refpolicy*: add new version 2.20130424

These patches are removed because new version merged: - poky-fc-update-alternatives_tinylogin.patch - poky-fc-fix-prefix-path_rpc.patch - poky-fc-fix-portmap.patch - poky-fc-cgroup.patch - poky-fc-networkmanager.patch - poky-policy-allow-dbusd-to-setrlimit-itself.patch - poky-policy-allow-dbusd-to-exec-shell-commands.patch - poky-policy-allow-nfsd-to-bind-nfs-port.patch Add two new patches: + poky-policy-fix-setfiles-statvfs-get-file-count.patch + poky-policy-fix-dmesg-to-use-dev-kmsg.patch Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-09-23 21:18:03 +0800
committer: Joe MacDonald <joe@deserted.net> 2013-10-02 13:24:45 -0400
commit: 292e6f4ac670d2f5ae5dbb53d6c7c265f006975d (patch)
tree: 9b53470a4acb08220734bd993d8256110848c699
parent: c7fc09794c20db9e3b32d326abb627985d2b5b65 (diff)
download: meta-selinux-292e6f4ac670d2f5ae5dbb53d6c7c265f006975d.tar.gz
39 files changed, 1753 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
new file mode 100644
index 0000000..3ff8f55
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
@@ -0,0 +1,22 @@
+Subject: [PATCH] refpolicy: fix real path for clock
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..a74c40c 100644
+--- a/policy/modules/system/clock.fc
+++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,5 @@
+ /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
+ 
+ /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
+/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
new file mode 100644
index 0000000..24b67c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for corecommands
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index f051c4a..ab624f3 100644
+--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
+@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
+ /sbin/insmod_ksymoops_clean    --      gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs             --      gen_context(system_u:object_r:bin_t,s0)
+ /sbin/nologin                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/nologin              --      gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ #
+ # /opt
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
new file mode 100644
index 0000000..db4c4d4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] refpolicy: fix real path for dmesg
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/dmesg.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..7f3e5b0 100644
+--- a/policy/modules/admin/dmesg.fc
+++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
+/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
new file mode 100644
index 0000000..59ba5bc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
@@ -0,0 +1,30 @@
+From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:09:11 +0800
+Subject: [PATCH] refpolicy: fix real path for bind.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/bind.fc |    2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
+index 2b9a3a1..fd45d53 100644
+--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named       --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind        --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound     --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)?        gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.*        --      gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key    --      gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key --      gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones     --      gen_context(system_u:object_r:named_conf_t,s0)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/authlogin.fc |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+ 
+ /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+ 
+ /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_chkpwd  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_update  --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_verify  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
new file mode 100644
index 0000000..80cca67
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+ /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*       --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*    --      gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolv\.conf.*        --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*                --      gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?               gen_context(system_u:object_r:dhcp_etc_t,s0)
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
new file mode 100644
index 0000000..29ac2c3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
@@ -0,0 +1,34 @@
+Subject: [PATCH] fix real path for shadow commands.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/usermanage.fc |    6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..841ba9b 100644
+--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
+@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
+ 
+ /usr/bin/chage         --      gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chfn          --      gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chfn\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chsh          --      gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh\.shadow  --      gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/gpasswd       --      gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/bin/passwd                --      gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/passwd\.shadow        --      gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/passwd\.tinylogin     --      gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/vigr          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/sbin/vigr\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/vipw          --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/sbin/vipw\.shadow     --      gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ 
+ /usr/lib/cracklib_dict.* --    gen_context(system_u:object_r:crack_db_t,s0)
+ 
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch
new file mode 100644
index 0000000..8e54921
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch
@@ -0,0 +1,69 @@
+From 852860529f24547b662d9383c0eaa821c9efa406 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:18:39 +0800
+Subject: [PATCH] efpolicy: fix real path for fstools
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/fstools.fc |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 7a46b45..9656352 100644
+--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
