From 72e009ce78f2beb5915df0c568d20ed9913f76b3 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Tue, 11 Sep 2012 14:15:57 +0800 Subject: refpolicy: add poky specific rules for packages. 
Signed-off-by: Xin Ouyang --- ...poky-policy-add-rules-for-bsdpty_device_t.patch | 118 ++++++++++++ .../poky-policy-add-rules-for-tmp-symlink.patch | 96 ++++++++++ ...poky-policy-add-rules-for-var-log-symlink.patch | 88 +++++++++ ...ky-policy-add-syslogd_t-to-trusted-object.patch | 28 +++ ...policy-allow-dbusd-to-exec-shell-commands.patch | 25 +++ ...ky-policy-allow-dbusd-to-setrlimit-itself.patch | 29 +++ ...-policy-allow-nfsd-to-exec-shell-commands.patch | 67 +++++++ ...-policy-allow-setfiles_t-to-read-symlinks.patch | 26 +++ .../poky-policy-don-t-audit-tty_device_t.patch | 32 ++++ .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 213 +++++++++++++++++++++ .../refpolicy/refpolicy_2.20120725.inc | 13 ++ 11 files changed, 735 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch new file mode 100644 index 0000000..b5d0fa8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch 
@@ -0,0 +1,118 @@ +Subject: [PATCH] add rules for bsdpty_device_t to complete pty devices. + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/terminal.if | 16 ++++++++++++++++ + 1 files changed, 16 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 01dd2f1..f9d46cc 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -512,9 +512,11 @@ interface(`term_dontaudit_manage_pty_dirs',` + interface(`term_dontaudit_getattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file getattr; ++ dontaudit $1 bsdpty_device_t:chr_file getattr; + ') + ######################################## + ## +@@ -530,11 +532,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` + interface(`term_ioctl_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir search; + allow $1 devpts_t:chr_file ioctl; ++ allow $1 bsdpty_device_t:chr_file ioctl; + ') + + ######################################## +@@ -552,9 +556,11 @@ interface(`term_ioctl_generic_ptys',` + interface(`term_setattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + allow $1 devpts_t:chr_file setattr; ++ allow $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -572,9 +578,11 @@ interface(`term_setattr_generic_ptys',` + interface(`term_dontaudit_setattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file setattr; ++ dontaudit $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -592,11 +600,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` + interface(`term_use_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 
devpts_t:dir list_dir_perms; + allow $1 devpts_t:chr_file { rw_term_perms lock append }; ++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; + ') + + ######################################## +@@ -614,9 +624,11 @@ interface(`term_use_generic_ptys',` + interface(`term_dontaudit_use_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ++ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; + ') + + ####################################### +@@ -632,10 +644,12 @@ interface(`term_dontaudit_use_generic_ptys',` + interface(`term_setattr_controlling_term',` + gen_require(` + type devtty_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file setattr; ++ allow $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -652,10 +666,12 @@ interface(`term_setattr_controlling_term',` + interface(`term_use_controlling_term',` + gen_require(` + type devtty_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file { rw_term_perms lock append }; ++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; + ') + + ####################################### +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch new file mode 100644 index 0000000..45de2df --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch 
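Review bot: The `allow $1 bsdpty_device_t:chr_file ...` lines added to `term_setattr_controlling_term` and `term_use_controlling_term` (the last two inner hunks) grant setattr and rw_term_perms on every BSD pty, not only the caller's controlling terminal, so every domain that calls those interfaces gains access to all bsdpty_device_t nodes. That goes beyond what the interface names and their existing devtty_t rules promise; keeping the bsdpty rules in the `term_*_generic_ptys` interfaces and leaving the controlling-term interfaces untouched would still "complete pty devices" as the subject says without widening them. The inner description does not record which denial motivated the controlling-term change although the patch is marked Upstream-Status: Pending; one sentence with the observed AVC would help the upstream submission. The documentation headers above the changed interfaces are also not updated to mention bsdpty_device_t.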
@@ -0,0 +1,96 @@ +Subject: [PATCH] add rules for the symlink of /tmp + +/tmp is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /tmp/ directory. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/files.fc | 1 + + policy/modules/kernel/files.if | 8 ++++++++ + 2 files changed, 9 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index 8796ca3..a0db748 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -185,6 +185,7 @@ ifdef(`distro_debian',` + # /tmp + # + /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /tmp/.* <> + /tmp/\.journal <> + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index e1e814d..a7384b0 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',` + ') + + allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',` + ') + + allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',` + ') + + allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',` + ') + + read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',` + ') + + manage_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + 
') + + ######################################## +@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',` + ') + + manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',` + ') + + rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',` + ') + + filetrans_pattern($1, tmp_t, $2, $3, $4) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch new file mode 100644 index 0000000..5bf4986 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch 
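Review bot: Labelling the /tmp symlink tmp_t in files.fc and adding `allow $1 tmp_t:lnk_file read_lnk_file_perms;` to eight files.if interfaces lets every caller follow any symlink labelled tmp_t, not only the top-level /tmp link; the var_log_t hunk in poky-policy-add-rules-for-var-log-symlink.patch that follows uses the same pattern and the same remark applies there. Following symlinks in a world-writable directory is the race surface these interfaces normally avoid enlarging, so the grant should at least be annotated with its narrow purpose. Giving the top-level link its own type, with the lnk_file rule scoped to that type, would keep the concession to one object; if that is too invasive for a distro patch, a comment above each added rule such as `# poky: /tmp is a symlink; allow following it` records the intent for whoever rebases these patches.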
@@ -0,0 +1,88 @@ +Subject: [PATCH] add rules for the symlink of /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /var/log/ directory. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 7 +++++++ + 2 files changed, 8 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 3cb65f1..2419cd7 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -41,6 +41,7 @@ ifdef(`distro_suse', ` + /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 321bb13..2be355e 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -626,6 +626,7 @@ interface(`logging_search_logs',` + + files_search_var($1) + allow $1 var_log_t:dir search_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -663,6 +664,7 @@ interface(`logging_list_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir rw_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -843,6 
+846,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + write_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + rw_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch new file mode 100644 index 0000000..9b5db54 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch 
@@ -0,0 +1,28 @@ +Subject: [PATCH] Add the syslogd_t to trusted object + +We add the syslogd_t to trusted object, because other process need +to have the right to connectto/sendto /dev/log. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Roy.Li +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.te | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 0034021..b6b0ddf 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -444,6 +444,7 @@ fs_getattr_all_fs(syslogd_t) + fs_search_auto_mountpoints(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log + + term_write_console(syslogd_t) + # Allow syslog to a terminal +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch new file mode 100644 index 0000000..6207e40 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch 
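Review bot: `mls_trusted_object(syslogd_t)` exempts every object labelled syslogd_t, including syslogd's own process and all of its sockets, from the MLS constraints, which is wider than the /dev/log connectto/sendto need the description gives. Together with `mls_file_write_all_levels(syslogd_t)` on the preceding context line this makes syslogd a path from senders at any level into the log files, so the inner patch description should state that trade-off rather than only the denial it removes. If the goal is only to let arbitrary senders reach the log socket, scoping the exemption to the sending side with refpolicy's mls socket interfaces (e.g. `mls_socket_write_all_levels` on the sender domains) would be narrower; confirm the available interfaces against the mls module of this refpolicy version.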
@@ -0,0 +1,25 @@ +Subject: [PATCH] allow dbusd to exec shell commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/dbus.te | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index 529944b..bb76257 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -111,6 +111,8 @@ corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + corecmd_read_bin_sockets(system_dbusd_t) + ++corecmd_exec_shell(system_dbusd_t) ++ + domain_use_interactive_fds(system_dbusd_t) + domain_read_all_domains_state(system_dbusd_t) + +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch new file mode 100644 index 0000000..6eded62 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch 
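Review bot: `corecmd_exec_shell(system_dbusd_t)` lets the system bus daemon run a shell while remaining in system_dbusd_t, so whatever script triggers it inherits the daemon's permissions (dac_override, setuid and read_all_domains_state among them, per the context lines here and in the setrlimit patch) with no domain transition. Unlike the setrlimit patch in this series, the inner description records neither an AVC denial nor the bus-activated service that needs a shell, so a reviewer cannot tell whether a Poky service should instead get its own domain through refpolicy's existing activation transitions (e.g. `dbus_system_domain`). Recording the denial and the activated service in the patch description, and checking that alternative, would justify the grant before it is committed as Inappropriate [only for Poky].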
@@ -0,0 +1,29 @@ +Subject: [PATCH] allow system_dbusd_t to setrlimit itself. + +avc: denied { setrlimit } for pid=391 comm="dbus-daemon" + scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 + tcontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tclass=proces + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/dbus.te | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index 625cb32..529944b 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -53,7 +53,7 @@ ifdef(`enable_mls',` + # cjp: dac_override should probably go in a distro_debian + allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability sys_tty_config; +-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; ++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; + allow system_dbusd_t self:dbus { send_msg acquire_svc }; + allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..f1fcc4c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch 
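Review bot: The Upstream-Status `Inappropriate [only for Poky]` does not match the change: the quoted denial is dbus-daemon calling setrlimit on itself, which looks generic to the daemon rather than to Poky, so `Pending` with an upstream submission would be the better status and would let this layer drop the patch later. The one-line rule change itself is minimal and backed by the AVC in the description, which is the form the other patches in this series should follow. The context line `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` carries a pre-existing duplicate `connectto` that is worth cleaning up in the same upstream submission.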
@@ -0,0 +1,67 @@ +Subject: [PATCH] allow nfsd to exec shell commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/rpc.te | 7 +++++++ + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te +index 330d01f..fde39d2 100644 +--- a/policy/modules/contrib/rpc.te ++++ b/policy/modules/contrib/rpc.te +@@ -120,6 +120,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; + kernel_read_system_state(nfsd_t) + kernel_read_network_state(nfsd_t) + kernel_dontaudit_getattr_core_if(nfsd_t) ++kernel_setsched(nfsd_t) ++kernel_request_load_module(nfsd_t) ++kernel_mounton_proc(nfsd_t) ++ ++corecmd_exec_shell(nfsd_t) + + corenet_tcp_bind_all_rpc_ports(nfsd_t) + corenet_udp_bind_all_rpc_ports(nfsd_t) +@@ -174,6 +179,8 @@ tunable_policy(`nfs_export_all_ro',` + files_read_non_auth_files(nfsd_t) + ') + ++mount_exec(nfsd_t) ++ + ######################################## + # + # GSSD local policy +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 4bf45cb..25e7b1b 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',` + + ######################################## + ## ++## Mounton a proc filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:dir mounton; ++') ++ ++######################################## ++## + ## Get the attributes of the proc filesystem. + ## + ## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch new file mode 100644 index 0000000..15dc506 --- /dev/null 
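Review bot: `mount_exec(nfsd_t)` runs mount inside nfsd_t with no domain transition, which is why the patch also has to add `kernel_mounton_proc(nfsd_t)` and a brand-new `kernel_mounton_proc` interface in kernel.if; `mount_domtrans(nfsd_t)` would run mount in mount_t, which should already hold the mounton permissions it needs, and would make the new interface unnecessary. Five distinct grants (setsched, request_load_module, mounton proc, exec_shell, mount_exec) are added under a subject that mentions only shell commands and the description gives no denials, so each should be tied to an observed AVC in the inner patch description. If the new interface is kept, its documentation header should name why mounting on proc_t is required by nfsd rather than only restating the rule.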
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch @@ -0,0 +1,26 @@ +Subject: [PATCH] fix setfiles_t to read symlinks + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/selinuxutil.te | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index ec01d0b..45ed81b 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -553,6 +553,9 @@ files_list_all(setfiles_t) + files_relabel_all_files(setfiles_t) + files_read_usr_symlinks(setfiles_t) + ++# needs to be able to read symlinks to make restorecon on symlink working ++files_read_all_symlinks(setfiles_t) ++ + fs_getattr_xattr_fs(setfiles_t) + fs_list_all(setfiles_t) + fs_search_auto_mountpoints(setfiles_t) +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch new file mode 100644 index 0000000..d7e407b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch 
@@ -0,0 +1,32 @@ +Subject: [PATCH] don't audit tty_device_t in term_dontaudit_use_console. + +We should also not audit terminal to rw tty_device_t and fds in +term_dontaudit_use_console. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/terminal.if | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index f9d46cc..234e0b8 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -299,9 +299,12 @@ interface(`term_use_console',` + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + ++ init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch new file mode 100644 index 0000000..fa0a274 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch 
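Review bot: `init_dontaudit_use_fds($1)` inserted into `term_dontaudit_use_console` makes a kernel-layer interface in terminal.if call into the system-layer init module, a dependency direction refpolicy's module layering avoids; callers that need both should call the init interface themselves, or the Poky patch should add the init call at the call sites. The added `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` also silences read/write denials on every tty for all callers of a console-only interface, which removes signal a policy developer relies on when debugging terminal access; the description should say which domain produced the noise so the dontaudit can be scoped to that domain instead.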
@@ -0,0 +1,213 @@ +Subject: [PATCH] fix for new SELINUXMNT in /sys + +SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should +add rules to access sysfs. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ + 1 files changed, 40 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if +index 81440c5..b57ec34 100644 +--- a/policy/modules/kernel/selinux.if ++++ b/policy/modules/kernel/selinux.if +@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` + type security_t; + ') + ++ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to ++ # access sysfs ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs +@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs +@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem mount; + ') + +@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem remount; + ') + +@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem unmount; + ') + +@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem getattr; + ') + +@@ -183,6 +196,7 @@ 
interface(`selinux_dontaudit_getattr_fs',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:filesystem getattr; + ') + +@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir getattr; + ') + +@@ -220,6 +235,8 @@ interface(`selinux_search_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir search_dir_perms; + ') + +@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + ') + +@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; + ') +@@ -342,6 +361,8 @@ interface(`selinux_load_policy',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + typeattribute $1 can_load_policy; +@@ -371,6 +392,8 @@ interface(`selinux_read_policy',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + allow $1 security_t:security read_policy; +@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + +@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; + allow $1 secure_mode_policyload_t:file read_file_perms; 
+@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` + attribute can_setsecparam; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security setsecparam; +@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir list_dir_perms; + dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:security check_context; +@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_av; +@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_create; +@@ -626,6 +660,8 @@ interface(`selinux_compute_member',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_member; +@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_relabel; +@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_user; +-- +1.7.5.4 + 
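Review bot: The Upstream-Status `Inappropriate [only for Poky]` is at odds with the description: the move of SELINUXMNT to /sys/fs/selinux is a libselinux/kernel change, not a Poky one, so this belongs upstream as Pending, where the per-interface `dev_search_sysfs($1)` additions would be maintained in one place. `dev_getattr_sysfs_dirs($1)` is paired with every search call in the sixteen interfaces that receive the pair without a stated reason; directory search is what traversal into /sys/fs/selinux needs, so unless a getattr denial was observed the getattr half could be dropped, or the inner description should cite the AVC that required it. The comment kept as context in `selinux_get_fs_mount`, `(/selinux) is already a selinuxfs`, is now stale by the patch's own rationale and should be updated in the same patch.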
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc index b588010..3582ddf 100644 --- a/recipes-security/refpolicy/refpolicy_2.20120725.inc +++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc @@ -15,4 +15,17 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-fix-real-path_login.patch \ " +# Specific policy for Poky +SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \ + file://poky-policy-add-rules-for-var-log-symlink.patch \ + file://poky-policy-add-rules-for-tmp-symlink.patch \ + file://poky-policy-add-rules-for-bsdpty_device_t.patch \ + file://poky-policy-don-t-audit-tty_device_t.patch \ + file://poky-policy-allow-dbusd-to-setrlimit-itself.patch \ + file://poky-policy-allow-dbusd-to-exec-shell-commands.patch \ + file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \ + file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \ + file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \ + " + include refpolicy_common.inc -- cgit v1.2.3-54-g00ecf
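Review bot: The order of the new SRC_URI entries is load-bearing but undocumented: the index lines in the patch files show poky-policy-allow-dbusd-to-setrlimit-itself.patch (dbus.te 625cb32..529944b) must precede poky-policy-allow-dbusd-to-exec-shell-commands.patch (529944b..bb76257), and poky-policy-add-rules-for-bsdpty_device_t.patch (terminal.if 01dd2f1..f9d46cc) must precede poky-policy-don-t-audit-tty_device_t.patch (f9d46cc..234e0b8). The list as written satisfies both, but a reorder would break the build, so a comment such as `# Order matters: the dbus.te and terminal.if patches below build on each other` above the new block would protect it. The `# Specific policy for Poky` comment also covers two patches whose own metadata says Upstream-Status: Pending, so it overstates how Poky-specific the set is.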