refpolicy: Update to 20170204 release

This updates all of the common policies.  standard, minimum, mls and
targeted.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

52 files changed, 593 insertions, 404 deletions

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
index 49da4b6..85c40a4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -17,15 +17,16 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
 root@localhost:~#
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/ftp.te |    2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
-index 544c512..12a31dd 100644
 --- a/policy/modules/contrib/ftp.te
 +++ b/policy/modules/contrib/ftp.te
-@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
+@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex
+ role ftpdctl_roles types ftpdctl_t;
+ 
  type ftpdctl_tmp_t;
  files_tmp_file(ftpdctl_tmp_t)
  
@@ -34,6 +35,5 @@ index 544c512..12a31dd 100644
  type sftpd_t;
  domain_type(sftpd_t)
  role system_r types sftpd_t;
--- 
-1.7.10.4
-
+ 
+ type xferlog_t;
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
index 3ff8f55..b2102af 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
@@ -3,20 +3,18 @@ Subject: [PATCH] refpolicy: fix real path for clock
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/clock.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..a74c40c 100644
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,5 @@
+@@ -1,6 +1,7 @@
+ 
  /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
  
  /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
 +/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
  
--- 
-1.7.11.7
-
+ /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
index 24b67c3..3739059 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-corecommands.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
@@ -3,15 +3,16 @@ Subject: [PATCH] refpolicy: fix real path for corecommands
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/corecommands.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f051c4a..ab624f3 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
+@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
+ /sbin                          -d      gen_context(system_u:object_r:bin_t,s0)
+ /sbin/.*                               gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean    --      gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs             --      gen_context(system_u:object_r:bin_t,s0)
  /sbin/nologin                  --      gen_context(system_u:object_r:shell_exec_t,s0)
@@ -19,6 +20,5 @@ index f051c4a..ab624f3 100644
  
  #
  # /opt
--- 
-1.7.11.7
-
+ #
+ /opt/(.*/)?bin(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
index db4c4d4..2a567da 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
@@ -3,18 +3,16 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/dmesg.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..7f3e5b0 100644
 --- a/policy/modules/admin/dmesg.fc
 +++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,3 @@
+@@ -1,4 +1,5 @@
  
  /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
 +/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
--- 
-1.7.11.7
-
+ 
+ /usr/bin/dmesg         --              gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
index 59ba5bc..3218c88 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
@@ -6,15 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for bind.
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/bind.fc |    2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
-index 2b9a3a1..fd45d53 100644
 --- a/policy/modules/contrib/bind.fc
 +++ b/policy/modules/contrib/bind.fc
-@@ -1,8 +1,10 @@
+@@ -1,10 +1,12 @@
  /etc/rc\.d/init\.d/named       --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/bind        --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/unbound     --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -25,6 +24,5 @@ index 2b9a3a1..fd45d53 100644
  /etc/bind/rndc\.key    --      gen_context(system_u:object_r:dnssec_t,s0)
  /etc/dnssec-trigger/dnssec_trigger_server\.key --      gen_context(system_u:object_r:dnssec_t,s0)
  /etc/named\.rfc1912\.zones     --      gen_context(system_u:object_r:named_conf_t,s0)
--- 
-1.7.9.5
-
+ /etc/named\.root\.hints        --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/named\.conf       --      gen_context(system_u:object_r:named_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
index 427181e..dfb7544 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
@@ -3,15 +3,14 @@ Subject: [PATCH] fix real path for login commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/authlogin.fc |    7 ++++---
  1 files changed, 4 insertions(+), 3 deletions(-)
 
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c8dd17f 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,5 +1,7 @@
+@@ -1,19 +1,21 @@
  
  /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
 +/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
@@ -19,19 +18,20 @@ index 28ad538..c8dd17f 100644
  
  /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
  /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
-@@ -9,9 +11,9 @@
+ /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
+ /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
  
  /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
 -/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 -/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
 -/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update  --      gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/sbin/unix_chkpwd              --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/sbin/unix_update              --      gen_context(system_u:object_r:updpwd_exec_t,s0)
++/sbin/unix_verify              --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ifdef(`distro_suse', `
  /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
--- 
-1.7.5.4
-
+ 
+ /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
index 80cca67..b90b744 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
@@ -3,15 +3,16 @@ Subject: [PATCH] fix real path for resolv.conf
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/sysnetwork.fc |    1 +
  1 files changed, 1 insertions(+), 0 deletions(-)
 
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..dec8632 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
+ /etc/ethers            --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/hosts             --      gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
  /etc/denyhosts.*       --      gen_context(system_u:object_r:net_conf_t,s0)
  /etc/resolv\.conf.*    --      gen_context(system_u:object_r:net_conf_t,s0)
@@ -19,6 +20,5 @@ index 346a7cc..dec8632 100644
  /etc/yp\.conf.*                --      gen_context(system_u:object_r:net_conf_t,s0)
  
  /etc/dhcp3(/.*)?               gen_context(system_u:object_r:dhcp_etc_t,s0)
--- 
-1.7.5.4
-
+ /etc/dhcp3?/dhclient.*         gen_context(system_u:object_r:dhcp_etc_t,s0)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
index 29ac2c3..9819c1d 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
@@ -3,15 +3,16 @@ Subject: [PATCH] fix real path for shadow commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/usermanage.fc |    6 ++++++
  1 file changed, 6 insertions(+)
 
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce..841ba9b 100644
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
+@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
+ /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
+ ')
  
  /usr/bin/chage         --      gen_context(system_u:object_r:passwd_exec_t,s0)
  /usr/bin/chfn          --      gen_context(system_u:object_r:chfn_exec_t,s0)
@@ -29,6 +30,5 @@ index f82f0ce..841ba9b 100644
  
  /usr/lib/cracklib_dict.* --    gen_context(system_u:object_r:crack_db_t,s0)
  