+@@ -1,6 +1,8 @@
+ /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blkid\.util-linux        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blockdev\.util-linux     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -9,9 +11,12 @@
+ /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk\.util-linux        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm\.hdparm   --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -24,21 +29,27 @@
+ /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap\.util-linux       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
+ /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch
new file mode 100644
index 0000000..89b1547
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for iptables
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/iptables.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 14cffd2..84ac92b 100644
+--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
+@@ -13,6 +13,7 @@
+ /sbin/ipvsadm-restore          --      gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm-save             --      gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/xtables-multi            --      gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi                --      gen_context(system_u:object_r:iptables_exec_t,s0)
+ 
+ /usr/sbin/ipchains.*           --      gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/iptables             --      gen_context(system_u:object_r:iptables_exec_t,s0)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch
new file mode 100644
index 0000000..bbd83ec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch
@@ -0,0 +1,27 @@
+From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:21:55 +0800
+Subject: [PATCH] refpolicy: fix real path for mta
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/mta.fc |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
+index f42896c..0d4bcef 100644
+--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
+@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)?      gen_context(system_u:object_r:mail_home_rw_t,s0)
+ /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix    --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)?        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/msmtp        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/ssmtp        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /var/mail(/.*)?        gen_context(system_u:object_r:mail_spool_t,s0)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch
new file mode 100644
index 0000000..b45d03e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for netutils
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/netutils.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..f2ed3dc 100644
+--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
+@@ -3,6 +3,7 @@
+ /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+ /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
+/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
+ 
+ /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch
new file mode 100644
index 0000000..1db328c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch
@@ -0,0 +1,27 @@
+From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:25:36 +0800
+Subject: [PATCH] refpolicy: fix real path for nscd
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/nscd.fc |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
+index ba64485..61a6f24 100644
+--- a/policy/modules/contrib/nscd.fc
+++ b/policy/modules/contrib/nscd.fc
+@@ -1,6 +1,7 @@
+ /etc/rc\.d/init\.d/nscd        --      gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+ 
+ /usr/sbin/nscd --      gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/bin/nscd  --      gen_context(system_u:object_r:nscd_exec_t,s0)
+ 
+ /var/cache/nscd(/.*)?  gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch
new file mode 100644
index 0000000..3218194
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch
@@ -0,0 +1,27 @@
+From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:27:19 +0800
+Subject: [PATCH] refpolicy: fix real path for screen
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/screen.fc |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
+index e7c2cf7..49ddca2 100644
+--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
+@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc     --      gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.tmux\.conf  --      gen_context(system_u:object_r:screen_home_t,s0)
+ 
+ /usr/bin/screen        --      gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux  --      gen_context(system_u:object_r:screen_exec_t,s0)
+ 
+ /var/run/screen(/.*)?  gen_context(system_u:object_r:screen_var_run_t,s0)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch
new file mode 100644
index 0000000..9aeb3a2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for ssh
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 078bcd7..9717428 100644
+--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
+@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)?                    gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host_rsa_key      --      gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh                   --      gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh\.openssh          --      gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent             --      gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen            --      gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ 
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch
new file mode 100644
index 0000000..358e4ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch
@@ -0,0 +1,23 @@
+Subject: [PATCH] refpolicy: fix real path for su
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/su.fc | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..a563687 100644
+--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
+@@ -1,5 +1,6 @@
+ 
+ /bin/su                        --      gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
+ 
+ /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
new file mode 100644
index 0000000..2eaecdf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -0,0 +1,31 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+This file is used for Linux distros to define specific pathes 
+mapping to the pathes in file_contexts.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ config/file_contexts.subs_dist |    8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 32b87a4..ebba73d 100644
