44 files changed, 0 insertions, 2076 deletions

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
deleted file mode 100644
index 85c40a4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
-   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/ftp.te |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex
- role ftpdctl_roles types ftpdctl_t;
- 
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
- 
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
- 
- type xferlog_t;
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
deleted file mode 100644
index b2102af..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
- 
- /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
- 
- /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
- /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
deleted file mode 100644
index 3739059..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
- /sbin                          -d      gen_context(system_u:object_r:bin_t,s0)
- /sbin/.*                               gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean    --      gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs             --      gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin                  --      gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin              --      gen_context(system_u:object_r:shell_exec_t,s0)
- 
- #
- # /opt
- #
- /opt/(.*/)?bin(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
deleted file mode 100644
index 2a567da..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
- 
- /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- 
- /usr/bin/dmesg         --              gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
deleted file mode 100644
index 3218c88..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/bind.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,10 +1,12 @@
- /etc/rc\.d/init\.d/named       --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind        --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound     --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
- 
- /etc/bind(/.*)?        gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.*        --      gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key    --      gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key --      gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones     --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.root\.hints        --      gen_context(system_u:object_r:named_conf_t,s0)
- /etc/named\.conf       --      gen_context(system_u:object_r:named_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index dfb7544..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.fc |    7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,21 @@
- 
- /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
- 
- /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_chkpwd              --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_update              --      gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/sbin/unix_verify              --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
- 
- /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
deleted file mode 100644
index b90b744..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix real path for resolv.conf
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
- /etc/ethers            --      gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts             --      gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.*       --      gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*    --      gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.*        --      gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.*                --      gen_context(system_u:object_r:net_conf_t,s0)
- 
- /etc/dhcp3(/.*)?               gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcp3?/dhclient.*         gen_context(system_u:object_r:dhcp_etc_t,s0)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 9819c1d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/usermanage.fc |    6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
- /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
- ')
- 
- /usr/bin/chage         --      gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn          --      gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh          --      gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd       --      gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd                --      gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow        --      gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin     --      gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- 
- /usr/lib/cracklib_dict.* --    gen_context(system_u:object_r:crack_db_t,s0)
- 
- /usr/sbin/crack_[a-z]* --      gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/cracklib-[a-z]* --   gen_context(system_u:object_r:crack_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
deleted file mode 100644
index b8597f9..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fix real path for su.shadow command
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -2,5 +2,6 @@
- /bin/su                        --      gen_context(system_u:object_r:su_exec_t,s0)
- 
- /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
-+/bin/su.shadow         --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
deleted file mode 100644
index 66bef0f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
- policy/modules/system/fstools.fc |    9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
- /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -83,10 +89,11 @@
- /usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune)    --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index d58de6a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/ftp.fc |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -10,11 +10,11 @@
- /usr/kerberos/sbin/ftpd        --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- 
- /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
- /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
- 
--/usr/sbin/ftpwho       --      gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho        --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd     --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd   --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd      --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/vsftpd       --      gen_context(system_u:object_r:ftpd_exec_t,s0)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
deleted file mode 100644
index 9e1196a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -14,10 +14,11 @@
- /sbin/ipvsadm                  --      gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-restore          --      gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save             --      gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/nft                      --      gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi            --      gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi                --      gen_context(system_u:object_r:iptables_exec_t,s0)
- 
- /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ebtables.*         -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*iptables.*        -- gen_context(system_u:object_r:iptables_unit_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
deleted file mode 100644
index 5d2b0cf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/mta.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
- /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix    --      gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)?        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?        gen_context(system_u:object_r:mail_spool_t,s0)
- 