--- 
-1.7.9.5
-
+ /usr/sbin/crack_[a-z]* --      gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* --   gen_context(system_u:object_r:crack_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
index b0392ce..b8597f9 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
@@ -6,20 +6,17 @@ Subject: [PATCH] fix real path for su.shadow command
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/su.fc |    2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index a563687..0f43827 100644
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -4,3 +4,5 @@
+@@ -2,5 +2,6 @@
+ /bin/su                        --      gen_context(system_u:object_r:su_exec_t,s0)
  
  /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
  /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
-+
+ /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
 +/bin/su.shadow         --      gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
index 9c45694..66bef0f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
@@ -12,11 +12,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
  policy/modules/system/fstools.fc |    9 +++++++++
  1 file changed, 9 insertions(+)
 
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d10368d..f22761a 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -1,6 +1,8 @@
+@@ -1,19 +1,23 @@
  /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/blkid/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -25,20 +23,24 @@ index d10368d..f22761a 100644
  /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,12 @@
+ /sbin/dumpe2fs         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/fdisk/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/hdparm/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,6 +29,7 @@
+ /sbin/lsraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/make_reiser4     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -22,20 +26,22 @@
+ /sbin/mke4fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -46,25 +48,28 @@ index d10368d..f22761a 100644
  /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -32,8 +38,10 @@
+ /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/swapoff/.util-linux              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -45,6 +53,7 @@
- 
- /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zhack            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zinject          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -83,10 +89,11 @@
+ /usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
--- 
-1.7.9.5
-
+ /usr/sbin/reiserfs(ck|tune)    --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
index a7d434f..d58de6a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
@@ -5,23 +5,23 @@ Upstream-Status: Pending
 ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/ftp.fc |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
-index ddb75c1..26fec47 100644
 --- a/policy/modules/contrib/ftp.fc
 +++ b/policy/modules/contrib/ftp.fc
-@@ -9,7 +9,7 @@
- 
+@@ -10,11 +10,11 @@
  /usr/kerberos/sbin/ftpd        --      gen_context(system_u:object_r:ftpd_exec_t,s0)
  
+ /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+ /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+ 
 -/usr/sbin/ftpwho       --      gen_context(system_u:object_r:ftpd_exec_t,s0)
 +/usr/bin/ftpwho        --      gen_context(system_u:object_r:ftpd_exec_t,s0)
  /usr/sbin/in\.ftpd     --      gen_context(system_u:object_r:ftpd_exec_t,s0)
  /usr/sbin/muddleftpd   --      gen_context(system_u:object_r:ftpd_exec_t,s0)
  /usr/sbin/proftpd      --      gen_context(system_u:object_r:ftpd_exec_t,s0)
--- 
-1.7.10.4
-
+ /usr/sbin/vsftpd       --      gen_context(system_u:object_r:ftpd_exec_t,s0)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
index 89b1547..9e1196a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-iptables.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
@@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for iptables
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/iptables.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..84ac92b 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -13,6 +13,7 @@
+@@ -14,10 +14,11 @@
+ /sbin/ipvsadm                  --      gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore          --      gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-save             --      gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/nft                      --      gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/xtables-multi            --      gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/xtables-multi                --      gen_context(system_u:object_r:iptables_exec_t,s0)
  
- /usr/sbin/ipchains.*           --      gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/iptables             --      gen_context(system_u:object_r:iptables_exec_t,s0)
--- 
-1.7.11.7
-
+ /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*ebtables.*         -- gen_context(system_u:object_r:iptables_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*iptables.*        -- gen_context(system_u:object_r:iptables_unit_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
index bbd83ec..5d2b0cf 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
@@ -6,15 +6,16 @@ Subject: [PATCH] refpolicy: fix real path for mta
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/mta.fc |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
-index f42896c..0d4bcef 100644
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?      gen_context(system_u:object_r:mail_home_rw_t,s0)
+@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
+ /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
  /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail\.postfix    --      gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/sbin/sendmail(\.sendmail)?        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -22,6 +23,5 @@ index f42896c..0d4bcef 100644
  /usr/sbin/ssmtp        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
  
  /var/mail(/.*)?        gen_context(system_u:object_r:mail_spool_t,s0)
--- 
-1.7.9.5
-
+ 
+ /var/qmail/bin/sendmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
index b45d03e..b41e6e4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-netutils.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
@@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for netutils
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/netutils.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..f2ed3dc 100644
 --- a/policy/modules/admin/netutils.fc
 +++ b/policy/modules/admin/netutils.fc
-@@ -3,6 +3,7 @@
+@@ -1,10 +1,11 @@
+ /bin/ping.*            --      gen_context(system_u:object_r:ping_exec_t,s0)
+ /bin/tracepath.*               --      gen_context(system_u:object_r:traceroute_exec_t,s0)
  /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
  
  /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
 +/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
  
+ /usr/bin/arping                --      gen_context(system_u:object_r:netutils_exec_t,s0)
  /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
--- 
-1.7.11.7
-
+ /usr/bin/ping.*        --      gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
index 1db328c..0adf7c2 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
@@ -6,15 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for nscd
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/nscd.fc |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
-index ba64485..61a6f24 100644
 --- a/policy/modules/contrib/nscd.fc
 +++ b/policy/modules/contrib/nscd.fc
-@@ -1,6 +1,7 @@
+@@ -1,8 +1,9 @@
  /etc/rc\.d/init\.d/nscd        --      gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
  
  /usr/sbin/nscd --      gen_context(system_u:object_r:nscd_exec_t,s0)
@@ -22,6 +21,5 @@ index ba64485..61a6f24 100644
  
  /var/cache/nscd(/.*)?  gen_context(system_u:object_r:nscd_var_run_t,s0)
  