+--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
+@@ -5,3 +5,11 @@
+ /usr/lib32 /usr/lib
+ /usr/lib64 /usr/lib
+ /var/run/lock /var/lock
+/etc/init.d /etc/rc.d/init.d
+/var/volatile/log /var/log
+/var/volatile/run /var/run
+/var/volatile/cache /var/cache
+/var/volatile/tmp /var/tmp
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
+/www /var/www
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch
new file mode 100644
index 0000000..e0af6a1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch
@@ -0,0 +1,41 @@
+Subject: [PATCH] refpolicy: fix real path for sysnetwork
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index dec8632..2e602e4 100644
+--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
+@@ -3,6 +3,7 @@
+ # /bin
+ #
+ /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ip\.iproute2     --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+ #
+ # /dev
+@@ -43,13 +44,16 @@ ifdef(`distro_redhat',`
+ /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ethtool      --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifconfig\.net-tools      --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/mii-tool\.net-tools      --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch
new file mode 100644
index 0000000..cedb5b5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,23 @@
+From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 3/4] fix update-alternatives for hostname
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/hostname.fc |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
+++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch
new file mode 100644
index 0000000..868ee6b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,59 @@
+From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 2/4] fix update-alternatives for sysklogd
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
+for syslogd_t to read syslog_conf_t lnk_file is needed.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc |    4 ++++
+ policy/modules/system/logging.te |    1 +
+ 2 files changed, 5 insertions(+)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index b50c5fe..c005f33 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -2,19 +2,23 @@
+ 
+ /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf\.sysklogd     gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?               gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd --   gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+ 
+ /sbin/audispd          --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote    --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl         --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd           --      gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd            --      gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/klogd\.sysklogd  --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/minilogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/rklogd           --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/rsyslogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 87e3db2..2914b0b 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch
new file mode 100644
index 0000000..3a617d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch
@@ -0,0 +1,53 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/4] fix update-alternatives for sysvinit
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/shutdown.fc    |    1 +
+ policy/modules/kernel/corecommands.fc |    1 +
+ policy/modules/system/init.fc         |    1 +
+ 3 files changed, 3 insertions(+)
+diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
+index a91f33b..90e51e0 100644
+--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
+@@ -3,6 +3,7 @@
+ /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+/sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index bcfdba7..87502a3 100644
+--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
+@@ -10,6 +10,7 @@
+ /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
+/bin/mountpoint\.sysvinit      --      gen_context(system_u:object_r:bin_t,s0)
+ /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index bc0ffc8..020b9fe 100644
+--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
+@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+ # /sbin
+ #
+ /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
+ 
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch
new file mode 100644
index 0000000..9a3322f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -0,0 +1,121 @@
+From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
+Upstream-Status: Pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 771bce1..7519d0e 100644
+--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
+@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dontaudit $1 devpts_t:chr_file getattr;
+       dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dev_list_all_dev_nodes($1)
+        allow $1 devpts_t:dir search;
+        allow $1 devpts_t:chr_file ioctl;
+       allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+ 
+ ########################################
+@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        allow $1 devpts_t:chr_file setattr;
+       allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dontaudit $1 devpts_t:chr_file setattr;
+       dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dev_list_all_dev_nodes($1)
+        allow $1 devpts_t:dir list_dir_perms;
+        allow $1 devpts_t:chr_file { rw_term_perms lock append };
+       allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
+@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+        gen_require(`
+                type devpts_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+       dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ #######################################
+@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+        gen_require(`
+                type devtty_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dev_list_all_dev_nodes($1)
+        allow $1 devtty_t:chr_file setattr;
+       allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+        gen_require(`
+                type devtty_t;
+               type bsdpty_device_t;
+        ')
+ 
+        dev_list_all_dev_nodes($1)
+        allow $1 devtty_t:chr_file { rw_term_perms lock append };
+       allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ #######################################
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch
new file mode 100644
index 0000000..210c297