- /var/qmail/bin/sendmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
deleted file mode 100644
index b41e6e4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.*            --      gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.*               --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/arping                --      gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.*        --      gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
deleted file mode 100644
index 0adf7c2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/nscd.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,8 +1,9 @@
- /etc/rc\.d/init\.d/nscd        --      gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
- 
- /usr/sbin/nscd --      gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd  --      gen_context(system_u:object_r:nscd_exec_t,s0)
- 
- /var/cache/nscd(/.*)?  gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
- /var/db/nscd(/.*)?     gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
deleted file mode 100644
index 9de7532..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpm.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
- /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
- /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
- 
- ifdef(`enable_mls',`
- /usr/sbin/cpio --      gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio --      gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
deleted file mode 100644
index 8ea210e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/screen.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf   --      gen_context(sys
- 
- /run/screen(/.*)?              gen_context(system_u:object_r:screen_runtime_t,s0)
- /run/tmux(/.*)?                        gen_context(system_u:object_r:screen_runtime_t,s0)
- 
- /usr/bin/screen                --      gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux          --      gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
deleted file mode 100644
index a01e2eb..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)?                  gen_context(syste
- 
- /etc/ssh/primes                        --      gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host.*_key                --      gen_context(system_u:object_r:sshd_key_t,s0)
- 
- /usr/bin/ssh                   --      gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh          --      gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen            --      gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- 
- /usr/lib/openssh/ssh-keysign   --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- /usr/lib/ssh/ssh-keysign       --      gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
deleted file mode 100644
index e3d156e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,6 +1,7 @@
- 
- /bin/su                        --      gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
- 
- /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
deleted file mode 100644
index c5fdc51..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes 
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,17 @@
- 
- # backward compatibility
- # not for refpolicy intern, but for /var/run using applications,
- # like systemd tmpfiles or systemd socket configurations
- /var/run /run
-+
-+# Yocto compatibility
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
deleted file mode 100644
index fa369ca..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
- #
- # /bin
- #
- /bin/ifconfig          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /dev
- #
- ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
- /sbin/dhclient.*       --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /usr
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
deleted file mode 100644
index 8e2cb1b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/system/udev.fc |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -8,10 +8,11 @@
- 
- /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
- /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /lib/udev/udev-acl --  gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --  gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /bin/udevadm   --      gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
- ifdef(`distro_redhat',`
- /sbin/start_udev --    gen_context(system_u:object_r:udev_exec_t,s0)
- ')
- 
- /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
- 
- /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd                --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
deleted file mode 100644
index e0fdba1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Mark Hatle <mark.hatle@windriver.com>
-Date: Thu, 14 Sep 2017 15:02:23 -0500
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
----
- policy/modules/system/corecommands.fc |    1 +
- 1 file changed, 1 insertion(+)
-
-Index: refpolicy/policy/modules/kernel/corecommands.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/corecommands.fc
-+++ refpolicy/policy/modules/kernel/corecommands.fc
-@@ -6,6 +6,7 @@
- /bin/d?ash                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/bash\.bash                        --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index 038cb1f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/hostname.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
- 
- /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
- 
- /usr/bin/hostname      --      gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index e9a0464..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc |    3 +++
- policy/modules/system/logging.te |    2 ++
- 2 files changed, 5 insertions(+)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
- /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
- 
- /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd     gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)?               gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd --   gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
- /usr/bin/audispd       --      gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
- /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
- /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
- /usr/sbin/auditd       --      gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd      --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/minilogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd       --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslog-ng    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_lib_t,s0)
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
- 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index d8c1642..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/shutdown.fc    |    1 +
- policy/modules/kernel/corecommands.fc |    1 +
- policy/modules/system/init.fc         |    1 +
- 3 files changed, 3 insertions(+)
-
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
- /etc/nologin   --      gen_context(system_u:object_r:shutdown_etc_t,s0)
- 
- /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit      --      gen_context(system_u:object_r:bin_t,s0)
- /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- 
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
- 
- #
- # /sbin
- #
- /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
- 
- ifdef(`distro_gentoo', `
- /sbin/rc               --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
deleted file mode 100644
index 7be7147..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/terminal.if |   16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
- ## </param>
- #
- interface(`term_dontaudit_getattr_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dontaudit $1 devpts_t:chr_file getattr;
-+       dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ## <summary>
- ##     ioctl of generic pty devices.
- ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
- #
- # cjp: added for ppp
- interface(`term_ioctl_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dev_list_all_dev_nodes($1)
-        allow $1 devpts_t:dir search;
-        allow $1 devpts_t:chr_file ioctl;
-+       allow $1 bsdpty_device_t:chr_file ioctl;
- ')
- 
- ########################################
- ## <summary>
- ##     Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
- #
- # dwalsh: added for rhgb
- interface(`term_setattr_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        allow $1 devpts_t:chr_file setattr;
-+       allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
- ##     Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
- #
- # dwalsh: added for rhgb
- interface(`term_dontaudit_setattr_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dontaudit $1 devpts_t:chr_file setattr;
-+       dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
- ##     Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
- ## </param>
- #
- interface(`term_use_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dev_list_all_dev_nodes($1)
-        allow $1 devpts_t:dir list_dir_perms;
-        allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+       allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- ########################################
- ## <summary>
- ##     Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
- ## </param>
- #
- interface(`term_dontaudit_use_generic_ptys',`
-        gen_require(`
-                type devpts_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+       dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
- 
- #######################################
- ## <summary>
- ##     Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
- ## </param>
- #
- interface(`term_setattr_controlling_term',`
-        gen_require(`
-                type devtty_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dev_list_all_dev_nodes($1)
-        allow $1 devtty_t:chr_file setattr;
-+       allow $1 bsdpty_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
- ##     Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
- ## </param>
- #
- interface(`term_use_controlling_term',`
-        gen_require(`
-                type devtty_t;
-+               type bsdpty_device_t;
-        ')
- 
-        dev_list_all_dev_nodes($1)
-        allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+       allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
- 
- #######################################
- ## <summary>
- ##     Get the attributes of the pty multiplexor (/dev/ptmx).
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index e90aab5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
- files_search_spool(syslogd_t)
- 
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
- 
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
deleted file mode 100644
index 07ebf58..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/files.fc |    1 +
- policy/modules/kernel/files.if |    8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
-
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
- 
- #
- # /tmp
- #
- /tmp                   -d      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp                   -l      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.*                                <<none>>
- /tmp/\.journal                 <<none>>
- 
- /tmp/lost\+found       -d      gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /tmp/lost\+found/.*            <<none>>
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        allow $1 tmp_t:dir search_dir_perms;
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Do not audit attempts to search the tmp directory (/tmp).
-@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        allow $1 tmp_t:dir list_dir_perms;
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Do not audit listing of the tmp directory (/tmp).
-@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        allow $1 tmp_t:dir del_entry_dir_perms;
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Read files in the tmp directory (/tmp).
-@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        read_files_pattern($1, tmp_t, tmp_t)
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Manage temporary directories in /tmp.
-@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        manage_dirs_pattern($1, tmp_t, tmp_t)
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Manage temporary files and directories in /tmp.
-@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        manage_files_pattern($1, tmp_t, tmp_t)
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Read symbolic links in the tmp directory (/tmp).
-@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        rw_sock_files_pattern($1, tmp_t, tmp_t)
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Mount filesystems in the tmp directory (/tmp)
-@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
-        gen_require(`
-                type tmp_t;
-        ')
- 
-        filetrans_pattern($1, tmp_t, $2, $3, $4)
-+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Delete the contents of /tmp.
