refpolicy-git: clean up fallout from stable uprev

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

17 files changed, 98 insertions, 107 deletions

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
index 628e8a3..946dcc2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -10,8 +10,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -1,3 +1,4 @@
+@@ -1,5 +1,6 @@
  /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
  
+ /usr/bin/hwclock       --      gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
 +/usr/sbin/hwclock\.util-linux  --      gen_context(system_u:object_r:hwclock_exec_t,s0)
  /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
index fc54217..49f4960 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
@@ -10,7 +10,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -3,20 +3,19 @@
+@@ -3,10 +3,12 @@
  /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
@@ -18,18 +18,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
 +/usr/bin/login\.shadow --      gen_context(system_u:object_r:login_exec_t,s0)
 +/usr/bin/login\.tinylogin      --      gen_context(system_u:object_r:login_exec_t,s0)
- 
- /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
- 
- /usr/lib/utempter/utempter --  gen_context(system_u:object_r:utempter_exec_t,s0)
- 
- /usr/sbin/pam_console_apply    --      gen_context(system_u:object_r:pam_console_exec_t,s0)
- /usr/sbin/pam_timestamp_check   --     gen_context(system_u:object_r:pam_exec_t,s0)
--/usr/sbin/unix_chkpwd          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/usr/sbin/unix_update          --      gen_context(system_u:object_r:updpwd_exec_t,s0)
--/usr/sbin/unix_verify          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/sbin/utempter             --      gen_context(system_u:object_r:utempter_exec_t,s0)
- /usr/sbin/validate             --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /usr/sbin/unix2_chkpwd --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
+ /usr/bin/pam_console_apply     --      gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/pam_timestamp_check   --      gen_context(system_u:object_r:pam_exec_t,s0)
+ /usr/bin/unix_chkpwd           --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/bin/unix_update           --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+ /usr/bin/unix_verify           --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
index a15a776..b441257 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
@@ -10,7 +10,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -2,15 +2,21 @@ ifdef(`distro_debian',`
+@@ -2,20 +2,24 @@ ifdef(`distro_debian',`
  /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
  ')
  
@@ -19,16 +19,32 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +/usr/bin/chfn\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
  /usr/bin/chsh          --      gen_context(system_u:object_r:chfn_exec_t,s0)
 +/usr/bin/chsh\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/crack_[a-z]*  --      gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/bin/cracklib-[a-z]* --    gen_context(system_u:object_r:crack_exec_t,s0)
  /usr/bin/gpasswd       --      gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/groupadd      --      gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/groupdel      --      gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/groupmod      --      gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/grpconv       --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/grpunconv     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
  /usr/bin/passwd                --      gen_context(system_u:object_r:passwd_exec_t,s0)
 +/usr/bin/passwd\.shadow        --      gen_context(system_u:object_r:passwd_exec_t,s0)
 +/usr/bin/passwd\.tinylogin     --      gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/pwconv                --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/pwunconv      --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/useradd       --      gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/bin/userdel       --      gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/bin/usermod       --      gen_context(system_u:object_r:useradd_exec_t,s0)
+@@ -36,10 +40,12 @@ ifdef(`distro_debian',`
+ /usr/sbin/pwunconv     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd      --      gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/userdel      --      gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/usermod      --      gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/vigr         --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/vigr\.shadow --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/vipw         --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/vipw\.shadow --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
  
- /usr/lib/cracklib_dict.* --    gen_context(system_u:object_r:crack_db_t,s0)
+ /usr/share/cracklib(/.*)?      gen_context(system_u:object_r:crack_db_t,s0)
  
- /usr/sbin/crack_[a-z]* --      gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/cracklib-[a-z]* --   gen_context(system_u:object_r:crack_exec_t,s0)
+ /var/cache/cracklib(/.*)?      gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
index cf07b23..d887e96 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -14,8 +14,8 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -4,10 +4,11 @@
- /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -55,10 +55,11 @@
+ /usr/bin/ztest                 --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  
  /usr/sbin/addpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/badblocks            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -26,7 +26,7 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  /usr/sbin/clubufflush          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/delpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/dosfsck              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -17,14 +18,16 @@
+@@ -68,14 +69,16 @@
  /usr/sbin/e4fsck               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/e2label              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/efibootmgr           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -43,7 +43,7 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  /usr/sbin/losetup.*            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/lsraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/make_reiser4         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -33,21 +36,24 @@
+@@ -84,21 +87,24 @@
  /usr/sbin/mke4fs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/mkfs.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/mkraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
index d58de6a..5ed7eae 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
@@ -12,7 +12,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/contrib/ftp.fc
 +++ b/policy/modules/contrib/ftp.fc
-@@ -10,11 +10,11 @@
+@@ -15,11 +15,11 @@
  /usr/kerberos/sbin/ftpd        --      gen_context(system_u:object_r:ftpd_exec_t,s0)
  