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch
@@ -0,0 +1,99 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] add rules for the symlink of /tmp
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/files.fc |    1 +
+ policy/modules/kernel/files.if |    8 ++++++++
+ 2 files changed, 9 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 8796ca3..a0db748 100644
+--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
+@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
+ # /tmp
+ #
+ /tmp                   -d      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp                   -l      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.*                                <<none>>
+ /tmp/\.journal                 <<none>>
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index e1e814d..a7384b0 100644
+--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
+@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
+        ')
+ 
+        allow $1 tmp_t:dir search_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
+        ')
+ 
+        allow $1 tmp_t:dir list_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
+        ')
+ 
+        allow $1 tmp_t:dir del_entry_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
+        ')
+ 
+        read_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
+        ')
+ 
+        manage_dirs_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
+        ')
+ 
+        manage_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
+        ')
+ 
+        rw_sock_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
+        ')
+ 
+        filetrans_pattern($1, tmp_t, $2, $3, $4)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch
new file mode 100644
index 0000000..18a92dd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -0,0 +1,34 @@
+From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/domain.te |    3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..9ffe6b0 100644
+--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
+@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
+# Yocto/oe-core use some var volatile links
+files_read_var_symlinks(domain)
+
+ ifdef(`hide_broken_symptoms',`
+        # This check is in the general socket
+        # listen code, before protocol-specific
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch
new file mode 100644
index 0000000..8bc40c4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -0,0 +1,31 @@
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/apache.te |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index ec8bd13..06f2e95 100644
+--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
+@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+ 
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch
new file mode 100644
index 0000000..b06f3ef
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch
@@ -0,0 +1,145 @@
+From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/6] add rules for the symlink of /var/log
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc |    1 +
+ policy/modules/system/logging.if |   14 +++++++++++++-
+ policy/modules/system/logging.te |    1 +
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index c005f33..9529e40 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log               -l      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 4e94884..9a6f599 100644
+--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+        gen_require(`
+-               type auditd_log_t;
+               type auditd_log_t, var_log_t;
+        ')
+ 
+        files_search_var($1)
+        read_files_pattern($1, auditd_log_t, auditd_log_t)
+        allow $1 auditd_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir search_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir rw_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ #######################################
+@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        can_exec($1, logfile)
+ ')
+ 
+@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        write_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        rw_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
+ 
+        files_search_var($1)
+        manage_files_pattern($1, var_log_t, var_log_t)
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ab0a49..2795d89 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch
new file mode 100644
index 0000000..92b1592
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -0,0 +1,31 @@
+From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2914b0b..2ab0a49 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+ 
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..e77a730
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,58 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] allow nfsd to exec shell commands.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te   |    2 +-
+ policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletions(-)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 9566932..5605205 100644
+--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
+@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 649e458..8a669c5 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+ 
+ ########################################
+ ## <summary>
+##     Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+       gen_require(`
+               type proc_t;
+       ')
+
+       allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
+ ##     Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch
new file mode 100644
index 0000000..71497fb
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -0,0 +1,29 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix setfiles_t to read symlinks
+Upstream-Status: Pending 
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.te |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index ec01d0b..45ed81b 100644
+--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
+@@ -553,6 +553,9 @@ files_list_all(setfiles_t)
+ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ 
+# needs to be able to read symlinks to make restorecon on symlink working
+files_read_all_symlinks(setfiles_t)
+
+ fs_getattr_xattr_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch
new file mode 100644
index 0000000..82370d8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch
@@ -0,0 +1,35 @@
+From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if |    3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 7519d0e..45de1ac 100644
+--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