--- 
-1.7.9.5
-
+ /var/db/nscd(/.*)?     gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
index 7ba3380..9de7532 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for cpio
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpm.fc |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
-index ebe91fc..539063c 100644
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
+@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
+ /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
+ /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
  
  ifdef(`enable_mls',`
  /usr/sbin/cpio --      gen_context(system_u:object_r:rpm_exec_t,s0)
 +/bin/cpio.cpio --      gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
index 3218194..8ea210e 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
@@ -6,22 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/screen.fc |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
-index e7c2cf7..49ddca2 100644
 --- a/policy/modules/contrib/screen.fc
 +++ b/policy/modules/contrib/screen.fc
-@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc     --      gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf  --      gen_context(system_u:object_r:screen_home_t,s0)
+@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf   --      gen_context(sys
  
- /usr/bin/screen        --      gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux  --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/screen(/.*)?              gen_context(system_u:object_r:screen_runtime_t,s0)
+ /run/tmux(/.*)?                        gen_context(system_u:object_r:screen_runtime_t,s0)
  
- /var/run/screen(/.*)?  gen_context(system_u:object_r:screen_var_run_t,s0)
--- 
-1.7.9.5
-
+ /usr/bin/screen                --      gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux          --      gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
index 9aeb3a2..a01e2eb 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
@@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/services/ssh.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..9717428 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?                    gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host_rsa_key      --      gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)?                  gen_context(syste
+ 
+ /etc/ssh/primes                        --      gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host.*_key                --      gen_context(system_u:object_r:sshd_key_t,s0)
  
  /usr/bin/ssh                   --      gen_context(system_u:object_r:ssh_exec_t,s0)
 +/usr/bin/ssh\.openssh          --      gen_context(system_u:object_r:ssh_exec_t,s0)
  /usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
  /usr/bin/ssh-keygen            --      gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
  
--- 
-1.7.11.7
-
+ /usr/lib/openssh/ssh-keysign   --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+ /usr/lib/ssh/ssh-keysign       --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
index 358e4ef..e3d156e 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
@@ -3,21 +3,18 @@ Subject: [PATCH] refpolicy: fix real path for su
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/su.fc | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..a563687 100644
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -1,5 +1,6 @@
+@@ -1,6 +1,7 @@
  
  /bin/su                        --      gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
  
  /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
  /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
--- 
-1.7.11.7
-
+ /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
index cfec7d9..c5fdc51 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
@@ -13,10 +13,14 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -19,3 +19,13 @@
- /usr/local/lib64 /usr/lib
- /usr/local/lib /usr/lib
- /var/run/lock /var/lock
+@@ -21,5 +21,17 @@
+ 
+ # backward compatibility
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# Yocto compatibility
 +/var/volatile/log /var/log
 +/var/volatile/run /var/run
 +/var/volatile/cache /var/cache
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
index 64f497d..fa369ca 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
@@ -7,15 +7,16 @@ Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/sysnetwork.fc |    4 ++++
  1 file changed, 4 insertions(+)
 
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index fbb935c..a194622 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -4,6 +4,7 @@
+@@ -2,10 +2,11 @@
+ #
+ # /bin
  #
  /bin/ifconfig          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -23,17 +24,19 @@ index fbb935c..a194622 100644
  
  #
  # /dev
-@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
+ #
+ ifdef(`distro_debian',`
+@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
+ /sbin/dhclient.*       --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ethtool  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
+ /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/iw               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -41,6 +44,5 @@ index fbb935c..a194622 100644
  /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
  /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  
--- 
-1.7.9.5
-
+ #
+ # /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
index c6c19be..8e2cb1b 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
@@ -10,26 +10,29 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  policy/modules/system/udev.fc |    2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..491bb23 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -10,6 +10,7 @@
+@@ -8,10 +8,11 @@
+ 
+ /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
  /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
  /lib/udev/udev-acl --  gen_context(system_u:object_r:udev_exec_t,s0)
 +/lib/udev/udevd    --  gen_context(system_u:object_r:udev_exec_t,s0)
  
  ifdef(`distro_debian',`
+ /bin/udevadm   --      gen_context(system_u:object_r:udev_exec_t,s0)
  /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
+ ')
+@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
+ ifdef(`distro_redhat',`
+ /sbin/start_udev --    gen_context(system_u:object_r:udev_exec_t,s0)
  ')
  
  /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
  
- /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- 
--- 
-1.7.9.5
-
+ /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevd                --      gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
index cedb5b5..038cb1f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
@@ -6,18 +6,16 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/hostname.fc |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..4003b6d 100644
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,3 @@
+@@ -1,4 +1,5 @@
  
  /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
 +/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
--- 
-1.7.9.5
-
+ 
+ /usr/bin/hostname      --      gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
index 868ee6b..2038110 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -9,16 +9,16 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.fc |    4 ++++
  policy/modules/system/logging.te |    1 +
  2 files changed, 5 insertions(+)
 
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..c005f33 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -2,19 +2,23 @@
+@@ -1,22 +1,26 @@
+ /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -41,12 +41,14 @@ index b50c5fe..c005f33 100644
 +/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
  
- /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 87e3db2..2914b0b 100644
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -388,10 +388,11 @@ allow syslogd_t self:unix_dgram_socket s
+ allow syslogd_t self:fifo_file rw_fifo_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -54,6 +56,5 @@ index 87e3db2..2914b0b 100644
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--- 
-1.7.9.5
-
+ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
index 3a617d8..d8c1642 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
@@ -6,17 +6,18 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/shutdown.fc    |    1 +
  policy/modules/kernel/corecommands.fc |    1 +
  policy/modules/system/init.fc         |    1 +
  3 files changed, 3 insertions(+)
 
-diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
-index a91f33b..90e51e0 100644
 --- a/policy/modules/contrib/shutdown.fc
 +++ b/policy/modules/contrib/shutdown.fc
-@@ -3,6 +3,7 @@
+@@ -1,10 +1,11 @@
+ /etc/nologin   --      gen_context(system_u:object_r:shutdown_etc_t,s0)
+ 
  /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
  
  /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
@@ -24,11 +25,13 @@ index a91f33b..90e51e0 100644
  
  /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
  
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index bcfdba7..87502a3 100644
+ /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -10,6 +10,7 @@
+@@ -8,10 +8,11 @@
+ /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
@@ -36,11 +39,13 @@ index bcfdba7..87502a3 100644
  /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..020b9fe 100644
+ /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
+ 
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
+ 
+ #
  # /sbin
  #
  /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
@@ -48,6 +53,5 @@ index bc0ffc8..020b9fe 100644
  # because nowadays, /sbin/init is often a symlink to /sbin/upstart
  /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
  
--- 
-1.7.9.5
-
+ ifdef(`distro_gentoo', `
+ /sbin/rc               --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
index 9a3322f..7be7147 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -6,15 +6,16 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/terminal.if |   16 ++++++++++++++++
  1 file changed, 16 insertions(+)
 
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..7519d0e 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
+@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
+ ## </param>
+ #
  interface(`term_dontaudit_getattr_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -26,7 +27,11 @@ index 771bce1..7519d0e 100644
  ')
  ########################################
  ## <summary>
-@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ ##     ioctl of generic pty devices.
+ ## </summary>
+@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
+ #
+ # cjp: added for ppp
  interface(`term_ioctl_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -40,7 +45,11 @@ index 771bce1..7519d0e 100644
  ')
  
  ########################################
-@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
+ ## <summary>
+ ##     Allow setting the attributes of
+@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
+ #
+ # dwalsh: added for rhgb
  interface(`term_setattr_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -52,7 +61,11 @@ index 771bce1..7519d0e 100644
  ')
  
  ########################################
-@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
+ ## <summary>
+ ##     Dontaudit setting the attributes of
+@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
+ #
+ # dwalsh: added for rhgb
  interface(`term_dontaudit_setattr_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -64,7 +77,11 @@ index 771bce1..7519d0e 100644
  ')
  
  ########################################
-@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ ## <summary>
+ ##     Read and write the generic pty
+@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
+ ## </param>
+ #
  interface(`term_use_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -78,7 +95,11 @@ index 771bce1..7519d0e 100644
  ')
  
  ########################################
-@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
+ ## <summary>
+ ##     Dot not audit attempts to read and
+@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
+ ## </param>
+ #
  interface(`term_dontaudit_use_generic_ptys',`
         gen_require(`
                 type devpts_t;
@@ -90,7 +111,11 @@ index 771bce1..7519d0e 100644
  ')
  
  #######################################
-@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ ## <summary>
+ ##     Set the attributes of the tty device
+@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
+ ## </param>
+ #
  interface(`term_setattr_controlling_term',`
         gen_require(`
                 type devtty_t;
@@ -103,7 +128,11 @@ index 771bce1..7519d0e 100644
  ')
  
  ########################################
-@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
+ ## <summary>
+ ##     Read and write the controlling
+@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
+ ## </param>
+ #
  interface(`term_use_controlling_term',`
         gen_require(`
                 type devtty_t;
@@ -116,6 +145,5 @@ index 771bce1..7519d0e 100644
  ')
  
  #######################################
--- 
-1.7.9.5
-
+ ## <summary>
+ ##     Get the attributes of the pty multiplexor (/dev/ptmx).
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
index aa9734a..e90aab5 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -8,15 +8,16 @@ syslogd_t.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ad9ea5..70427d8 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
+ files_search_spool(syslogd_t)
+ 
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
@@ -25,6 +26,5 @@ index 2ad9ea5..70427d8 100644
  # manage temporary files
  manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
--- 
-1.7.11.7
-
+ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
index 210c297..07ebf58 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
@@ -9,16 +9,17 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/files.fc |    1 +
  policy/modules/kernel/files.if |    8 ++++++++
  2 files changed, 9 insertions(+), 0 deletions(-)
 
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..a0db748 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
-@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
+@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
+ 
+ #
  # /tmp
  #
  /tmp                   -d      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -26,11 +27,13 @@ index 8796ca3..a0db748 100644
  /tmp/.*                                <<none>>
  /tmp/\.journal                 <<none>>
  
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..a7384b0 100644
+ /tmp/lost\+found       -d      gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /tmp/lost\+found/.*            <<none>>
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
+@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
+        gen_require(`
+                type tmp_t;
         ')
  
         allow $1 tmp_t:dir search_dir_perms;
@@ -38,7 +41,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
+ ## <summary>
+ ##     Do not audit attempts to search the tmp directory (/tmp).
+@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
+        gen_require(`
+                type tmp_t;
         ')
  
         allow $1 tmp_t:dir list_dir_perms;
@@ -46,7 +53,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
+ ## <summary>
+ ##     Do not audit listing of the tmp directory (/tmp).
+@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
+        gen_require(`
+                type tmp_t;
         ')
  
         allow $1 tmp_t:dir del_entry_dir_perms;
@@ -54,7 +65,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
+ ## <summary>
+ ##     Read files in the tmp directory (/tmp).
+@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
+        gen_require(`
+                type tmp_t;
         ')
  
         read_files_pattern($1, tmp_t, tmp_t)
@@ -62,7 +77,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ ## <summary>
+ ##     Manage temporary directories in /tmp.
+@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
+        gen_require(`
+                type tmp_t;
         ')
  
         manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -70,7 +89,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
+ ## <summary>
+ ##     Manage temporary files and directories in /tmp.
+@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
+        gen_require(`
+                type tmp_t;
         ')
  
         manage_files_pattern($1, tmp_t, tmp_t)
@@ -78,7 +101,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ ## <summary>
+ ##     Read symbolic links in the tmp directory (/tmp).
+@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
+        gen_require(`
+                type tmp_t;
         ')
  
         rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -86,7 +113,11 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
-@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
+ ## <summary>
+ ##     Mount filesystems in the tmp directory (/tmp)
+@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
+        gen_require(`
+                type tmp_t;
         ')
  
         filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -94,6 +125,5 @@ index e1e814d..a7384b0 100644
  ')
  