  /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
index 72b559f..b3e2846 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
+@@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
  /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
  
  /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
index 922afa9..3cd766d 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -57,6 +57,7 @@ ifdef(`distro_redhat',`
+@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
  /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
  /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
  
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
index 648b21b..f01e5aa 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -19,6 +19,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +/usr/bin/ssh\.openssh          --      gen_context(system_u:object_r:ssh_exec_t,s0)
  /usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
  /usr/bin/ssh-keygen            --      gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ /usr/bin/sshd                  --      gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /usr/lib/openssh/ssh-keysign   --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- /usr/lib/ssh/ssh-keysign       --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
index 0b148b5..88c8c45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
@@ -14,7 +14,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -41,17 +41,20 @@ ifdef(`distro_redhat',`
+@@ -54,17 +54,20 @@ ifdef(`distro_redhat',`
  /usr/sbin/dhcdbd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /usr/sbin/dhcp6c               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /usr/sbin/dhcpcd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
index 2271a05..f53b551 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
@@ -13,19 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -8,10 +8,11 @@
- 
- /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
- /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /usr/bin/udevadm       --      gen_context(system_u:object_r:udev_exec_t,s0)
- ')
- 
-@@ -30,10 +31,11 @@ ifdef(`distro_redhat',`
+@@ -32,10 +32,11 @@ ifdef(`distro_redhat',`
  /usr/sbin/start_udev --        gen_context(system_u:object_r:udev_exec_t,s0)
  ')
  
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
index dfa67a6..77f7fad 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -28,11 +28,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
  
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-@@ -15,14 +17,16 @@
+ /usr/bin/audispd       --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/bin/audisp-remote --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/bin/auditctl      --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/bin/auditd                --      gen_context(system_u:object_r:auditd_exec_t,s0)
+@@ -27,14 +29,16 @@
  /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
  /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
  /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
index 81fe141..3f6a5c8 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
@@ -13,34 +13,36 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  policy/modules/system/init.fc         |    1 +
  3 files changed, 3 insertions(+)
 
-Index: refpolicy/policy/modules/contrib/shutdown.fc
-===================================================================
---- refpolicy.orig/policy/modules/contrib/shutdown.fc
-+++ refpolicy/policy/modules/contrib/shutdown.fc
-@@ -3,5 +3,6 @@
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -3,7 +3,8 @@
+ /usr/bin/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
  /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
  
  /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
 +/usr/sbin/shutdown\.sysvinit   --      gen_context(system_u:object_r:shutdown_exec_t,s0)
  
  /run/shutdown\.pid     --      gen_context(system_u:object_r:shutdown_var_run_t,s0)
-Index: refpolicy/policy/modules/kernel/corecommands.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/corecommands.fc
-+++ refpolicy/policy/modules/kernel/corecommands.fc
-@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -144,10 +144,11 @@ ifdef(`distro_gentoo',`
+ /usr/bin/insmod_ksymoops_clean --      gen_context(system_u:object_r:bin_t,s0)
  /usr/bin/ksh.*                 --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mkfs\.cramfs          --      gen_context(system_u:object_r:bin_t,s0)
  /usr/bin/mksh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/mountpoint            --      gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/mountpoint\.sysvinit  --      gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin               --      gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/sash                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/scponly               --      gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/tcsh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
-Index: refpolicy/policy/modules/system/init.fc
-===================================================================
---- refpolicy.orig/policy/modules/system/init.fc
-+++ refpolicy/policy/modules/system/init.fc
-@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', `
+ /usr/bin/scponlyc              --      gen_context(system_u:object_r:shell_exec_t,s0)
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,10 +40,11 @@ ifdef(`distro_gentoo', `
+ 
+ /usr/libexec/dcc/start-.* --   gen_context(system_u:object_r:initrc_exec_t,s0)
  /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:initrc_exec_t,s0)
  
