refpolicy: update git recipes

The targeted, mls and minimum recipes had fallen far behind the upstream refpolicy repository. Refresh all patches and discard ones that are obviously no longer needed. This should not have any functional change on the policies. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Joe MacDonald <joe_macdonald@mentor.com> 2017-05-03 21:05:44 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2017-05-03 21:05:44 -0400
commit: 0cfdbb47aafef9e9af562c9dffebd0aefefe5457 (patch)
tree: 3ab165035cc90e193aeb0de686fb3a80fa4d9285 /recipes-security/refpolicy/refpolicy-git
parent: 849cd74b5ff3c915356ae7411746194728594212 (diff)
download: meta-selinux-0cfdbb47aafef9e9af562c9dffebd0aefefe5457.tar.gz
39 files changed, 318 insertions, 394 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
index 4830566..85c40a4 100644
--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
 root@localhost:~#
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.te |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
index b36c209..628e8a3 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/clock.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
+@@ -1,3 +1,4 @@
- 
 /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
 
- /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock\.util-linux  --      gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
 /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
index 6995bb5..689c75b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
@@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/dmesg.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/admin/dmesg.fc
 +++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
+@@ -1 +1,2 @@
- 
+/usr/bin/dmesg\.util-linux     --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- 
 /usr/bin/dmesg         --              gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
index a96b4a7..3218c88 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind.
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/bind.fc |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
index d97d58e..fc54217 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
@@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/authlogin.fc |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,18 @@
+@@ -3,20 +3,19 @@
- 
- /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
 
- /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
- /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
+/usr/bin/login\.shadow --      gen_context(system_u:object_r:login_exec_t,s0)
-/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/bin/login\.tinylogin      --      gen_context(system_u:object_r:login_exec_t,s0)
-/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+ 
-/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /usr/lib/utempter/utempter --  gen_context(system_u:object_r:utempter_exec_t,s0)
+ 
+ /usr/sbin/pam_console_apply    --      gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/sbin/pam_timestamp_check   --     gen_context(system_u:object_r:pam_exec_t,s0)
+-/usr/sbin/unix_chkpwd          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/usr/sbin/unix_update          --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/usr/sbin/unix_verify          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/utempter             --      gen_context(system_u:object_r:utempter_exec_t,s0)
+ /usr/sbin/validate             --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
- /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/unix2_chkpwd --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
- 
- /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
index c1cd74d..cd79f45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
+@@ -17,10 +17,11 @@ ifdef(`distro_debian',`
 /etc/ethers            --      gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts             --      gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
index d74f524..a15a776 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/usermanage.fc |    6 ++++++
 1 file changed, 6 insertions(+)
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
+@@ -2,15 +2,21 @@ ifdef(`distro_debian',`
 /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
 ')
 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
index 23484de..41c32df 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
@@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/su.fc |    2 ++
 1 file changed, 2 insertions(+)
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -3,5 +3,7 @@
+@@ -1,3 +1,4 @@
- /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
- 
 /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
-+
+/usr/bin/su.shadow             --      gen_context(system_u:object_r:su_exec_t,s0)
-+/bin/su.shadow         --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
index 5d3aa76..cf07b23 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
+@@ -4,10 +4,11 @@
- /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -43,10 +49,11 @@
- /sbin/zstreamdump      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/ztest            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
- /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/addpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/badblocks            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/delpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/dosfsck              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -17,14 +18,16 @@
+ /usr/sbin/e4fsck               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/e2label              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/efibootmgr           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.*            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/lsraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/make_reiser4         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -33,21 +36,24 @@
+ /usr/sbin/mke4fs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune)    --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff/.util-linux          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.*             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb                  --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zhack                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
index b4ba2e2..d58de6a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
@@ -5,6 +5,7 @@ Upstream-Status: Pending
 ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.fc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
index 1a8fbe3..72b559f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/mta.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
+@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
 /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
deleted file mode 100644
index fea90ad..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
- policy/modules/admin/netutils.fc |    1 +
- 1 file changed, 1 insertion(+)
--- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.*            --      gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.*               --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/arping                --      gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.*        --      gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
index 5fe5062..0adf7c2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/nscd.fc |    1 +
 1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
index 8680f19..922afa9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpm.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
+@@ -57,6 +57,7 @@ ifdef(`distro_redhat',`
 /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
 /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
index a7301e9..8ea210e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/screen.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/screen.fc
 +++ b/policy/modules/contrib/screen.fc
-@@ -1,9 +1,10 @@
+@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf   --      gen_context(sys
- HOME_DIR/\.screen(/.*)?        gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.screenrc    --      gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf  --      gen_context(system_u:object_r:screen_home_t,s0)
 