  ########################################
--- 
-1.7.5.4
-
+ ## <summary>
+ ##     Delete the contents of /tmp.
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
index 18a92dd..b828b7a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -11,15 +11,16 @@ contents, so this is still a secure relax.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/domain.te |    3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9ffe6b0 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
-@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
+@@ -108,10 +108,13 @@ dev_rw_zero(domain)
+ term_use_controlling_term(domain)
+ 
  # list the root directory
  files_list_root(domain)
  
@@ -29,6 +30,5 @@ index cf04cb5..9ffe6b0 100644
  ifdef(`hide_broken_symptoms',`
         # This check is in the general socket
         # listen code, before protocol-specific
--- 
-1.7.9.5
-
+        # listen function is called, so bad calls
+        # to listen on UDP sockets should be silenced
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 8bc40c4..8d22c21 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -10,15 +10,16 @@ logging.if. So still need add a individual rule for apache.te.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/apache.te |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index ec8bd13..06f2e95 100644
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
@@ -26,6 +27,5 @@ index ec8bd13..06f2e95 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
--- 
-1.7.9.5
-
+ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
index cbf0f7d..2e8e1f2 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -8,15 +8,16 @@ audisp_remote_t.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 8426a49..2ad9ea5 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+@@ -278,10 +278,11 @@ optional_policy(`
+ 
+ allow audisp_remote_t self:capability { setuid setpcap };
  allow audisp_remote_t self:process { getcap setcap };
  allow audisp_remote_t self:tcp_socket create_socket_perms;
  allow audisp_remote_t var_log_t:dir search_dir_perms;
@@ -24,6 +25,5 @@ index 8426a49..2ad9ea5 100644
  
  manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
  manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--- 
-1.7.11.7
-
+ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
index b06f3ef..a7161d5 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,17 +9,18 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.fc |    1 +
  policy/modules/system/logging.if |   14 +++++++++++++-
  policy/modules/system/logging.te |    1 +
  3 files changed, 15 insertions(+), 1 deletion(-)
 
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index c005f33..9529e40 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+ 
+ /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
  /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
  
  /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -27,11 +28,13 @@ index c005f33..9529e40 100644
  /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
  /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9a6f599 100644
+ /var/log/secure[^/]*           gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/maillog[^/]*          gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
+ ## </param>
+ ## <rolecap/>
  #
  interface(`logging_read_audit_log',`
         gen_require(`
@@ -46,7 +49,11 @@ index 4e94884..9a6f599 100644
  ')
  
  ########################################
-@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
+ ## <summary>
+ ##     Execute auditctl in the auditctl domain.
+@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir search_dir_perms;
@@ -54,7 +61,11 @@ index 4e94884..9a6f599 100644
  ')
  
  #######################################
-@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
+ ## <summary>
+ ##     Do not audit attempts to search the var log directory.
+@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir list_dir_perms;
@@ -62,7 +73,11 @@ index 4e94884..9a6f599 100644
  ')
  
  #######################################
-@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
+ ## <summary>
+ ##     Read and write the generic log directory (/var/log).
+@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir rw_dir_perms;
@@ -70,7 +85,11 @@ index 4e94884..9a6f599 100644
  ')
  
  #######################################
-@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
+ ## <summary>
+ ##     Search through all log dirs.
+@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
+ ## <rolecap/>
+ #
  interface(`logging_read_all_logs',`
         gen_require(`
                 attribute logfile;
@@ -83,7 +102,11 @@ index 4e94884..9a6f599 100644
         read_files_pattern($1, logfile, logfile)
  ')
  
-@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
+ ########################################
+ ## <summary>
+@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+ # cjp: not sure why this is needed.  This was added
+ # because of logrotate.
  interface(`logging_exec_all_logs',`
         gen_require(`
                 attribute logfile;
@@ -96,7 +119,11 @@ index 4e94884..9a6f599 100644
         can_exec($1, logfile)
  ')
  
-@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir list_dir_perms;
@@ -104,7 +131,11 @@ index 4e94884..9a6f599 100644
         read_files_pattern($1, var_log_t, var_log_t)
  ')
  
-@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir list_dir_perms;
@@ -112,7 +143,11 @@ index 4e94884..9a6f599 100644
         write_files_pattern($1, var_log_t, var_log_t)
  ')
  
-@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
+                type var_log_t;
+        ')
  
         files_search_var($1)
         allow $1 var_log_t:dir list_dir_perms;
@@ -120,7 +155,11 @@ index 4e94884..9a6f599 100644
         rw_files_pattern($1, var_log_t, var_log_t)
  ')
  
-@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
+                type var_log_t;
+        ')
  
         files_search_var($1)
         manage_files_pattern($1, var_log_t, var_log_t)
@@ -128,18 +167,19 @@ index 4e94884..9a6f599 100644
  ')
  
  ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2ab0a49..2795d89 100644
+ ## <summary>
+ ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
+ 
  manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
  manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
  allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
  
  manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
  manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
--- 
-1.7.9.5
-
+ files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
index 92b1592..dc623d3 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -10,15 +10,16 @@ Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Roy.Li <rongqing.li@windriver.com>
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te |    1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 2914b0b..2ab0a49 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
+@@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo
+ 
+ fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
  
  mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
@@ -26,6 +27,5 @@ index 2914b0b..2ab0a49 100644
  