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
deleted file mode 100644
index b828b7a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/domain.te |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -108,10 +108,13 @@ dev_rw_zero(domain)
- term_use_controlling_term(domain)
- 
- # list the root directory
- files_list_root(domain)
- 
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
-        # This check is in the general socket
-        # listen code, before protocol-specific
-        # listen function is called, so bad calls
-        # to listen on UDP sockets should be silenced
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
deleted file mode 100644
index fb912b5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/apache.te |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
- 
- manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
- 
- allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index 2e8e1f2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -278,10 +278,11 @@ optional_policy(`
- 
- allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index a7161d5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |   14 +++++++++++++-
- policy/modules/system/logging.te |    1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
- 
- /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
- 
- /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log               -l      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]*           gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/maillog[^/]*          gen_context(system_u:object_r:var_log_t,mls_systemhigh)
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
- ## </param>
- ## <rolecap/>
- #
- interface(`logging_read_audit_log',`
-        gen_require(`
--               type auditd_log_t;
-+               type auditd_log_t, var_log_t;
-        ')
- 
-        files_search_var($1)
-        read_files_pattern($1, auditd_log_t, auditd_log_t)
-        allow $1 auditd_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
- ## <rolecap/>
- #
- interface(`logging_read_all_logs',`
-        gen_require(`
-                attribute logfile;
-+               type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 logfile:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        read_files_pattern($1, logfile, logfile)
- ')
- 
- ########################################
- ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
- # cjp: not sure why this is needed.  This was added
- # because of logrotate.
- interface(`logging_exec_all_logs',`
-        gen_require(`
-                attribute logfile;
-+               type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 logfile:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        can_exec($1, logfile)
- ')
- 
- ########################################
- ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        read_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        manage_files_pattern($1, var_log_t, var_log_t)
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     All of the rules required to administrate
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
- 
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
deleted file mode 100644
index dc623d3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/6] Add the syslogd_t to trusted object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo
- 
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
- 
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
- 
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index ca2796f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te   |    2 +-
- policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
- 
- kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
- 
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
- corenet_udp_bind_nfs_port(nfsd_t)
- 
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
-        allow $1 proc_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
-+##     Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+       gen_require(`
-+               type proc_t;
-+       ')
-+
-+       allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ##     Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
- ##     <summary>
- ##     Domain allowed access.
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index d28bde0..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
- files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
- 
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
deleted file mode 100644
index a1fda13..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/roles/sysadm.te |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -1169,10 +1169,14 @@ optional_policy(`
-        virt_admin(sysadm_t, sysadm_r)
-        virt_stream_connect(sysadm_t)
- ')
- 
- optional_policy(`
-+       rpcbind_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
-        vmware_role(sysadm_r, sysadm_t)
- ')
- 
- optional_policy(`
-        vnstatd_admin(sysadm_t, sysadm_r)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
deleted file mode 100644
index 346872a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/terminal.if |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -297,13 +297,16 @@ interface(`term_use_console',`
- ## </param>
- #
- interface(`term_dontaudit_use_console',`
-        gen_require(`
-                type console_device_t;
-+               type tty_device_t;
-        ')
- 
-+       init_dontaudit_use_fds($1)
-        dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+       dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Set the attributes of the console
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index 8443e31..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if |    1 +
- policy/modules/admin/dmesg.te |    2 ++
- 2 files changed, 3 insertions(+)
-
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
-                type dmesg_exec_t;
-        ')
- 
-        corecmd_search_bin($1)
-        can_exec($1, dmesg_exec_t)
-+       dev_read_kmsg($1)
- ')
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
- 
- domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 58903ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
- interface(`selinux_get_fs_mount',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+       # access sysfs
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        # starting in libselinux 2.0.5, init_selinuxmnt() will
-        # attempt to short circuit by checking if SELINUXMNT
-        # (/selinux) is already a selinuxfs
-        allow $1 security_t:filesystem getattr;
- 
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
- interface(`selinux_dontaudit_get_fs_mount',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        # starting in libselinux 2.0.5, init_selinuxmnt() will
