625e9e1266d92c248a5e3f471d12d42c149b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 7 Aug 2015 15:16:45 -0400
+Subject: [PATCH] mcstrans: remove dependency on bash in initscript
- mcstrans: remove dependency on bash in initscript
+There were no apparent bashisms in mcstrans.init, so remove the
+dependency on bash.
- There were no apparent bashisms in mcstrans.init, so remove the dependency
- on bash.
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
- Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- src/mcstrans.init | 2 +-
+ src/mcstrans.init | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/mcstrans.init b/src/mcstrans.init
+index 2804ec0..8b4737d 100644
--- a/src/mcstrans.init
+++ b/src/mcstrans.init
@@ -1,4 +1,4 @@
@@ -24,3 +26,6 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
#
# mcstransd This starts and stops mcstransd
#
+--
+2.25.1
+
diff --git a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
index 5f7163d..a560722 100644
--- a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
@@ -1,17 +1,21 @@
-[PATCH] mcstrans: fix the init script
-
-Upstream-Status: Inappropriate [embedded specific]
+From 123d5b6413905bfad535a072ff0ab5a495cb2a2a Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Wed, 6 Nov 2019 22:13:33 +0800
+Subject: [PATCH] mcstrans: fix the init script
replace daemon with start-stop-daemon, due to not daemon functions
+Upstream-Status: Inappropriate [embedded specific]
+
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
src/mcstrans.init | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mcstrans.init b/src/mcstrans.init
-index 2804ec0..c660290 100644
+index 8b4737d..86c89ea 100644
--- a/src/mcstrans.init
+++ b/src/mcstrans.init
@@ -51,7 +51,7 @@ start(){
@@ -24,5 +28,5 @@ index 2804ec0..c660290 100644
echo
if test $RETVAL = 0 ; then
--
-1.9.1
+2.25.1
diff --git a/recipes-security/selinux/mcstrans_2.8.bb b/recipes-security/selinux/mcstrans_2.8.bb
deleted file mode 100644
index 8923c3c..0000000
--- a/recipes-security/selinux/mcstrans_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c"
-SRC_URI[sha256sum] = "ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4"
diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans_3.6.bb
index 2568c8d..4a8482f 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans_3.6.bb
@@ -1,20 +1,30 @@
+
SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"
DESCRIPTION = "\
mcstrans provides an translation daemon to translate SELinux categories \
from internal representations to user defined representation."
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+require selinux_common.inc
+
+inherit pkgconfig systemd update-rc.d
SRC_URI += "file://mcstrans-de-bashify.patch \
- file://0001-mcstrans-fix-the-init-script.patch \
-"
+ file://mcstrans-fix-the-init-script.patch \
+ "
+
+DEPENDS = "libsepol libselinux libcap"
-inherit systemd update-rc.d
+EXTRA_OEMAKE = "SBINDIR=${base_sbindir} \
+ INITDIR=${sysconfdir}/init.d \
+ SYSTEMDDIR=${systemd_unitdir} \
+ "
-DEPENDS += "libsepol libselinux libcap"
+S = "${WORKDIR}/git/mcstrans"
-do_install_append() {
+do_install:append() {
install -d ${D}${sbindir}
install -m 755 utils/untranscon ${D}${sbindir}/
install -m 755 utils/transcon ${D}${sbindir}/
@@ -26,18 +36,18 @@ do_install_append() {
else
install -d ${D}${sysconfdir}/default/volatiles
echo "d root root 0755 /var/run/setrans none" \
- >${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
+ >${D}${sysconfdir}/default/volatiles/80_mcstrans
fi
install -d ${D}${datadir}/mcstrans
cp -r share/* ${D}${datadir}/mcstrans/.
}
-SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
+SYSTEMD_SERVICE:mcstrans = "mcstrans.service"
INITSCRIPT_PACKAGES = "mcstrans"
-INITSCRIPT_NAME_mcstrans = "mcstrans"
-INITSCRIPT_PARAMS_mcstrans = "defaults"
+INITSCRIPT_NAME:mcstrans = "mcstrans"
+INITSCRIPT_PARAMS:mcstrans = "defaults"
-pkg_postinst_mcstrans () {
+pkg_postinst:mcstrans () {
if [ -z "$D" ]; then
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
deleted file mode 100644
index 85ff164..0000000
--- a/recipes-security/selinux/policycoreutils.inc
+++ /dev/null
@@ -1,182 +0,0 @@
-SUMMARY = "SELinux policy core utilities"
-DESCRIPTION = "policycoreutils contains the policy core utilities that are required \
-for basic operation of a SELinux system. These utilities include \
-load_policy to load policies, setfiles to label filesystems, newrole \
-to switch roles, and run_init to run /etc/init.d scripts in the proper \
-context."
-SECTION = "base"
-LICENSE = "GPLv2+"
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- file://policycoreutils-fixfiles-de-bashify.patch \
- "
-
-PAM_SRC_URI = "file://pam.d/newrole \
- file://pam.d/run_init \
-"
-
-DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
-EXTRA_DEPENDS = "libcap-ng libcgroup"
-DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
-
-inherit selinux pythonnative
-
-RDEPENDS_${BPN}-fixfiles += "\
- ${BPN}-setfiles \
- grep \
- findutils \
-"
-RDEPENDS_${BPN}-genhomedircon += "\
- ${BPN}-genhomedircon \
- ${BPN}-semodule \
-"
-RDEPENDS_${BPN}-loadpolicy += "\
- libselinux \
- libsepol \
-"
-RDEPENDS_${BPN}-newrole += "\
- libcap-ng \
- libselinux \
-"
-RDEPENDS_${BPN}-runinit += "libselinux"
-RDEPENDS_${BPN}-secon += "libselinux"
-RDEPENDS_${BPN}-semodule += "\
- libsepol \
- libselinux \
- libsemanage \
-"
-# static link to libsepol
-RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
-RDEPENDS_${BPN}-sestatus += "libselinux"
-RDEPENDS_${BPN}-setfiles += "\
- libselinux \
- libsepol \
-"
-RDEPENDS_${BPN}-setsebool += "\
- libsepol \
- libselinux \
- libsemanage \
-"
-RDEPENDS_${BPN} += "selinux-python"
-
-WARN_QA_remove = " unsafe-references-in-scripts"
-ERROR_QA_remove = " unsafe-references-in-scripts"
-
-
-PACKAGES =+ "\
- ${PN}-fixfiles \
- ${PN}-genhomedircon \
- ${PN}-hll \
- ${PN}-loadpolicy \
- ${PN}-newrole \
- ${PN}-runinit \
- ${PN}-secon \
- ${PN}-semodule \
- ${PN}-sestatus \
- ${PN}-setfiles \
- ${PN}-setsebool \
-"
-FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
-FILES_${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
-FILES_${PN}-loadpolicy += "\
- ${base_sbindir}/load_policy \
-"
-FILES_${PN}-newrole += "\
- ${bindir}/newrole \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
-"
-FILES_${PN}-runinit += "\
- ${base_sbindir}/run_init \
- ${base_sbindir}/open_init_pty \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
-"
-FILES_${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
-FILES_${PN}-secon += "${bindir}/secon"
-FILES_${PN}-semodule += "${base_sbindir}/semodule"
-FILES_${PN}-hll += "${prefix}/libexec/selinux/hll/*"
-FILES_${PN}-sestatus += "\
- ${base_sbindir}/sestatus \
- ${sysconfdir}/sestatus.conf \
-"
-FILES_${PN}-setfiles += "\
- ${base_sbindir}/restorecon \
- ${base_sbindir}/setfiles \
-"
-FILES_${PN}-setsebool += "\
- ${base_sbindir}/setsebool \
- ${datadir}/bash-completion/completions/setsebool \
-"
-
-export STAGING_INCDIR
-export STAGING_LIBDIR
-export BUILD_SYS
-export HOST_SYS
-
-PACKAGECONFIG_class-target ?= "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
- audit \
-"
-
-PACKAGECONFIG[libpam] = ",,libpam,"
-PACKAGECONFIG[audit] = ",,audit,"
-
-EXTRA_OEMAKE += "\
- ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \
- INOTIFYH=n \
- PREFIX=${D} \
- SBINDIR=${base_sbindir} \
-"
-
-BBCLASSEXTEND = "native"
-
-PCU_NATIVE_CMDS = "setfiles semodule hll"
-
-do_compile_class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}'
- done
-}
-
-sysroot_stage_dirs_append_class-native() {
- cp -R $from/${prefix}/libexec $to/${prefix}/libexec
-}
-
-do_compile_prepend() {
- export PYTHON=python
- export PYLIBVER='python${PYTHON_BASEVERSION}'
- export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
- export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
- export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
-}
-
-do_install_prepend() {
- export PYTHON=python
- export SBINDIR="${D}/${base_sbindir}"
-}
-
-do_install_class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- SBINDIR="${base_sbindir}"
- done
-}
-
-do_install_append_class-target() {
- if [ -e ${WORKDIR}/pam.d ]; then
- install -d ${D}${sysconfdir}/pam.d/
- install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
- fi
-
- # /var/lib/selinux is involved by seobject.py:
- # + dirname = "/var/lib/selinux"
- # and it's required for running command:
- # $ semanage permissive [OPTS]
- install -d ${D}${localstatedir}/lib/selinux
-}
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
index 70cdd4f..5dcb5e4 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
@@ -1,4 +1,4 @@
-From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001
+From 624d6231ca9daf494e33352d562ff97cb0219f2d Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 20 Feb 2015 17:00:19 -0500
Subject: [PATCH] fixfiles: de-bashify
@@ -10,7 +10,7 @@ necessarily the best option here. Introducing a second invocation of rpm
is minimal overhead on an operation that should happen very infrequently,
so we'll try that instead.
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
@@ -19,7 +19,7 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/scripts/fixfiles b/scripts/fixfiles
-index 1aa330f..a10837d 100755
+index 166af6f..a23cdc6 100755
--- a/scripts/fixfiles
+++ b/scripts/fixfiles
@@ -1,4 +1,4 @@
@@ -51,7 +51,7 @@ index 1aa330f..a10837d 100755
exclude_from_relabelling="$exclude_from_relabelling -e $i"
done < /etc/selinux/fixfiles_exclude_dirs
fi
-@@ -138,7 +139,7 @@ fi
+@@ -140,7 +141,7 @@ fi
# Log directories excluded from relabelling by configuration file
#
LogExcluded() {
@@ -60,7 +60,7 @@ index 1aa330f..a10837d 100755
echo "skipping the directory $i"
done
}
-@@ -201,8 +202,12 @@ fi
+@@ -203,8 +204,12 @@ fi
}
rpmlist() {
@@ -74,8 +74,8 @@ index 1aa330f..a10837d 100755
+ fi
}
- #
-@@ -276,7 +281,7 @@ relabel() {
+ # unmount tmp bind mount before exit
+@@ -315,7 +320,7 @@ relabel() {
exit 1
fi
@@ -85,5 +85,5 @@ index 1aa330f..a10837d 100755
return
fi
--
-2.13.0
+2.25.1
diff --git a/recipes-security/selinux/policycoreutils_2.8.bb b/recipes-security/selinux/policycoreutils_2.8.bb
deleted file mode 100644
index 85f6ff0..0000000
--- a/recipes-security/selinux/policycoreutils_2.8.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "da5ceb9c7e1e6f8c573731031b91cffe"
-SRC_URI[sha256sum] = "986553a235f27bee7ad7c2b7c35ea51eb2ee68e2cf03b661b1585de101bc1099"
-
diff --git a/recipes-security/selinux/policycoreutils_3.6.bb b/recipes-security/selinux/policycoreutils_3.6.bb
new file mode 100644
index 0000000..c106ee7
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_3.6.bb
@@ -0,0 +1,179 @@
+SUMMARY = "SELinux policy core utilities"
+DESCRIPTION = "policycoreutils contains the policy core utilities that are required \
+for basic operation of a SELinux system. These utilities include \
+load_policy to load policies, setfiles to label filesystems, newrole \
+to switch roles, and run_init to run /etc/init.d scripts in the proper \
+context."
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://policycoreutils-fixfiles-de-bashify.patch \
+ "
+
+PAM_SRC_URI = "file://pam.d/newrole \
+ file://pam.d/run_init \
+ "
+
+DEPENDS = "libsepol libselinux libsemanage gettext-native"
+DEPENDS:append:class-target = " libcap-ng"
+
+S = "${WORKDIR}/git/policycoreutils"
+
+inherit selinux python3native
+
+RDEPENDS:${PN}-fixfiles = "\
+ ${PN}-setfiles \
+ grep \
+ findutils \
+"
+RDEPENDS:${PN}-genhomedircon = "\
+ ${PN}-semodule \
+"
+RDEPENDS:${PN}-loadpolicy = "\
+ libselinux \
+ libsepol \
+"
+RDEPENDS:${PN}-newrole = "\
+ libcap-ng \
+ libselinux \
+"
+RDEPENDS:${PN}-runinit = "libselinux"
+RDEPENDS:${PN}-secon = "libselinux"
+RDEPENDS:${PN}-semodule = "\
+ libsepol \
+ libselinux \
+ libsemanage \
+"
+RDEPENDS:${PN}-sestatus = "libselinux"
+RDEPENDS:${PN}-setfiles = "\
+ libselinux \
+ libsepol \
+"
+RDEPENDS:${PN}-setsebool = "\
+ libsepol \
+ libselinux \
+ libsemanage \
+"
+RDEPENDS:${PN}:class-target = "selinux-python"
+
+PACKAGES =+ "\
+ ${PN}-fixfiles \
+ ${PN}-genhomedircon \
+ ${PN}-hll \
+ ${PN}-loadpolicy \
+ ${PN}-newrole \
+ ${PN}-runinit \
+ ${PN}-secon \
+ ${PN}-semodule \
+ ${PN}-sestatus \
+ ${PN}-setfiles \
+ ${PN}-setsebool \
+"
+FILES:${PN}-fixfiles = "${base_sbindir}/fixfiles"
+FILES:${PN}-genhomedircon = "${base_sbindir}/genhomedircon"
+FILES:${PN}-loadpolicy = "\
+ ${base_sbindir}/load_policy \
+"
+FILES:${PN}-newrole = "\
+ ${bindir}/newrole \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+"
+FILES:${PN}-runinit = "\
+ ${base_sbindir}/run_init \
+ ${base_sbindir}/open_init_pty \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+"
+FILES:${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
+FILES:${PN}-secon = "${bindir}/secon"
+FILES:${PN}-semodule = "${base_sbindir}/semodule"
+FILES:${PN}-hll = "${prefix}/libexec/selinux/hll/*"
+FILES:${PN}-sestatus = "\
+ ${base_sbindir}/sestatus \
+ ${sysconfdir}/sestatus.conf \
+"
+FILES:${PN}-setfiles = "\
+ ${base_sbindir}/restorecon \
+ ${base_sbindir}/restorecon_xattr \
+ ${base_sbindir}/setfiles \
+"
+FILES:${PN}-setsebool = "\
+ ${base_sbindir}/setsebool \
+ ${datadir}/bash-completion/completions/setsebool \
+"
+
+export STAGING_INCDIR
+export STAGING_LIBDIR
+export BUILD_SYS
+export HOST_SYS
+
+PACKAGECONFIG:class-target ?= "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
+ audit \
+"
+PACKAGECONFIG:class-native ?= ""
+
+PACKAGECONFIG[libpam] = ",,libpam,"
+PACKAGECONFIG[audit] = ",,audit,"
+
+EXTRA_OEMAKE = "\
+ ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \
+ INOTIFYH=n \
+ PREFIX=${prefix} \
+ SBINDIR=${base_sbindir} \
+"
+
+BBCLASSEXTEND = "native"
+
+PCU_NATIVE_CMDS = "setfiles semodule hll"
+
+do_compile:prepend() {
+ export PYTHON=python3
+ export PYLIBVER='python${PYTHON_BASEVERSION}'
+ export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
+ export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
+ export PYTHON_SITE_PKG="${PYTHON_SITEPACKAGES_DIR}"
+}
+
+do_compile:class-native() {
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD \
+ INCLUDEDIR='${STAGING_INCDIR}' \
+ LIBDIR='${STAGING_LIBDIR}'
+ done
+}
+
+sysroot_stage_dirs:append:class-native() {
+ cp -R $from/${prefix}/libexec $to/${prefix}/libexec
+}
+
+do_install:prepend() {
+ export PYTHON=python3
+ export SBINDIR="${D}/${base_sbindir}"
+}
+
+do_install:class-native() {
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD install \
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ SBINDIR="${base_sbindir}"
+ done
+}
+
+do_install:append:class-target() {
+ if [ -e ${WORKDIR}/pam.d ]; then
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+ fi
+
+ # /var/lib/selinux is involved by seobject.py:
+ # + dirname = "/var/lib/selinux"
+ # and it's required for running command:
+ # $ semanage permissive [OPTS]
+ install -d ${D}${localstatedir}/lib/selinux
+}
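Review bot: The packaging of the hll helpers uses `${prefix}/libexec` in three places (`FILES:${PN}-dbg`, `FILES:${PN}-hll`, and the `cp -R` in `sysroot_stage_dirs:append:class-native`) while libsemanage_3.6.bb in the same diff uses `${libexecdir}`; if a distro sets `libexecdir` elsewhere, the hll package comes out empty and the compiled helpers are left unpackaged. I would change those three to `${libexecdir}/selinux/hll/.debug`, `${libexecdir}/selinux/hll/*` and `cp -R $from/${libexecdir} $to/${libexecdir}`. Unrelated to that, the `PACKAGECONFIG:class-target` default of `audit` is the sensible choice for a recipe that ships newrole and run_init; a short comment saying that disabling it builds those tools without audit support would help the next reader decide whether to flip it.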
diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond.inc
deleted file mode 100644
index d168303..0000000
--- a/recipes-security/selinux/restorecond.inc
+++ /dev/null
@@ -1,24 +0,0 @@
-SUMMARY = "Daemon to watch for file creation and set default file context"
-DESCRIPTION = "\
-The restorecond daemon uses inotify to watch files listed in the \
-/etc/selinux/restorecond.conf, when they are created, this daemon \
-will make sure they have the correct file context associated with \
-the policy."
-
-SECTION = "base"
-LICENSE = "GPLv2+"
-
-SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
-"
-
-inherit systemd update-rc.d
-
-DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
-
-FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
-"
-
-SYSTEMD_SERVICE_restorecond = "restorecond.service"
-INITSCRIPT_PACKAGES = "restorecond"
-INITSCRIPT_NAME_restorecond = "restorecond"
-INITSCRIPT_PARAMS_restorecond = "defaults"
diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index ab1a10a..0000000
--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available. The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
-
-Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- user.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/user.c b/user.c
-index 2c28676..6235772 100644
---- a/user.c
-+++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server() {
- perror("asprintf");
- return -1;
- }
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
- if (debug_mode)
- g_warning ("Lock file: %s", ptr);
-
---
-1.7.9.5
-
diff --git a/recipes-security/selinux/restorecond_2.8.bb b/recipes-security/selinux/restorecond_2.8.bb
deleted file mode 100644
index 4a83a23..0000000
--- a/recipes-security/selinux/restorecond_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb"
-SRC_URI[sha256sum] = "323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf"
diff --git a/recipes-security/selinux/restorecond_3.6.bb b/recipes-security/selinux/restorecond_3.6.bb
new file mode 100644
index 0000000..8e57283
--- /dev/null
+++ b/recipes-security/selinux/restorecond_3.6.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Daemon to watch for file creation and set default file context"
+DESCRIPTION = "\
+The restorecond daemon uses inotify to watch files listed in the \
+/etc/selinux/restorecond.conf, when they are created, this daemon \
+will make sure they have the correct file context associated with \
+the policy."
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+inherit pkgconfig systemd update-rc.d
+
+DEPENDS = "libsepol libselinux glib-2.0"
+
+EXTRA_OEMAKE = "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
+ SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
+ "
+
+S = "${WORKDIR}/git/restorecond"
+
+FILES:${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
+ ${systemd_user_unitdir}/* \
+ "
+
+SYSTEMD_SERVICE:restorecond = "restorecond.service"
+INITSCRIPT_PACKAGES = "restorecond"
+INITSCRIPT_NAME:restorecond = "restorecond"
+INITSCRIPT_PARAMS:restorecond = "defaults"
+
+do_install:append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
+ # remove /usr/lib/systemd/user
+ rm -rf ${D}${nonarch_libdir}
+ fi
+}
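Review bot: `rm -rf ${D}${nonarch_libdir}` in do_install:append deletes the whole `${nonarch_libdir}` tree (typically /usr/lib) although the comment above it says only /usr/lib/systemd/user is meant, so anything else the Makefile installs under that prefix would be silently dropped on a non-systemd build. Scoping the removal to the directory the recipe already names in `EXTRA_OEMAKE` and `FILES:${PN}`, `rm -rf ${D}${systemd_user_unitdir}`, matches the comment; whether any other file lands under `${nonarch_libdir}` is not visible from this recipe, so that is to be confirmed against the install tree. The `false`/`true` swap in the `bb.utils.contains` call is easy to misread; a comment such as `# user units are only useful with systemd; drop them otherwise` would make the inverted condition explicit.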
diff --git a/recipes-security/selinux/secilc_2.8.bb b/recipes-security/selinux/secilc_2.8.bb
deleted file mode 100644
index 89e0684..0000000
--- a/recipes-security/selinux/secilc_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
-SRC_URI[sha256sum] = "cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
diff --git a/recipes-security/selinux/secilc.inc b/recipes-security/selinux/secilc_3.6.bb
index e263f11..5e0da3f 100644
--- a/recipes-security/selinux/secilc.inc
+++ b/recipes-security/selinux/secilc_3.6.bb
@@ -2,10 +2,14 @@ SUMMARY = "SELinux Common Intermediate Language (CIL) compiler"
DESCRIPTION = "\
This package contains secilc, the SELinux Common Intermediate \
Language (CIL) compiler."
-
SECTION = "base"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=c7e802b9a3b0c2c852669864c08b9138"
+
+require selinux_common.inc
+
+DEPENDS = "libsepol xmlto-native"
-DEPENDS += "libsepol xmlto-native"
+S = "${WORKDIR}/git/secilc"
BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb b/recipes-security/selinux/selinux-dbus_2.8.bb
deleted file mode 100644
index 5091624..0000000
--- a/recipes-security/selinux/selinux-dbus_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325"
-SRC_URI[sha256sum] = "3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6"
diff --git a/recipes-security/selinux/selinux-dbus.inc b/recipes-security/selinux/selinux-dbus_3.6.bb
index 1b66136..b1198af 100644
--- a/recipes-security/selinux/selinux-dbus.inc
+++ b/recipes-security/selinux/selinux-dbus_3.6.bb
@@ -1,13 +1,17 @@
SUMMARY = "SELinux dbus service files"
DESCRIPTION = "\
Provide SELinux dbus service files and scripts."
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+S = "${WORKDIR}/git/dbus"
-RDEPENDS_${PN} += "python selinux-python-sepolicy"
+RDEPENDS:${PN} = "python3-core selinux-python-sepolicy"
-FILES_${PN} += "\
+FILES:${PN} += "\
${datadir}/system-config-selinux/selinux_server.py \
${datadir}/polkit-1/actions/org.selinux.policy \
${datadir}/dbus-1/system-services/org.selinux.service \
diff --git a/recipes-security/selinux/selinux-gui_2.8.bb b/recipes-security/selinux/selinux-gui_2.8.bb
deleted file mode 100644
index 2c0fcd8..0000000
--- a/recipes-security/selinux/selinux-gui_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845"
-SRC_URI[sha256sum] = "17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d"
diff --git a/recipes-security/selinux/selinux-gui.inc b/recipes-security/selinux/selinux-gui_3.6.bb
index 1096f3f..fbd5e70 100644
--- a/recipes-security/selinux/selinux-gui.inc
+++ b/recipes-security/selinux/selinux-gui_3.6.bb
@@ -2,13 +2,18 @@ SUMMARY = "SELinux GUI tools"
DESCRIPTION = "\
Provide SELinux Management tool (system-config-selinux) and SELinux \
Policy Generation Tool (selinux-polgengui)"
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+S = "${WORKDIR}/git/gui"
-RDEPENDS_${PN} += "python"
+DEPENDS = "gettext-native"
+RDEPENDS:${PN} = "python3-core"
-FILES_${PN} += " \
+FILES:${PN} += " \
${datadir}/system-config-selinux/* \
${datadir}/icons/hicolor/* \
${datadir}/polkit-1/actions/org.selinux.config.policy \
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc
deleted file mode 100644
index bcdd449..0000000
--- a/recipes-security/selinux/selinux-initsh.inc
+++ /dev/null
@@ -1,35 +0,0 @@
-S ?= "${WORKDIR}"
-SECTION ?= "base"
-
-# Default is for script name to be the same as the recipe name.
-# Script must have .sh suffix.
-SELINUX_SCRIPT_SRC ?= "${BPN}"
-SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
-
-INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
-INITSCRIPT_PARAMS ?= "start 00 S ."
-
-CONFFILES_${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
-
-PACKAGE_ARCH ?= "${MACHINE_ARCH}"
-
-inherit update-rc.d systemd
-
-SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
-
-do_install () {
- install -d ${D}${sysconfdir}/init.d/
- install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
-
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
- fi
-}
-
-sysroot_stage_all_append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
-}
diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc
deleted file mode 100644
index c774de4..0000000
--- a/recipes-security/selinux/selinux-python.inc
+++ /dev/null
@@ -1,108 +0,0 @@
-SUMMARY = "Python modules and various SELinux utilities."
-DESCRIPTION = "\
-This package contains Python modules sepolgen, sepolicy; And the \
-SELinux utilities audit2allow, chcat, semanage ..."
-
-SECTION = "base"
-LICENSE = "GPLv2+"
-
-SRC_URI += "file://fix-sepolicy-install-path.patch \
- file://fix-TypeError-for-seobject.py.patch \
- file://process-ValueError-for-sepolicy-seobject.patch \
-"
-
-inherit python-dir
-
-DEPENDS += "python-native libsepol"
-RDEPENDS_${BPN}-audit2allow += "\
- python-textutils \
- libselinux-python \
- ${BPN}-sepolgen \
-"
-RDEPENDS_${BPN}-chcat += "\
- python-codecs \
- python-shell \
- python-stringold \
- python-unixadmin \
- libselinux-python \
- ${BPN} \
-"
-RDEPENDS_${BPN} += "\
- python-codecs \
- python-io \
- python-ipy \
- python-re \
- python-stringold \
- python-syslog \
- python-unixadmin \
- libselinux-python \
- libsemanage-python \
- setools \
-"
-RDEPENDS_${BPN}-semanage += "\
- python-core \
- python-ipy \
- python-compression \
- python-xml \
- libselinux-python \
- ${BPN} \
-"
-RDEPENDS_${BPN}-sepolicy += "\
- python-argparse \
- python-codecs \
- python-core \
- python-syslog \
- ${BPN} \
-"
-RDEPENDS_${BPN}-sepolgen-ifgen += "\
- python \
- libselinux-python \
-"
-
-PACKAGES =+ "\
- ${PN}-audit2allow \
- ${PN}-sepolgen-ifgen \
- ${PN}-chcat \
- ${PN}-semanage \
- ${PN}-sepolgen \
- ${PN}-sepolicy \
-"
-FILES_${PN}-audit2allow = "\
- ${bindir}/audit2allow \
- ${bindir}/audit2why \
-"
-FILES_${PN}-chcat = "\
- ${bindir}/chcat \
-"
-FILES_${PN}-semanage = "\
- ${sbindir}/semanage \
- ${datadir}/bash-completion/completions/semanage \
-"
-# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy
-FILES_${PN}-sepolicy += "\
- ${bindir}/sepolgen \
- ${bindir}/sepolicy \
- ${datadir}/bash-completion/completions/sepolicy \
-"
-FILES_${PN}-sepolgen-ifgen += "\
- ${bindir}/sepolgen-ifgen \
- ${bindir}/sepolgen-ifgen-attr-helper \
-"
-FILES_${PN}-sepolgen += "\
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
- ${localstatedir}/lib/sepolgen/perm_map \
-"
-# Map to policycoreutils-python in 2.6
-FILES_${PN} += "\
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
-"
-
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
-do_install() {
- oe_runmake DESTDIR=${D} \
- LIBDIR="${libdir}" \
- PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
- install
-}
diff --git a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
deleted file mode 100644
index 62cdeee..0000000
--- a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Tue, 1 Apr 2014 02:53:36 -0400
-Subject: [PATCH] policycoreutils: fix TypeError for seobject.py
-
-File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log
- message += " sename=" + sename
-TypeError: cannot concatenate 'str' and 'NoneType' objects
-
-Uptream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
----
- semanage/seobject.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/semanage/seobject.py b/semanage/seobject.py
-index 70fd192..23ab77e 100644
---- a/semanage/seobject.py
-+++ b/semanage/seobject.py
-@@ -146,7 +146,7 @@ except:
-
- def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
- message = " %s name=%s" % (msg, name)
-- if sename != "":
-+ if sename != "" and sename != None:
- message += " sename=" + sename
- if oldsename != "":
- message += " oldsename=" + oldsename
diff --git a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
index 6f68c94..bc048c1 100644
--- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
+++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
@@ -1,39 +1,30 @@
-From c1aae6cc131371729f098e4b0aa02142a85b5890 Mon Sep 17 00:00:00 2001
+From fb449373ae92a05c324895cd7daee1461a0f0349 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Mon, 23 Sep 2013 21:17:59 +0800
-Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
+Subject: [PATCH] sepolicy: fix install path for new pymodule sepolicy
-Uptream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- sepolicy/Makefile | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
+ sepolicy/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index fb8a132..a6ee749 100644
+index 1a26cfd..6e40691 100644
--- a/sepolicy/Makefile
+++ b/sepolicy/Makefile
-@@ -8,6 +8,8 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
- CFLAGS ?= -Wall -Werror -Wextra -W
- override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
-
-+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
-+
- BASHCOMPLETIONS=sepolicy-bash-completion.sh
-
- all: python-build
-@@ -26,7 +28,7 @@ test:
+@@ -27,7 +27,7 @@ test:
@$(PYTHON) test_sepolicy.py -v
install:
-- $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+ $(PYTHON) setup.py install --prefix=$(PREFIX) --install-lib $(DESTDIR)$(LIBDIR)/$(PYLIBVER)/site-packages
+- $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
++ $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) .
[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
(cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
--
-2.7.4
+2.25.1
diff --git a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
deleted file mode 100644
index b0bcd1d..0000000
--- a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 1a8bd0ca13746b5241af5736dee9a25ab360652b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sun, 30 Mar 2014 22:25:59 -0400
-Subject: [PATCH] semanage: process ValueError for sepolicy, seobject
-
-The sepolicy, seobject modules raise many unprocessed ValueError, just
-process them in semanage to make the script proivdes error message but
-not error trace.
-
-Uptream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
----
- semanage/semanage | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/semanage/semanage b/semanage/semanage
-index 313537c..2977dd0 100644
---- a/semanage/semanage
-+++ b/semanage/semanage
-@@ -25,8 +25,14 @@
-
- import traceback
- import argparse
--import seobject
- import sys
-+try:
-+ import seobject
-+ import sepolicy
-+except ValueError, e:
-+ print "Error: %s\n" % e
-+ sys.exit(1)
-+
- PROGNAME = "policycoreutils"
- try:
- import gettext
-@@ -73,9 +79,6 @@ usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modi
- usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] ["
- usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-
--import sepolicy
--
--
- class CheckRole(argparse.Action):
-
- def __call__(self, parser, namespace, value, option_string=None):
diff --git a/recipes-security/selinux/selinux-python_2.8.bb b/recipes-security/selinux/selinux-python_2.8.bb
deleted file mode 100644
index d63fdef..0000000
--- a/recipes-security/selinux/selinux-python_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "bd9850808203c76f07efd396bde790e3"
-SRC_URI[sha256sum] = "e69f5e24820cb247a3d881a9c90efba1e64d76af863c82fb81bc3b87ed71e238"
diff --git a/recipes-security/selinux/selinux-python_3.6.bb b/recipes-security/selinux/selinux-python_3.6.bb
new file mode 100644
index 0000000..79125d0
--- /dev/null
+++ b/recipes-security/selinux/selinux-python_3.6.bb
@@ -0,0 +1,122 @@
+SUMMARY = "Python modules and various SELinux utilities."
+DESCRIPTION = "\
+This package contains Python modules sepolgen, sepolicy; And the \
+SELinux utilities audit2allow, chcat, semanage ..."
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+inherit python3targetconfig
+
+SRC_URI += "file://fix-sepolicy-install-path.patch \
+ "
+
+S = "${WORKDIR}/git/python"
+
+DEPENDS = "libsepol libselinux gettext-native python3-setuptools-scm-native"
+
+RDEPENDS:${PN} = "\
+ python3-core \
+ python3-codecs \
+ python3-io \
+ python3-ipy \
+ python3-stringold \
+ python3-syslog \
+ python3-unixadmin \
+ libselinux-python \
+ libsemanage-python \
+ setools \
+"
+RDEPENDS:${PN}-audit2allow = "\
+ python3-core \
+ libselinux-python \
+ ${PN}-sepolgen \
+"
+RDEPENDS:${PN}-chcat = "\
+ python3-core \
+ python3-codecs \
+ python3-shell \
+ python3-stringold \
+ python3-unixadmin \
+ libselinux-python \
+ ${PN} \
+"
+RDEPENDS:${PN}-semanage = "\
+ python3-core \
+ python3-ipy \
+ python3-compression \
+ python3-xml \
+ python3-misc \
+ libselinux-python \
+ audit-python \
+ ${PN} \
+"
+RDEPENDS:${PN}-sepolicy = "\
+ binutils \
+ python3-core \
+ python3-codecs \
+ python3-distro \
+ python3-syslog \
+ python3-multiprocessing \
+ ${PN} \
+"
+RDEPENDS:${PN}-sepolgen-ifgen = "\
+ python3-core \
+ libselinux-python \
+"
+
+PACKAGES =+ "\
+ ${PN}-audit2allow \
+ ${PN}-sepolgen-ifgen \
+ ${PN}-chcat \
+ ${PN}-semanage \
+ ${PN}-sepolgen \
+ ${PN}-sepolicy \
+"
+FILES:${PN}-audit2allow = "\
+ ${bindir}/audit2allow \
+ ${bindir}/audit2why \
+"
+FILES:${PN}-chcat = "\
+ ${bindir}/chcat \
+"
+FILES:${PN}-semanage = "\
+ ${sbindir}/semanage \
+ ${datadir}/bash-completion/completions/semanage \
+"
+# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy
+FILES:${PN}-sepolicy = "\
+ ${bindir}/sepolgen \
+ ${bindir}/sepolicy \
+ ${datadir}/bash-completion/completions/sepolicy \
+"
+FILES:${PN}-sepolgen-ifgen = "\
+ ${bindir}/sepolgen-ifgen \
+ ${bindir}/sepolgen-ifgen-attr-helper \
+"
+FILES:${PN}-sepolgen = "\
+ ${PYTHON_SITEPACKAGES_DIR}/sepolgen* \
+ ${localstatedir}/lib/sepolgen/perm_map \
+"
+
+FILES:${PN} += "\
+ ${PYTHON_SITEPACKAGES_DIR}/seobject.py* \
+ ${PYTHON_SITEPACKAGES_DIR}/sepolicy*.dist-info \
+ ${PYTHON_SITEPACKAGES_DIR}/sepolicy/* \
+"
+
+do_install() {
+ oe_runmake DESTDIR="${D}" \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}' \
+ install
+
+ # Remove .pyc files
+ find ${D} -name *.pyc -delete
+
+ # Fix buildpaths issue
+ sed -i -e 's,${WORKDIR},,g' \
+ ${D}${PYTHON_SITEPACKAGES_DIR}/sepolicy-${PV}.dist-info/direct_url.json
+}
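Review bot: `find ${D} -name *.pyc -delete` leaves the glob unquoted, so the shell expands `*.pyc` against the current directory before find sees it: if a matching file exists there the pattern becomes a literal name and nothing is removed, and with several matches find errors out on the extra argument. Quote it: `find ${D} -name '*.pyc' -delete`. The `PYLIBVER` and `PYTHONLIBDIR` variables passed to `oe_runmake` look unused now that fix-sepolicy-install-path.patch (also in this commit) installs via `pip --root $(DESTDIR)` instead of `--install-lib`; if nothing in the Makefile consumes them they can be dropped, but that is inferred from the patch text rather than from the Makefile itself.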
diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index 18cef4b..6258b7c 100644
--- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -1,4 +1,4 @@
-From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From d592d59eb4e7dbf8ce6dc84b3f4c0026fd7cc60c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 20 Feb 2015 21:07:47 -0500
Subject: [PATCH] sandbox: de-bashify
@@ -6,13 +6,14 @@ Subject: [PATCH] sandbox: de-bashify
There's no bashisms apparent in either the sandbox initscript nor the
sandboxX script, so point them at /bin/sh instead.
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- sandbox/sandbox.init | 2 +-
- sandbox/sandboxX.sh | 2 +-
+ sandbox.init | 2 +-
+ sandboxX.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sandbox.init b/sandbox.init
@@ -36,5 +37,5 @@ index eaa500d..8755d75 100644
context=`id -Z | secon -t -l -P`
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
--
-1.9.1
+2.25.1
diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb b/recipes-security/selinux/selinux-sandbox_2.8.bb
deleted file mode 100644
index 1eb6c2d..0000000
--- a/recipes-security/selinux/selinux-sandbox_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894"
-SRC_URI[sha256sum] = "025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3"
diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox_3.6.bb
index 8616dd7..2cb55d6 100644
--- a/recipes-security/selinux/selinux-sandbox.inc
+++ b/recipes-security/selinux/selinux-sandbox_3.6.bb
@@ -3,26 +3,29 @@ DESCRIPTION = "\
Run application within a tightly confined SELinux domain. The default \
sandbox domain only allows applications the ability to read and write \
stdin, stdout and any other file descriptors handed to it."
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
SRC_URI += "file://sandbox-de-bashify.patch \
-"
+ "
+
+S = "${WORKDIR}/git/sandbox"
-DEPENDS += "libcap-ng libselinux"
+DEPENDS = "libselinux libcap-ng gettext-native"
-RDEPENDS_${PN} += "\
- python-math \
- python-shell \
- python-subprocess \
- python-textutils \
- python-unixadmin \
+RDEPENDS:${PN} = "\
+ python3-core \
+ python3-math \
+ python3-shell \
+ python3-unixadmin \
libselinux-python \
selinux-python \
"
-FILES_${PN} += "\
+FILES:${PN} += "\
${datadir}/sandbox/sandboxX.sh \
${datadir}/sandbox/start \
"
diff --git a/recipes-security/selinux/selinux_20180524.inc b/recipes-security/selinux/selinux_20180524.inc
deleted file mode 100644
index b36b333..0000000
--- a/recipes-security/selinux/selinux_20180524.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-SELINUX_RELEASE = "20180524"
-
-SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz"
-
-include selinux_common.inc
diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc
index 383f62d..cecb0b5 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -1,17 +1,21 @@
HOMEPAGE = "https://github.com/SELinuxProject"
+SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=main;protocol=https"
+SRCREV = "97fa708d867ecb26e8d1c766760947f8e3b9e59a"
+
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
+
do_compile() {
- oe_runmake all \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}'
+ oe_runmake all
}
do_install() {
oe_runmake install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- INCLUDEDIR="${includedir}" \
- LIBDIR="${libdir}" \
- SHLIBDIR="${base_libdir}" \
- SYSTEMDDIR="${systemd_unitdir}"
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ INCLUDEDIR="${includedir}" \
+ LIBDIR="${libdir}" \
+ SHLIBDIR="${base_libdir}"
}
+
+CVE_PRODUCT ?= "kernel:selinux"
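Review bot: `CVE_PRODUCT ?= "kernel:selinux"` becomes the default for every userspace recipe that requires this file, yet `kernel:selinux` reads as the identifier for the kernel's SELinux subsystem, so cve-check would match these packages against kernel advisories and could miss advisories filed under the userspace component names (libselinux, libsepol, policycoreutils and so on). Each recipe should set `CVE_PRODUCT` to its own vendor:product pair as listed in NVD (to be verified per component), and the shared default should either be removed or carry a comment stating why it is intentionally broad, e.g. `# fallback only; recipes override with their component's NVD CPE`. Pinning `SRCREV` alongside `branch=main` is fine; `UPSTREAM_CHECK_GITTAGREGEX` only drives version checking and does not affect the pinned commit.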
diff --git a/recipes-security/selinux/semodule-utils_2.8.bb b/recipes-security/selinux/semodule-utils_2.8.bb
deleted file mode 100644
index c56f776..0000000
--- a/recipes-security/selinux/semodule-utils_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
-SRC_URI[sha256sum] = "44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
diff --git a/recipes-security/selinux/semodule-utils.inc b/recipes-security/selinux/semodule-utils_3.6.bb
index 23cbd14..0c1c189 100644
--- a/recipes-security/selinux/semodule-utils.inc
+++ b/recipes-security/selinux/semodule-utils_3.6.bb
@@ -2,23 +2,25 @@ SUMMARY = "Utilities to manipulate SELinux policy module package"
DESCRIPTION = "\
The utilities to create, expand, link and show the dependencies between \
the SELinux policy module packages."
-
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
-DEPENDS += "libsepol"
-RDEPENDS_${PN}-dev = ""
+DEPENDS = "libsepol"
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+S = "${WORKDIR}/git/semodule-utils"
PACKAGES =+ "\
${PN}-semodule-expand \
${PN}-semodule-link \
${PN}-semodule-package \
"
-FILES_${PN}-semodule-expand += "${bindir}/semodule_expand"
-FILES_${PN}-semodule-link += "${bindir}/semodule_link"
-FILES_${PN}-semodule-package += "\
+
+FILES:${PN}-semodule-expand = "${bindir}/semodule_expand"
+FILES:${PN}-semodule-link = "${bindir}/semodule_link"
+FILES:${PN}-semodule-package = "\
${bindir}/semodule_package \
${bindir}/semodule_unpackage \
"
diff --git a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
deleted file mode 100644
index a5af041..0000000
--- a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Upstream-Status: Backport [https://github.com/TresysTechnology/setools/commit/e41adf0]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Tue, 26 Sep 2017 15:15:30 +0200
-Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of
- snprintf output
-
-setools fails to build under GCC7 -Wformat -Werror with the following error:
-
-x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include -I/usr/include/python3.6m -c libqpol/policy_extend.c -o build/temp.linux-amd64-3.6/libqpol/policy_extend.o -Werror -Wextra -Waggregate-return -Wfloat-equal -Wformat -Wformat=2 -Winit-self -Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers -Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code -fno-exceptions
-libqpol/policy_extend.c: In function 'policy_extend':
-libqpol/policy_extend.c:161:27: error: '%04zd' directive output may be truncated writing between 4 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
- snprintf(buff, 9, "@ttr%04zd", i + 1);
- ^~~~~
-libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 4294967295]
- snprintf(buff, 9, "@ttr%04zd", i + 1);
- ^~~~~~~~~~~
-
-Increase the size of the buffer to avoid collisions
-
-Closes: https://github.com/TresysTechnology/setools/issues/174
-Signed-off-by: Laurent Bigonville <bigon@bigon.be>
----
- libqpol/policy_extend.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c
-index 742819b..739e184 100644
---- a/libqpol/policy_extend.c
-+++ b/libqpol/policy_extend.c
-@@ -110,7 +110,7 @@ static int qpol_policy_remove_bogus_aliases(qpol_policy_t * policy)
- * Builds data for the attributes and inserts them into the policydb.
- * This function modifies the policydb. Names created for attributes
- * are of the form @ttr<value> where value is the value of the attribute
-- * as a four digit number (prepended with 0's as needed).
-+ * as a ten digit number (prepended with 0's as needed).
- * @param policy The policy from which to read the attribute map and
- * create the type data for the attributes. This policy will be altered
- * by this function.
-@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
- uint32_t bit = 0, count = 0;
- ebitmap_node_t *node = NULL;
- type_datum_t *tmp_type = NULL, *orig_type;
-- char *tmp_name = NULL, buff[10];
-+ char *tmp_name = NULL, buff[16];
- int error = 0, retv;
-
- INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)");
-@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
-
- db = &policy->p->p;
-
-- memset(&buff, 0, 10 * sizeof(char));
-+ memset(&buff, 0, 16 * sizeof(char));
-
- for (i = 0; i < db->p_types.nprim; i++) {
- /* skip types */
-@@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
- * with this attribute */
- /* Does not exist */
- if (db->p_type_val_to_name[i] == NULL){
-- snprintf(buff, 9, "@ttr%04zd", i + 1);
-+ snprintf(buff, 15, "@ttr%010zd", i + 1);
- tmp_name = strdup(buff);
- if (!tmp_name) {
- error = errno;
-@@ -240,7 +240,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
- * Builds data for empty attributes and inserts them into the policydb.
- * This function modifies the policydb. Names created for the attributes
- * are of the form @ttr<value> where value is the value of the attribute
-- * as a four digit number (prepended with 0's as needed).
-+ * as a ten digit number (prepended with 0's as needed).
- * @param policy The policy to which to add type data for attributes.
- * This policy will be altered by this function.
- * @return Returns 0 on success and < 0 on failure; if the call fails,
-@@ -251,7 +251,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
- static int qpol_policy_fill_attr_holes(qpol_policy_t * policy)
- {
- policydb_t *db = NULL;
-- char *tmp_name = NULL, buff[10];
-+ char *tmp_name = NULL, buff[16];
- int error = 0, retv = 0;
- ebitmap_t tmp_bmap = { NULL, 0 };
- type_datum_t *tmp_type = NULL;
-@@ -265,12 +265,12 @@ static int qpol_policy_fill_attr_holes(qpol_policy_t * policy)
-
- db = &policy->p->p;
-
-- memset(&buff, 0, 10 * sizeof(char));
-+ memset(&buff, 0, 16 * sizeof(char));
-
- for (i = 0; i < db->p_types.nprim; i++) {
- if (db->type_val_to_struct[i])
- continue;
-- snprintf(buff, 9, "@ttr%04zd", i + 1);
-+ snprintf(buff, 15, "@ttr%010zd", i + 1);
- tmp_name = strdup(buff);
- if (!tmp_name) {
- error = errno;
---
-2.20.1
-
diff --git a/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch b/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
deleted file mode 100644
index 9a6b818..0000000
--- a/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From dc86d880ae0d66233679112a2bf0115c39df68f1 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Fri, 17 Feb 2017 08:57:35 +0000
-Subject: [meta-selinux][PATCH] setools4: fix cross-compiling errors for powerpc, mips
-
-Fix build errors:
-| libqpol/policy.c: In function 'qpol_binpol_version':
-| libqpol/policy.c:95:24: error: implicit declaration of function 'bswap_32' [-Werror=implicit-function-declaration]
-| #define le32_to_cpu(x) bswap_32(x)
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- libqpol/policy.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libqpol/policy.c b/libqpol/policy.c
-index ae3acb5..b5b87f9 100644
---- a/libqpol/policy.c
-+++ b/libqpol/policy.c
-@@ -45,6 +45,10 @@
- # include <asm/types.h>
- #endif
-
-+#if defined(_ARCH_PPC) || defined(mips)
-+#include <byteswap.h>
-+#endif
-+
- #include <sepol/debug.h>
- #include <sepol/handle.h>
- #include <sepol/policydb/flask_types.h>
---
-2.11.0
-
diff --git a/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch b/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch
index 5c43c49..cdaa45c 100644
--- a/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch
+++ b/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch
@@ -1,7 +1,7 @@
-From a104374147b398838edc04e937c92e762ea3f5d9 Mon Sep 17 00:00:00 2001
+From 673bac44ce13f475845e0b69dc73bfaa5a0866aa Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Tue, 14 Feb 2017 06:32:35 +0000
-Subject: [meta-selinux][PATCH] setools4: fixes for cross compiling
+Subject: [PATCH] setools4: fixes for cross compiling
* search libsepol from $STAGING_LIBDIR
* fix manual install path as '/usr/share/man/man1'
@@ -9,32 +9,24 @@ Subject: [meta-selinux][PATCH] setools4: fixes for cross compiling
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- setup.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
-index 2ca44c9..300ff70 100644
+index 5584e55..057bbb5 100644
--- a/setup.py
+++ b/setup.py
-@@ -77,7 +77,7 @@ class BuildExtCommand(build_ext):
- build_ext.run(self)
+@@ -79,7 +79,7 @@ class QtHelpCommand(Command):
--base_lib_dirs = ['.', '/usr/lib64', '/usr/lib', '/usr/local/lib']
-+base_lib_dirs = [os.environ["STAGING_LIBDIR"]]
- include_dirs = ['libqpol', 'libqpol/include']
+ # Library linkage
+-lib_dirs = ['.', '/usr/lib64', '/usr/lib', '/usr/local/lib']
++lib_dirs = [os.environ["STAGING_LIBDIR"]]
+ include_dirs = []
- try:
-@@ -182,7 +182,7 @@ setup(name='setools',
- 'build_qhc': QtHelpCommand},
- packages=['setools', 'setools.diff', 'setools.policyrep', 'setoolsgui', 'setoolsgui.apol'],
- scripts=['apol', 'sediff', 'seinfo', 'seinfoflow', 'sesearch', 'sedta'],
-- data_files=[(join(sys.prefix, 'share/man/man1'), glob.glob("man/*.1"))],
-+ data_files=[('/usr/share/man/man1', glob.glob("man/*.1"))],
- package_data={'': ['*.ui', '*.qhc', '*.qch'], 'setools': ['perm_map']},
- ext_modules=ext_py_mods,
- test_suite='tests',
+ with suppress(KeyError):
--
-2.13.0
+2.25.1
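Review bot: The rebased patch body now changes only `lib_dirs` (diffstat `setup.py | 2 +-`), yet the unchanged description in the first hunk still lists `* fix manual install path as '/usr/share/man/man1'`, so the patch header no longer describes what the patch does. Either drop that bullet or add a sentence saying the man-page hunk was no longer needed against the 4.4 branch. The surviving change keeps `lib_dirs = [os.environ["STAGING_LIBDIR"]]`, which raises KeyError outside a bitbake build; that is consistent with the `Upstream-Status: Inappropriate [embedded specific]` tag but is worth one line in the header so the behaviour is not mistaken for a bug.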
diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb
deleted file mode 100644
index c5a2d34..0000000
--- a/recipes-security/setools/setools_4.1.1.bb
+++ /dev/null
@@ -1,37 +0,0 @@
-SUMMARY = "Policy analysis tools for SELinux"
-DESCRIPTION = "\
-SETools is a collection of graphical tools, command-line tools, and \
-libraries designed to facilitate SELinux policy analysis. \
-\n\
-This meta-package depends upon the main packages necessary to run \
-SETools."
-SECTION = "base"
-LICENSE = "GPLv2 & LGPLv2.1"
-
-SRC_URI = "https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz \
- file://setools4-fixes-for-cross-compiling.patch \
- file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
- file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
-"
-
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = "46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
-
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
- file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
- file://${S}/COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
-
-DEPENDS += "bison-native flex-native swig-native python libsepol"
-
-RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools \
- python-logging python-json python-argparse libselinux-python"
-
-RPROVIDES_${PN} += "${PN}-console"
-
-inherit setuptools
-
-do_install_append() {
- # Need PyQt5 support, disable gui tools
- rm -f ${D}${bindir}/apol
- rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setoolsgui
-}
diff --git a/recipes-security/setools/setools_4.4.4.bb b/recipes-security/setools/setools_4.4.4.bb
new file mode 100644
index 0000000..37bb86a
--- /dev/null
+++ b/recipes-security/setools/setools_4.4.4.bb
@@ -0,0 +1,38 @@
+SUMMARY = "Policy analysis tools for SELinux"
+DESCRIPTION = "\
+SETools is a collection of graphical tools, command-line tools, and \
+libraries designed to facilitate SELinux policy analysis."
+SECTION = "base"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"
+
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.4;protocol=https \
+ file://setools4-fixes-for-cross-compiling.patch \
+ "
+SRCREV = "a04b015459512d0460ff6bc50f28d746861f4a0b"
+
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=69a7b68f0a4a570d7c0c43465333ecbc \
+ file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://${S}/COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-cython-native libsepol libselinux"
+
+RDEPENDS:${PN} = "python3-networkx python3-setuptools \
+ python3-logging libselinux-python"
+
+RPROVIDES:${PN} = "${PN}-console"
+
+inherit setuptools3
+
+do_install:prepend() {
+ sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/setools/policyrep.c
+}
+
+do_install:append() {
+ # Need PyQt5 support, disable gui tools
+ rm -f ${D}${bindir}/apol
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setoolsgui
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/__pycache__
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/*/__pycache__
+}
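Review bot: The `sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/setools/policyrep.c` in do_install:prepend rewrites a generated Cython source with no comment saying why, so the next maintainer cannot tell whether it is safe to remove. Presumably it strips the absolute build-host sysroot that Cython embeds in the generated C so no host paths reach the package, but that is inferred, not stated; a one-line why-comment such as `# Cython embeds absolute include paths in the generated C; strip the sysroot prefix so no build-host paths are shipped (TODO: confirm this is what the buildpaths QA check trips on)` would document it. Note also that `sed -i` fails loudly if the file name changes upstream, which is fine but worth knowing when bumping SRCREV.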
diff --git a/recipes-support/attr/attr_selinux.inc b/recipes-support/attr/attr_selinux.inc
index ba0314e..efc18b2 100644
--- a/recipes-support/attr/attr_selinux.inc
+++ b/recipes-support/attr/attr_selinux.inc
@@ -1,5 +1,3 @@
-inherit selinux
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://fix-ptest-failures-when-selinux-enabled.patch"
diff --git a/recipes-support/gnupg/gnupg_selinux.inc b/recipes-support/gnupg/gnupg_selinux.inc
index 12571b4..eee1731 100644
--- a/recipes-support/gnupg/gnupg_selinux.inc
+++ b/recipes-support/gnupg/gnupg_selinux.inc
@@ -1,3 +1,2 @@
inherit enable-selinux
-# gnupg will not build with libselinux, so remove the depend
-PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,,"
+PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,libselinux"
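Review bot: The replaced line deletes the comment that explained why libselinux was deliberately omitted from the selinux PACKAGECONFIG, and the new dependency is added without saying what changed, so the old workaround may be reinstated by someone who remembers the earlier build failure. If gnupg now builds against libselinux, record that on the line, e.g. `# libselinux is needed when the selinux PACKAGECONFIG is enabled (older gnupg failed to build with it)`.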
diff --git a/recipes-support/libpcre/libpcre_%.bbappend b/recipes-support/libpcre/libpcre_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-support/libpcre/libpcre_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-support/libpcre/libpcre_selinux.inc b/recipes-support/libpcre/libpcre_selinux.inc
deleted file mode 100644
index 3810078..0000000
--- a/recipes-support/libpcre/libpcre_selinux.inc
+++ /dev/null
@@ -1,18 +0,0 @@
-do_install_append () {
- # This code creates libpcre for both the dev machine (SDK native)
- # and for cross-compiling (machine arch). For Linux (SDK Linux native
- # + all machine arch), symlinks to the .so files have to be created,
- # but not for the Windows SDK native.
- if [ ${TARGET_OS} != "mingw32" ]; then
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} -a -e ${D}${libdir}/libpcre.so ]; then
- realsofile=`readlink ${D}${libdir}/libpcre.so`
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so.1
- fi
- fi
-}
-
-FILES_${PN} += "${base_libdir}/libpcre.so.*"
diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend b/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
deleted file mode 100644
index 74e22b3..0000000
--- a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}