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
--- 
-1.7.9.5
-
+ term_write_unallocated_ttys(syslogd_t)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index e77a730..ca2796f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,16 +6,17 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpc.te   |    2 +-
  policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
  2 files changed, 19 insertions(+), 1 deletions(-)
 
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 9566932..5605205 100644
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
+@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+ 
+ kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
  kernel_setsched(nfsd_t)
  kernel_request_load_module(nfsd_t)
@@ -24,11 +25,13 @@ index 9566932..5605205 100644
  
  corenet_sendrecv_nfs_server_packets(nfsd_t)
  corenet_tcp_bind_nfs_port(nfsd_t)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..8a669c5 100644
+ corenet_udp_bind_nfs_port(nfsd_t)
+ 
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+        allow $1 proc_t:filesystem unmount;
+ ')
  
  ########################################
  ## <summary>
@@ -53,6 +56,5 @@ index 649e458..8a669c5 100644
  ##     Get the attributes of the proc filesystem.
  ## </summary>
  ## <param name="domain">
--- 
-1.7.5.4
-
+ ##     <summary>
+ ##     Domain allowed access.
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
index 9ef61b4..d28bde0 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -7,15 +7,16 @@ Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.te |    3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 9058dd8..f998491 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
+@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
+ files_list_all(setfiles_t)
+ files_relabel_all_files(setfiles_t)
  files_read_usr_symlinks(setfiles_t)
  files_dontaudit_read_all_symlinks(setfiles_t)
  
@@ -25,6 +26,5 @@ index 9058dd8..f998491 100644
  fs_getattr_all_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
  fs_search_auto_mountpoints(setfiles_t)
--- 
-1.7.9.5
-
+ fs_relabelfrom_noxattr_fs(setfiles_t)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
index ec3dbf4..a1fda13 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -9,15 +9,16 @@ type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=211
 type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/roles/sysadm.te |    4 ++++
  1 file changed, 4 insertions(+)
 
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1767217..5502c6a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -413,6 +413,10 @@ optional_policy(`
+@@ -1169,10 +1169,14 @@ optional_policy(`
+        virt_admin(sysadm_t, sysadm_r)
+        virt_stream_connect(sysadm_t)
  ')
  
  optional_policy(`
@@ -28,6 +29,5 @@ index 1767217..5502c6a 100644
         vmware_role(sysadm_r, sysadm_t)
  ')
  
--- 
-1.7.10.4
-
+ optional_policy(`
+        vnstatd_admin(sysadm_t, sysadm_r)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
index 82370d8..346872a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
@@ -9,15 +9,16 @@ term_dontaudit_use_console.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/terminal.if |    3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 7519d0e..45de1ac 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -299,9 +299,12 @@ interface(`term_use_console',`
+@@ -297,13 +297,16 @@ interface(`term_use_console',`
+ ## </param>
+ #
  interface(`term_dontaudit_use_console',`
         gen_require(`
                 type console_device_t;
@@ -30,6 +31,5 @@ index 7519d0e..45de1ac 100644
  ')
  
  ########################################
--- 
-1.7.9.5
-
+ ## <summary>
+ ##     Set the attributes of the console
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
index d6c8dbf..8443e31 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -4,26 +4,27 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800
 Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/dmesg.if |    1 +
  policy/modules/admin/dmesg.te |    2 ++
  2 files changed, 3 insertions(+)
 
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c7..739a4bc 100644
 --- a/policy/modules/admin/dmesg.if
 +++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
+                type dmesg_exec_t;
+        ')
  
         corecmd_search_bin($1)
         can_exec($1, dmesg_exec_t)
 +       dev_read_kmsg($1)
  ')
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..c591aea 100644
 --- a/policy/modules/admin/dmesg.te
 +++ b/policy/modules/admin/dmesg.te
-@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
+@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
+ # for when /usr is not mounted:
+ kernel_dontaudit_search_unlabeled(dmesg_t)
  
  dev_read_sysfs(dmesg_t)
  
@@ -32,6 +33,5 @@ index 72bc6d8..c591aea 100644
  fs_search_auto_mountpoints(dmesg_t)
  
  term_dontaudit_use_console(dmesg_t)
--- 
-1.7.9.5
-
+ 
+ domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
index 7e92b64..58903ce 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -14,11 +14,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
  1 file changed, 32 insertions(+), 2 deletions(-)
 
-Index: refpolicy/policy/modules/kernel/selinux.if
-===================================================================
---- refpolicy.orig/policy/modules/kernel/selinux.if
-+++ refpolicy/policy/modules/kernel/selinux.if
-@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
+ interface(`selinux_get_fs_mount',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -29,7 +29,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         # starting in libselinux 2.0.5, init_selinuxmnt() will
         # attempt to short circuit by checking if SELINUXMNT
         # (/selinux) is already a selinuxfs
-@@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun
+        allow $1 security_t:filesystem getattr;
+ 
+@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
+ interface(`selinux_dontaudit_get_fs_mount',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -37,7 +41,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         # starting in libselinux 2.0.5, init_selinuxmnt() will
         # attempt to short circuit by checking if SELINUXMNT
         # (/selinux) is already a selinuxfs
-@@ -117,6 +122,8 @@ interface(`selinux_mount_fs',`
+        dontaudit $1 security_t:filesystem getattr;
+ 
+@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
+ interface(`selinux_mount_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -46,7 +54,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         allow $1 security_t:filesystem mount;
  ')
  
-@@ -136,6 +143,8 @@ interface(`selinux_remount_fs',`
+ ########################################
+ ## <summary>
+@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
+ interface(`selinux_remount_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -55,7 +67,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         allow $1 security_t:filesystem remount;
  ')
  
-@@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',`
+ ########################################
+ ## <summary>
+@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
+ interface(`selinux_unmount_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -64,7 +80,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         allow $1 security_t:filesystem unmount;
  ')
  