+@@ -299,9 +299,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+        gen_require(`
+                type console_device_t;
+               type tty_device_t;
+        ')
+ 
+       init_dontaudit_use_fds($1)
+        dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+       dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
new file mode 100644
index 0000000..d6c8dbf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -0,0 +1,37 @@
+From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/admin/dmesg.if |    1 +
+ policy/modules/admin/dmesg.te |    2 ++
+ 2 files changed, 3 insertions(+)
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c7..739a4bc 100644
+--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+ 
+        corecmd_search_bin($1)
+        can_exec($1, dmesg_exec_t)
+       dev_read_kmsg($1)
+ ')
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 72bc6d8..c591aea 100644
+--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
+@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
+ 
+ dev_read_sysfs(dmesg_t)
+ 
+dev_read_kmsg(dmesg_t)
+
+ fs_search_auto_mountpoints(dmesg_t)
+ 
+ term_dontaudit_use_console(dmesg_t)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..557af04
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,216 @@
+From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix for new SELINUXMNT in /sys
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/selinux.if |   40 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 81440c5..ee4e86b 100644
+--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
+@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
+                type security_t;
+        ')
+ 
+       # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
+       # access sysfs
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        # starting in libselinux 2.0.5, init_selinuxmnt() will
+        # attempt to short circuit by checking if SELINUXMNT
+        # (/selinux) is already a selinuxfs
+@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        # starting in libselinux 2.0.5, init_selinuxmnt() will
+        # attempt to short circuit by checking if SELINUXMNT
+        # (/selinux) is already a selinuxfs
+@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:filesystem mount;
+ ')
+ 
+@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:filesystem remount;
+ ')
+ 
+@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:filesystem unmount;
+ ')
+ 
+@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:filesystem getattr;
+ ')
+ 
+@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        dontaudit $1 security_t:filesystem getattr;
+ ')
+ 
+@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        dontaudit $1 security_t:dir getattr;
+ ')
+ 
+@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        dontaudit $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        dontaudit $1 security_t:dir search_dir_perms;
+        dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
+                bool secure_mode_policyload;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        typeattribute $1 can_load_policy;
+@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file read_file_perms;
+        allow $1 security_t:security read_policy;
+@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+ 
+@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
+                bool secure_mode_policyload;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+        allow $1 secure_mode_policyload_t:file read_file_perms;
+@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
+                attribute can_setsecparam;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security setsecparam;
+@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
+                type security_t;
+        ')
+ 
+       dev_dontaudit_search_sysfs($1)
+        dontaudit $1 security_t:dir list_dir_perms;
+        dontaudit $1 security_t:file rw_file_perms;
+        dontaudit $1 security_t:security check_context;
+@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_av;
+@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_create;
+@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_member;
+@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_relabel;
+@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
+                type security_t;
+        ')
+ 
+       dev_getattr_sysfs_dirs($1)
+       dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+        allow $1 security_t:security compute_user;
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
new file mode 100644
index 0000000..19e2516
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -0,0 +1,75 @@
+From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
+Upstream-Status: Pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te       |    5 +++++
+ policy/modules/contrib/rpcbind.te   |    5 +++++
+ policy/modules/kernel/filesystem.te |    1 +
+ policy/modules/kernel/kernel.te     |    2 ++
+ 4 files changed, 13 insertions(+)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 5605205..9e9f468 100644
+--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
+@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ optional_policy(`
+        mount_exec(nfsd_t)
+       # Should domtrans to mount_t while mounting nfsd_fs_t.
+       mount_domtrans(nfsd_t)
+       # nfsd_t need to chdir to /var/lib/nfs and read files.
+       files_list_var(nfsd_t)
+       rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
+index 196f168..9c75677 100644
+--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
+@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t)
+ 
+ sysnet_dns_name_resolve(rpcbind_t)
+ 
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
+ optional_policy(`
+        nis_use_ypbind(rpcbind_t)
+ ')
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 1c66416..2b9e7ce 100644
+--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
+@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type oprofilefs_t;
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 49fde6e..a731078 100644
+--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
+@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+        # Bugzilla 222337
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch
new file mode 100644
index 0000000..90efbd8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -0,0 +1,31 @@
+From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 14:38:53 +0800
+Subject: [PATCH] fix setfiles statvfs to get file count