  /usr/sbin/init(ng)?    --      gen_context(system_u:object_r:init_exec_t,s0)
@@ -48,3 +50,5 @@ Index: refpolicy/policy/modules/system/init.fc
  /usr/sbin/open_init_pty        --      gen_context(system_u:object_r:initrc_exec_t,s0)
  /usr/sbin/upstart      --      gen_context(system_u:object_r:init_exec_t,s0)
  
+ ifdef(`distro_gentoo', `
+ /usr/sbin/rc           --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index 19342f5..75a5fa2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -18,7 +18,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
+@@ -51,10 +51,11 @@ ifdef(`distro_suse', `
  
  /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
  /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index 3a8a95e..b33e84b 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
+@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
  
         optional_policy(`
-                modutils_domtrans_insmod(init_t)
+                modutils_domtrans(init_t)
         ')
  ',`
 -       tunable_policy(`init_upstart',`
@@ -30,32 +30,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
--               sysadm_shell_domtrans(init_t)
+-               ifndef(`distro_debian',`
+-                       sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       sysadm_shell_domtrans(init_t)
-+               ')
++                       ifndef(`distro_debian',`
++                               sysadm_shell_domtrans(init_t)
++                       ')
+                ')
         ')
  ')
  
  ifdef(`distro_debian',`
-        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
-@@ -1109,6 +1111,6 @@ optional_policy(`
- ')
- 
- # systemd related allow rules
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
--allow init_t self:capability2 block_suspend;
-\ No newline at end of file
-+allow init_t self:capability2 block_suspend;
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
+@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
  userdom_use_unpriv_users_fds(sulogin_t)
  
  userdom_search_user_home_dirs(sulogin_t)
@@ -66,7 +59,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +       sysadm_shell_domtrans(sulogin_t)
 +')
  
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
- 
+ # by default, sulogin does not use pam...
+ # sulogin_pam might need to be defined otherwise
+ ifdef(`sulogin_pam', `
+        selinux_get_fs_mount(sulogin_t)
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
index 1dc9911..17a8199 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
@@ -25,7 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
+@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
  ##     </summary>
  ## </param>
  #
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index f28ab74..29d3e2d 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -30,21 +30,21 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 +
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -41,10 +41,11 @@ init_reload(sysadm_t)
- init_reboot_system(sysadm_t)
- init_shutdown_system(sysadm_t)
- init_start_generic_units(sysadm_t)
- init_stop_generic_units(sysadm_t)
- init_reload_generic_units(sysadm_t)
+@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+ 
+ init_exec(sysadm_t)
+ init_admin(sysadm_t)
 +init_script_role_transition(sysadm_r)
  
+ selinux_read_policy(sysadm_t)
+ 
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
- 
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
+@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
  ##     </summary>
  ## </param>
  #
@@ -80,7 +80,7 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  
  ########################################
  ## <summary>
-@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
+@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
  ##     </summary>
  ## </param>
  #
@@ -108,11 +108,11 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  
  ########################################
  ## <summary>
-@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
-                class service reload;
-        ')
- 
-        allow $1 systemdunit:service reload;
+@@ -2972,5 +2974,34 @@ interface(`init_admin',`
+        init_stop_all_units($1)
+        init_stop_generic_units($1)
+        init_stop_system($1)
+        init_telinit($1)
  ')
 +
 +########################################
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index b320e4d..21e3a4c 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -20,13 +20,11 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
             file://poky-fc-dmesg.patch \
             file://poky-fc-fstools.patch \
             file://poky-fc-mta.patch \
-            file://poky-fc-nscd.patch \
             file://poky-fc-screen.patch \
             file://poky-fc-ssh.patch \
             file://poky-fc-sysnetwork.patch \
             file://poky-fc-udevd.patch \
             file://poky-fc-rpm.patch \
-            file://poky-fc-ftpwho-dir.patch \
             file://poky-fc-fix-real-path_su.patch \
             file://refpolicy-update-for_systemd.patch \
            "