-@@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',`
+ ########################################
+ ## <summary>
+@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
+ interface(`selinux_getattr_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -73,7 +93,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         allow $1 security_t:filesystem getattr;
  
         dev_getattr_sysfs($1)
-@@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs'
+        dev_search_sysfs($1)
+ ')
+@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
+ interface(`selinux_dontaudit_getattr_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -81,7 +105,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dontaudit $1 security_t:filesystem getattr;
  
         dev_dontaudit_getattr_sysfs($1)
-@@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir
+        dev_dontaudit_search_sysfs($1)
+ ')
+@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
+ interface(`selinux_dontaudit_getattr_dir',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -89,7 +117,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dontaudit $1 security_t:dir getattr;
  ')
  
-@@ -234,6 +249,7 @@ interface(`selinux_search_fs',`
+ ########################################
+ ## <summary>
+@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
+ interface(`selinux_search_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -97,7 +129,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir search_dir_perms;
  ')
-@@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs',
+ 
+ ########################################
+@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
+ interface(`selinux_dontaudit_search_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -105,7 +141,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dontaudit $1 security_t:dir search_dir_perms;
  ')
  
-@@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
+ ########################################
+ ## <summary>
+@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
+ interface(`selinux_dontaudit_read_fs',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -113,7 +153,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dontaudit $1 security_t:dir search_dir_perms;
         dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
+ 
+ ########################################
+@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
+ interface(`selinux_get_enforce_mode',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -121,7 +165,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file read_file_perms;
-@@ -361,6 +380,7 @@ interface(`selinux_read_policy',`
+ ')
+ 
+@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
+ interface(`selinux_read_policy',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -129,7 +177,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file read_file_perms;
-@@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans'
+        allow $1 security_t:security read_policy;
+ ')
+@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
+ interface(`selinux_set_generic_booleans',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -137,7 +189,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
  
         allow $1 security_t:dir list_dir_perms;
-@@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',`
+        allow $1 security_t:file rw_file_perms;
+ 
+@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
+                type security_t, secure_mode_policyload_t;
+                attribute boolean_type;
                 bool secure_mode_policyload;
         ')
  
@@ -145,7 +201,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
  
         allow $1 security_t:dir list_dir_perms;
-@@ -522,6 +544,7 @@ interface(`selinux_validate_context',`
+        allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+        allow $1 secure_mode_policyload_t:file read_file_perms;
+@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
+ interface(`selinux_validate_context',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -153,7 +213,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-@@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co
+        allow $1 security_t:security check_context;
+ ')
+@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
+ interface(`selinux_dontaudit_validate_context',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -161,7 +225,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dontaudit $1 security_t:dir list_dir_perms;
         dontaudit $1 security_t:file rw_file_perms;
         dontaudit $1 security_t:security check_context;
-@@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector
+ ')
+ 
+@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
+ interface(`selinux_compute_access_vector',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -169,7 +237,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-@@ -660,6 +685,13 @@ interface(`selinux_compute_user_contexts
+        allow $1 security_t:security compute_av;
+ ')
+@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
+ interface(`selinux_compute_user_contexts',`
+        gen_require(`
                 type security_t;
         ')
  
@@ -183,3 +255,5 @@ Index: refpolicy/policy/modules/kernel/selinux.if
         dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_user;
+ ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
index f04ebec..883daf8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -14,23 +14,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  policy/modules/kernel/kernel.te     |    2 ++
  4 files changed, 13 insertions(+)
 
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
- 
- optional_policy(`
-        mount_exec(nfsd_t)
-+       # Should domtrans to mount_t while mounting nfsd_fs_t.
-+       mount_domtrans(nfsd_t)
-+       # nfsd_t need to chdir to /var/lib/nfs and read files.
-+       files_list_var(nfsd_t)
-+       rpc_read_nfs_state_data(nfsd_t)
- ')
- 
- ########################################
 --- a/policy/modules/contrib/rpcbind.te
 +++ b/policy/modules/contrib/rpcbind.te
-@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
+@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
+ 
+ logging_send_syslog_msg(rpcbind_t)
  
  miscfiles_read_localization(rpcbind_t)
  
@@ -42,20 +30,44 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  ifdef(`distro_debian',`
         term_dontaudit_use_unallocated_ttys(rpcbind_t)
  ')
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
+        files_read_non_auth_files(nfsd_t)
+ ')
+ 
+ optional_policy(`
+        mount_exec(nfsd_t)
++       # Should domtrans to mount_t while mounting nfsd_fs_t.
++       mount_domtrans(nfsd_t)
++       # nfsd_t need to chdir to /var/lib/nfs and read files.
++       files_list_var(nfsd_t)
++       rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
+ #
+ # GSSD local policy
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
+@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
+ allow mvfs_t self:filesystem associate;
+ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
 +files_mountpoint(nfsd_fs_t)
  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
  
- type oprofilefs_t;
+ type nsfs_t;
+ fs_type(nsfs_t)
+ genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
+@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t)
 +mls_socket_write_all_levels(kernel_t)
@@ -63,3 +75,5 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  
  ifdef(`distro_redhat',`
         # Bugzilla 222337
+        fs_rw_tmpfs_chr_files(kernel_t)
+ ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
index 0b8cc5d..1cfd80b 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -10,15 +10,16 @@ Upstream-Status: pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.te |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index f998491..1a4e565 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
+@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+ 
  # needs to be able to read symlinks to make restorecon on symlink working
  files_read_all_symlinks(setfiles_t)
  
@@ -27,6 +28,5 @@ index f998491..1a4e565 100644
  fs_list_all(setfiles_t)
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
--- 
-1.7.9.5
-
+ 
+ mls_file_read_all_levels(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
index be33bf1..fba7759 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
@@ -6,16 +6,17 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.if |    1 +
  policy/modules/system/userdomain.if  |    4 ++++
  2 files changed, 5 insertions(+)
 