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+Upstream-Status: pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.te |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 45ed81b..12c3d2e 100644
+--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
+@@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t)
+ # needs to be able to read symlinks to make restorecon on symlink working
+ files_read_all_symlinks(setfiles_t)
+ 
+-fs_getattr_xattr_fs(setfiles_t)
+fs_getattr_all_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+ fs_relabelfrom_noxattr_fs(setfiles_t)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch
new file mode 100644
index 0000000..be33bf1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch
@@ -0,0 +1,43 @@
+From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
+Upstream-Status: Pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.if |    1 +
+ policy/modules/system/userdomain.if  |    4 ++++
+ 2 files changed, 5 insertions(+)
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+        ')
+ 
+        files_search_etc($1)
+       manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+        manage_files_pattern($1, selinux_config_t, selinux_config_t)
+        read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b4a691d..20c8bf8 100644
+--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
+@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
+        logging_read_audit_config($1)
+ 
+        seutil_manage_bin_policy($1)
+       seutil_manage_default_contexts($1)
+       seutil_manage_file_contexts($1)
+       seutil_manage_module_store($1)
+       seutil_manage_config($1)
+        seutil_run_checkpolicy($1, $2)
+        seutil_run_loadpolicy($1, $2)
+        seutil_run_semanage($1, $2)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
new file mode 100644
index 0000000..aa870f4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
@@ -0,0 +1,27 @@
+From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/services/xserver.te |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 4f6d693..b00f004 100644
+--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
+@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t)
+ # this is not actually a device, its a pipe
+ type xconsole_device_t;
+ files_type(xconsole_device_t)
+dev_node(xconsole_device_t)
+ fs_associate_tmpfs(xconsole_device_t)
+ files_associate_tmp(xconsole_device_t)
+ 
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb
new file mode 100644
index 0000000..3541611
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb
@@ -0,0 +1,24 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+PR = "r0"
+POLICY_NAME = "mls"
+POLICY_TYPE = "mls"
+POLICY_DISTRO = "redhat"
+POLICY_UBAC = "n"
+POLICY_UNK_PERMS = "allow"
+POLICY_DIRECT_INITRC = "n"
+POLICY_MONOLITHIC = "n"
+POLICY_CUSTOM_BUILDOPT = ""
+POLICY_QUIET = "y"
+POLICY_MLS_SENS = "16"
+POLICY_MLS_CATS = "1024"
+POLICY_MCS_CATS = "1024"
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb b/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb
new file mode 100644
index 0000000..1f3030a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+PR = "r3"
+POLICY_NAME = "standard"
+POLICY_TYPE = "standard"
+POLICY_DISTRO = "redhat"
+POLICY_UBAC = "n"
+POLICY_UNK_PERMS = "allow"
+POLICY_DIRECT_INITRC = "n"
+POLICY_MONOLITHIC = "n"
+POLICY_CUSTOM_BUILDOPT = ""
+POLICY_QUIET = "y"
+include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
new file mode 100644
index 0000000..d081e33
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -0,0 +1,51 @@
+SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
+SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+            file://poky-fc-update-alternatives_sysvinit.patch \
+            file://poky-fc-update-alternatives_sysklogd.patch \
+            file://poky-fc-update-alternatives_hostname.patch \
+            file://poky-fc-fix-real-path_resolv.conf.patch \
+            file://poky-fc-fix-real-path_login.patch \
+            file://poky-fc-fix-real-path_shadow.patch \
+            file://poky-fc-fix-bind.patch \
+            file://poky-fc-clock.patch \
+            file://poky-fc-corecommands.patch \
+            file://poky-fc-dmesg.patch \
+            file://poky-fc-fstools.patch \
+            file://poky-fc-iptables.patch \
+            file://poky-fc-mta.patch \
+            file://poky-fc-netutils.patch \
+            file://poky-fc-nscd.patch \
+            file://poky-fc-screen.patch \
+            file://poky-fc-ssh.patch \
+            file://poky-fc-su.patch \
+            file://poky-fc-sysnetwork.patch \
+           "
+# Specific policy for Poky
+SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
+            file://poky-policy-add-rules-for-var-log-symlink.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-cache-symlink.patch \
+            file://poky-policy-add-rules-for-tmp-symlink.patch \
+            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
+            file://poky-policy-don-t-audit-tty_device_t.patch \
+            file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
+            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
+            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
+            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+           "
+# Other policy fixes 
+SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+            file://poky-policy-fix-seutils-manage-config-files.patch \
+            file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
+            file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+           "
+include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 0f9f83b..3eaf16d 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -58,10 +58,15 @@ module-store = direct
 path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
 args = -q -c \$@ \$<
 [end]
+[sefcontext_compile]
+path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
+args = \$@
+[end]
 EOF
        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+        touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
        bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
                ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
        for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-09-23 21:18:03 +0800
committer	Joe MacDonald <joe@deserted.net>	2013-10-02 13:24:45 -0400
commit	292e6f4ac670d2f5ae5dbb53d6c7c265f006975d (patch)
tree	9b53470a4acb08220734bd993d8256110848c699
parent	c7fc09794c20db9e3b32d326abb627985d2b5b65 (diff)
download	meta-selinux-292e6f4ac670d2f5ae5dbb53d6c7c265f006975d.tar.gz