-        # attempt to short circuit by checking if SELINUXMNT
-        # (/selinux) is already a selinuxfs
-        dontaudit $1 security_t:filesystem getattr;
- 
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
- interface(`selinux_mount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
- interface(`selinux_remount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem remount;
- ')
- 
- ########################################
- ## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
- interface(`selinux_unmount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
- interface(`selinux_getattr_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem getattr;
- 
-        dev_getattr_sysfs($1)
-        dev_search_sysfs($1)
- ')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
- interface(`selinux_dontaudit_getattr_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:filesystem getattr;
- 
-        dev_dontaudit_getattr_sysfs($1)
-        dev_dontaudit_search_sysfs($1)
- ')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
- interface(`selinux_dontaudit_getattr_dir',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir getattr;
- ')
- 
- ########################################
- ## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
- interface(`selinux_search_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir search_dir_perms;
- ')
- 
- ########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
- interface(`selinux_dontaudit_search_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
- interface(`selinux_dontaudit_read_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir search_dir_perms;
-        dontaudit $1 security_t:file read_file_perms;
- ')
- 
- ########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
- interface(`selinux_get_enforce_mode',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file read_file_perms;
- ')
- 
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
- interface(`selinux_read_policy',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file read_file_perms;
-        allow $1 security_t:security read_policy;
- ')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
- 
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
- 
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
-                type security_t, secure_mode_policyload_t;
-                attribute boolean_type;
-                bool secure_mode_policyload;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
- 
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-        allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
- interface(`selinux_validate_context',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security check_context;
- ')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
- interface(`selinux_dontaudit_validate_context',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir list_dir_perms;
-        dontaudit $1 security_t:file rw_file_perms;
-        dontaudit $1 security_t:security check_context;
- ')
- 
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
- interface(`selinux_compute_access_vector',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_av;
- ')
-@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
- interface(`selinux_compute_user_contexts',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_user;
- ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
deleted file mode 100644
index 883daf8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te       |    5 +++++
- policy/modules/contrib/rpcbind.te   |    5 +++++
- policy/modules/kernel/filesystem.te |    1 +
- policy/modules/kernel/kernel.te     |    2 ++
- 4 files changed, 13 insertions(+)
-
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
- 
- logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
-        term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
-        files_read_non_auth_files(nfsd_t)
- ')
- 
- optional_policy(`
-        mount_exec(nfsd_t)
-+       # Should domtrans to mount_t while mounting nfsd_fs_t.
-+       mount_domtrans(nfsd_t)
-+       # nfsd_t need to chdir to /var/lib/nfs and read files.
-+       files_list_var(nfsd_t)
-+       rpc_read_nfs_state_data(nfsd_t)
- ')
- 
- ########################################
- #
- # GSSD local policy
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
- allow mvfs_t self:filesystem associate;
- genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
- 
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
- 
- type nsfs_t;
- fs_type(nsfs_t)
- genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
- 
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
- 
- ifdef(`distro_redhat',`
-        # Bugzilla 222337
-        fs_rw_tmpfs_chr_files(kernel_t)
- ')
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 1cfd80b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
- 
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
- 
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
- 
- mls_file_read_all_levels(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
deleted file mode 100644
index fba7759..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.if |    1 +
- policy/modules/system/userdomain.if  |    4 ++++
- 2 files changed, 5 insertions(+)
-
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -753,10 +753,11 @@ interface(`seutil_manage_config',`
-        gen_require(`
-                type selinux_config_t;
-        ')
- 
-        files_search_etc($1)
-+       manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
-        manage_files_pattern($1, selinux_config_t, selinux_config_t)
-        read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
- 
- #######################################
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
-        logging_read_audit_log($1)
-        logging_read_generic_logs($1)
-        logging_read_audit_config($1)
- 
-        seutil_manage_bin_policy($1)
-+       seutil_manage_default_contexts($1)
-+       seutil_manage_file_contexts($1)
-+       seutil_manage_module_store($1)
-+       seutil_manage_config($1)
-        seutil_run_checkpolicy($1, $2)
-        seutil_run_loadpolicy($1, $2)
-        seutil_run_semanage($1, $2)
-        seutil_run_setfiles($1, $2)
- 
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
deleted file mode 100644
index 41b9c2b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH] refpolicy: update for systemd related allow rules
-
-It provide, the systemd support related allow rules
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te |    5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1105,5 +1105,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-        zebra_read_config(initrc_t)
- ')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
-\ No newline at end of file