- /usr/bin/screen        --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/screen(/.*)?              gen_context(system_u:object_r:screen_runtime_t,s0)
-+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/tmux(/.*)?                        gen_context(system_u:object_r:screen_runtime_t,s0)
- /usr/bin/tmux  --      gen_context(system_u:object_r:screen_exec_t,s0)
 
- /run/screen(/.*)?      gen_context(system_u:object_r:screen_var_run_t,s0)
+ /usr/bin/screen                --      gen_context(system_u:object_r:screen_exec_t,s0)
- /run/tmux(/.*)?        gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux          --      gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
index 35bbc9e..648b21b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/services/ssh.fc |    1 +
 1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
index f82f359..8aec193 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,16 @@
+@@ -26,5 +26,16 @@
 
 # backward compatibility
 # not for refpolicy intern, but for /var/run using applications,
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
index 7f8f368..0b148b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
@@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
+@@ -41,17 +41,20 @@ ifdef(`distro_redhat',`
- #
+ /usr/sbin/dhcdbd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- # /bin
+ /usr/sbin/dhcp6c               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- #
+ /usr/sbin/dhcpcd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /bin/ifconfig          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ethtool              --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
+/usr/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- #
+ /usr/sbin/ip                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- # /dev
+ /usr/sbin/ipx_configure                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- #
+ /usr/sbin/ipx_interface                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- ifdef(`distro_debian',`
+ /usr/sbin/ipx_internal_net     --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
+ /usr/sbin/iw                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhclient.*       --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/iwconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/mii-tool             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump                 --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/tc                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
- # /usr
+ # /var
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
index 8e2cb1b..2271a05 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/udev.fc |    2 ++
 1 file changed, 2 insertions(+)
@@ -17,22 +18,22 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
- /lib/udev/udev-acl --  gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --  gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
- /bin/udevadm   --      gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevadm       --      gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
+ 
- ifdef(`distro_redhat',`
+@@ -30,10 +31,11 @@ ifdef(`distro_redhat',`
- /sbin/start_udev --    gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/start_udev --        gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
- /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/udev/udev-acl --      gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udevd    --      gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /usr/share/virtualbox/VBoxCreateUSBNode\.sh    --      gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /run/udev(/.*)?        gen_context(system_u:object_r:udev_var_run_t,s0)
 
- /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd                --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
index 80c40d0..e3edce1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
@@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/hostname.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
+@@ -1 +1,3 @@
- 
+/usr/bin/hostname\.net-tools   --      gen_context(system_u:object_r:hostname_exec_t,s0)
- /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
+
-+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
- 
 /usr/bin/hostname      --      gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
index 03284cd..dfa67a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc |    4 ++++
 policy/modules/system/logging.te |    1 +
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,12 +1,14 @@
 /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -27,25 +28,30 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 
- /sbin/audispd          --      gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote    --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl         --      gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd           --      gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd            --      gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd  --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd           --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+@@ -15,14 +17,16 @@
+ /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd       --      gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/klogd\.sysklogd      --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd       --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd\.sysklogd    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- 
+ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
index 0c09825..81fe141 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
@@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/shutdown.fc    |    1 +
 policy/modules/kernel/corecommands.fc |    1 +
 policy/modules/system/init.fc         |    1 +
 3 files changed, 3 insertions(+)
--- a/policy/modules/contrib/shutdown.fc
+Index: refpolicy/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
+===================================================================
-@@ -1,10 +1,11 @@
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc
- /etc/nologin   --      gen_context(system_u:object_r:shutdown_etc_t,s0)
+++ refpolicy/policy/modules/contrib/shutdown.fc
- 
+@@ -3,5 +3,6 @@
- /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
 /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/shutdown\.sysvinit   --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /run/shutdown\.pid     --      gen_context(system_u:object_r:shutdown_var_run_t,s0)
+Index: refpolicy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
+@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/ksh.*                 --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mksh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint            --      gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mountpoint\.sysvinit  --      gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/sash                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/scponly               --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/tcsh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+Index: refpolicy/policy/modules/system/init.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.fc
+++ refpolicy/policy/modules/system/init.fc
+@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', `
+ /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /usr/sbin/init(ng)?    --      gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit       --      gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty        --      gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart      --      gen_context(system_u:object_r:init_exec_t,s0)
 
--- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit      --      gen_context(system_u:object_r:bin_t,s0)
- /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- 
--- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
- 
- #
- # /sbin
- #
- /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
- 
- ifdef(`distro_gentoo', `
- /sbin/rc               --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
index fee4068..ad7b5a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
 Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/terminal.if |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
+@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_getattr_generic_ptys',`
@@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ## <summary>
 ##     ioctl of generic pty devices.
 ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
+@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
 #
 # cjp: added for ppp
 interface(`term_ioctl_generic_ptys',`
@@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
+@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_setattr_generic_ptys',`
@@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
+@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_dontaudit_setattr_generic_ptys',`
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
+@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
 ## </param>
 #
 interface(`term_use_generic_ptys',`
@@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
+@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_use_generic_ptys',`
@@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 #######################################
 ## <summary>
 ##     Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
+@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
 ## </param>
 #
 interface(`term_setattr_controlling_term',`
@@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
+@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
 ## </param>
 #
 interface(`term_use_controlling_term',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
index d3aa705..b12ee9d 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -8,22 +8,22 @@ syslogd_t.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    2 ++
 1 file changed, 2 insertions(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
+@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
- 
 +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+ 
+ # manage temporary files
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
index 7a30460..d3c1ee5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/files.fc |    1 +
 policy/modules/kernel/files.if |    8 ++++++++
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
-@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
+@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.*  <<none>>
 
 #
 # /tmp
@@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 /tmp/lost\+found/.*            <<none>>
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
+@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',`
        gen_require(`
                type tmp_t;
        ')
@@ -42,7 +43,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Do not audit attempts to search the tmp directory (/tmp).
-@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
+@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
        gen_require(`
                type tmp_t;
        ')
@@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Do not audit listing of the tmp directory (/tmp).
-@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
        gen_require(`
                type tmp_t;
        ')
@@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read files in the tmp directory (/tmp).
-@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
+@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
        gen_require(`
                type tmp_t;
        ')
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Manage temporary directories in /tmp.
-@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
+@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
        gen_require(`
                type tmp_t;
        ')
@@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Manage temporary files and directories in /tmp.
-@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
+@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
        gen_require(`
                type tmp_t;
        ')
@@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read symbolic links in the tmp directory (/tmp).
-@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
+@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
        gen_require(`
                type tmp_t;
        ')
@@ -114,7 +115,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Mount filesystems in the tmp directory (/tmp)
-@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
+@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
        gen_require(`
                type tmp_t;
        ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
index fc6dea0..b828b7a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -11,6 +11,7 @@ contents, so this is still a secure relax.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/domain.te |    3 +++
 1 file changed, 3 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
index d907095..fb912b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/apache.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
+@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ 
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
index 90c8f36..7c7355f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -8,15 +8,16 @@ audisp_remote_t.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -276,10 +276,11 @@ optional_policy(`
+@@ -280,10 +280,11 @@ optional_policy(`
 
- allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
 allow audisp_remote_t var_log_t:dir search_dir_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index a9ae381..19342f5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc |    1 +
 policy/modules/system/logging.if |   14 +++++++++++++-
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
 
 /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
+@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
 ## <rolecap/>
 #
 interface(`logging_read_all_logs',`
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
 # cjp: not sure why this is needed.  This was added
 # because of logrotate.
 interface(`logging_exec_all_logs',`
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
                type var_log_t;
        ')
 
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
+@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
                type var_log_t;
        ')
 