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..db03ca1 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+@@ -753,10 +753,11 @@ interface(`seutil_manage_config',`
+        gen_require(`
+                type selinux_config_t;
         ')
  
         files_search_etc($1)
@@ -23,11 +24,13 @@ index 3822072..db03ca1 100644
         manage_files_pattern($1, selinux_config_t, selinux_config_t)
         read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index b4a691d..20c8bf8 100644
+ 
+ #######################################
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
-@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
+@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
+        logging_read_audit_log($1)
+        logging_read_generic_logs($1)
         logging_read_audit_config($1)
  
         seutil_manage_bin_policy($1)
@@ -38,6 +41,5 @@ index b4a691d..20c8bf8 100644
         seutil_run_checkpolicy($1, $2)
         seutil_run_loadpolicy($1, $2)
         seutil_run_semanage($1, $2)
--- 
-1.7.9.5
-
+        seutil_run_setfiles($1, $2)
+ 
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
index 2ae4185..41b9c2b 100644
--- a/recipes-security/refpolicy/refpolicy-2.20151208/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
@@ -6,15 +6,16 @@ Subject: [PATCH] refpolicy: update for systemd related allow rules
 It provide, the systemd support related allow rules
 
 Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/init.te |    5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c8f007d..a9675f6 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -929,3 +929,8 @@ optional_policy(`
+@@ -1105,5 +1105,10 @@ optional_policy(`
+ ')
+ 
  optional_policy(`
         zebra_read_config(initrc_t)
  ')
@@ -24,6 +25,3 @@ index c8f007d..a9675f6 100644
 +allow devpts_t device_t:filesystem associate;
 +allow init_t self:capability2 block_suspend;
 \ No newline at end of file
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb
index 062727b..062727b 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb
index da6626e..da6626e 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb b/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb
index 7388232..7388232 100644
--- a/recipes-security/refpolicy/refpolicy-mls_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb b/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb
index 3674fdd..3674fdd 100644
--- a/recipes-security/refpolicy/refpolicy-standard_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index b33e84b..3a8a95e 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
+@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
  
         optional_policy(`
-                modutils_domtrans(init_t)
+                modutils_domtrans_insmod(init_t)
         ')
  ',`
 -       tunable_policy(`init_upstart',`
@@ -30,25 +30,32 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
--               ifndef(`distro_debian',`
--                       sysadm_shell_domtrans(init_t)
+-               sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       ifndef(`distro_debian',`
-+                               sysadm_shell_domtrans(init_t)
-+                       ')
-                ')
++                       sysadm_shell_domtrans(init_t)
++               ')
         ')
  ')
  
  ifdef(`distro_debian',`
+        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
+@@ -1109,6 +1111,6 @@ optional_policy(`
+ ')
+ 
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
++allow init_t self:capability2 block_suspend;
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
+@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
  userdom_use_unpriv_users_fds(sulogin_t)
  
  userdom_search_user_home_dirs(sulogin_t)
@@ -59,7 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +       sysadm_shell_domtrans(sulogin_t)
 +')
  
- # by default, sulogin does not use pam...
- # sulogin_pam might need to be defined otherwise
- ifdef(`sulogin_pam', `
-        selinux_get_fs_mount(sulogin_t)
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+ 
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
index 17a8199..1dc9911 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
@@ -25,7 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
+@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
  ##     </summary>
  ## </param>
  #
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index 29d3e2d..f28ab74 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -30,21 +30,21 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 +
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
- 
- init_exec(sysadm_t)
- init_admin(sysadm_t)
+@@ -41,10 +41,11 @@ init_reload(sysadm_t)
+ init_reboot_system(sysadm_t)
+ init_shutdown_system(sysadm_t)
+ init_start_generic_units(sysadm_t)
+ init_stop_generic_units(sysadm_t)
+ init_reload_generic_units(sysadm_t)
 +init_script_role_transition(sysadm_r)
  
- selinux_read_policy(sysadm_t)
- 
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
+ 
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
+@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
  ##     </summary>
  ## </param>
  #
@@ -80,7 +80,7 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  
  ########################################
  ## <summary>
-@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
+@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
  ##     </summary>
  ## </param>
  #
@@ -108,11 +108,11 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  
  ########################################
  ## <summary>
-@@ -2972,5 +2974,34 @@ interface(`init_admin',`
-        init_stop_all_units($1)
-        init_stop_generic_units($1)
-        init_stop_system($1)
-        init_telinit($1)
+@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
+                class service reload;
+        ')
+ 
+        allow $1 systemdunit:service reload;
  ')
 +
 +########################################
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
index f795bf7..f795bf7 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20170204.inc
index ce90b13..48e6cd6 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20170204.inc
@@ -1,8 +1,8 @@
 SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "7b1ca12e9ea0254508391559cb8f2c41"
-SRC_URI[sha256sum] = "2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de"
+SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
+SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20151208:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20170204:"
 
 # Fix file contexts for Poky
 SRC_URI += "file://poky-fc-subs_dist.patch \
@@ -14,16 +14,13 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
             file://poky-fc-fix-real-path_shadow.patch \
             file://poky-fc-fix-bind.patch \
             file://poky-fc-clock.patch \
-            file://poky-fc-corecommands.patch \
             file://poky-fc-dmesg.patch \
             file://poky-fc-fstools.patch \
-            file://poky-fc-iptables.patch \
             file://poky-fc-mta.patch \
             file://poky-fc-netutils.patch \
             file://poky-fc-nscd.patch \
             file://poky-fc-screen.patch \
             file://poky-fc-ssh.patch \
-            file://poky-fc-su.patch \
             file://poky-fc-sysnetwork.patch \
             file://poky-fc-udevd.patch \
             file://poky-fc-rpm.patch \