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
+@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
- allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
index c2cba9a..b755b45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Roy.Li <rongqing.li@windriver.com>
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo
+@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index 189dc6e..a9a0a55 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpc.te   |    2 +-
 policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
        allow $1 proc_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
+-##     Get the attributes of the proc filesystem.
 +##     Mounton a proc filesystem.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##     <summary>
+ ##     <summary>
-+##     Domain allowed access.
+ ##     Domain allowed access.
-+##     </summary>
+ ##     </summary>
-+## </param>
+ ## </param>
-+#
+ #
+-interface(`kernel_getattr_proc',`
 +interface(`kernel_mounton_proc',`
-+       gen_require(`
+        gen_require(`
-+               type proc_t;
+                type proc_t;
-+       ')
+        ')
-+
+ 
+-       allow $1 proc_t:filesystem getattr;
 +       allow $1 proc_t:dir mounton;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
- ##     Get the attributes of the proc filesystem.
+-##     Mount on proc directories.
+##     Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
+ ##     </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kernel_mounton_proc',`
+interface(`kernel_getattr_proc',`
+        gen_require(`
+                type proc_t;
+        ')
+ 
+-       allow $1 proc_t:dir mounton;
+       allow $1 proc_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##     Do not audit attempts to set the
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
index 766b3df..08e9398 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -7,13 +7,14 @@ Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.te |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
+@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
@@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
 +files_read_all_symlinks(setfiles_t)
 +
 fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
+ fs_getattr_pstorefs(setfiles_t)
- 
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
index 8ce2f62..a1fda13 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=211
 type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/roles/sysadm.te |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
index 998bfa0..e3ea75e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
@@ -9,13 +9,14 @@ term_dontaudit_use_console.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/terminal.if |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -297,13 +297,16 @@ interface(`term_use_console',`
+@@ -315,13 +315,16 @@ interface(`term_use_console',`
 ## </param>
 #
 interface(`term_dontaudit_use_console',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
index 131a9bb..11a6963 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800
 Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/dmesg.if |    1 +
 policy/modules/admin/dmesg.te |    2 ++
@@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
        can_exec($1, dmesg_exec_t)
 +       dev_read_kmsg($1)
 ')
--- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
- 
- domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
index 016685c..d0b0073 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 policy/modules/kernel/kernel.te     |    2 ++
 4 files changed, 13 insertions(+)
+--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
+@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t)
+ 
+ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
+ ifdef(`distro_debian',`
+        term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',`
        files_read_non_auth_files(nfsd_t)
 ')
 
@@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ########################################
 #
 # GSSD local policy
--- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
- 
- logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
-        term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
@@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
+@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t)
 
 mls_process_read_all_levels(kernel_t)
 mls_process_write_all_levels(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
index 950f525..0cd8bf9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -10,22 +10,22 @@ Upstream-Status: pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
+@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 # needs to be able to read symlinks to make restorecon on symlink working
 files_read_all_symlinks(setfiles_t)
 
-fs_getattr_all_xattr_fs(setfiles_t)
 +fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
- 
+ fs_getattr_pstorefs(setfiles_t)
- mls_file_read_all_levels(setfiles_t)
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
index c9a877b..e0f8c1a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
@@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
 Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.if |    1 +
 policy/modules/system/userdomain.if  |    4 ++++
@@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 #######################################
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
-@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
+@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat
        logging_read_audit_log($1)
        logging_read_generic_logs($1)
        logging_read_audit_config($1)
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
index 86ff0d2..6eba356 100644
--- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -8,21 +8,21 @@ It provide, the systemd support related allow rules
 Upstream-Status: Pending
 Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/init.te |    5 +++++
 1 file changed, 5 insertions(+)
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -1105,5 +1105,10 @@ optional_policy(`
+@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre
- ')
- 
 optional_policy(`
-        zebra_read_config(initrc_t)
+        userdom_dontaudit_search_user_home_dirs(systemprocess)
+        userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+        userdom_dontaudit_write_user_tmp_files(systemprocess)
 ')
 +
 +# systemd related allow rules
 +allow kernel_t init_t:process dyntransition;
 +allow devpts_t device_t:filesystem associate;
 +allow init_t self:capability2 block_suspend;
-\ No newline at end of file
author	Joe MacDonald <joe_macdonald@mentor.com>	2017-05-03 21:05:44 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2017-05-03 21:05:44 -0400
commit	0cfdbb47aafef9e9af562c9dffebd0aefefe5457 (patch)
tree	3ab165035cc90e193aeb0de686fb3a80fa4d9285 /recipes-security/refpolicy/refpolicy-git
parent	849cd74b5ff3c915356ae7411746194728594212 (diff)
download	meta-selinux-0cfdbb47aafef9e9af562c9dffebd0aefefe5457.tar.gz