refpolicy: update git recipes

The targeted, mls and minimum recipes had fallen far behind the upstream
refpolicy repository.  Refresh all patches and discard ones that are
obviously no longer needed.  This should not have any functional change on
the policies.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

43 files changed, 391 insertions, 446 deletions

diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
index 4830566..85c40a4 100644
--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
 root@localhost:~#
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/ftp.te |    2 ++
  1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
index b36c209..628e8a3 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/clock.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
- 
+@@ -1,3 +1,4 @@
  /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
  
- /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
++/usr/sbin/hwclock\.util-linux  --      gen_context(system_u:object_r:hwclock_exec_t,s0)
  /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
index 6995bb5..689c75b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
@@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/dmesg.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/admin/dmesg.fc
 +++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
- 
- /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- 
+@@ -1 +1,2 @@
++/usr/bin/dmesg\.util-linux     --              gen_context(system_u:object_r:dmesg_exec_t,s0)
  /usr/bin/dmesg         --              gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
index a96b4a7..3218c88 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind.
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/bind.fc |    2 ++
  1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
index d97d58e..fc54217 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
@@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/authlogin.fc |    5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,18 @@
- 
- /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
+@@ -3,20 +3,19 @@
  /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
  
- /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow --      gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.tinylogin      --      gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /usr/lib/utempter/utempter --  gen_context(system_u:object_r:utempter_exec_t,s0)
+ 
+ /usr/sbin/pam_console_apply    --      gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/sbin/pam_timestamp_check   --     gen_context(system_u:object_r:pam_exec_t,s0)
+-/usr/sbin/unix_chkpwd          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/usr/sbin/unix_update          --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/usr/sbin/unix_verify          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/utempter             --      gen_context(system_u:object_r:utempter_exec_t,s0)
+ /usr/sbin/validate             --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ifdef(`distro_suse', `
- /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/unix2_chkpwd --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
- 
- /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
index c1cd74d..cd79f45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/sysnetwork.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
+@@ -17,10 +17,11 @@ ifdef(`distro_debian',`
  /etc/ethers            --      gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts             --      gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
index d74f524..a15a776 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/usermanage.fc |    6 ++++++
  1 file changed, 6 insertions(+)
 
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
+@@ -2,15 +2,21 @@ ifdef(`distro_debian',`
  /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
  ')
  
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
index 23484de..41c32df 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
@@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/su.fc |    2 ++
  1 file changed, 2 insertions(+)
 
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -3,5 +3,7 @@
- /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
- 
+@@ -1,3 +1,4 @@
  /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
  /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
  /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
-+
-+/bin/su.shadow         --      gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su.shadow             --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
index 5d3aa76..cf07b23 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
- /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -43,10 +49,11 @@
- /sbin/zstreamdump      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/ztest            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
- /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -4,10 +4,11 @@
  /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  
  /usr/sbin/addpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/sbin/badblocks            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/delpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/dosfsck              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -17,14 +18,16 @@
+ /usr/sbin/e4fsck               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/e2label              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/efibootmgr           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.*            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/lsraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/make_reiser4         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -33,21 +36,24 @@
+ /usr/sbin/mke4fs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune)    --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff/.util-linux          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.*             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb                  --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zhack                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
index b4ba2e2..d58de6a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
@@ -5,6 +5,7 @@ Upstream-Status: Pending
 ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/ftp.fc |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
index 1a8fbe3..72b559f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/mta.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
+@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
  /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
  
  /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
deleted file mode 100644
index fea90ad..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/admin/netutils.fc |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.*            --      gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.*               --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/arping                --      gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.*        --      gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
index 5fe5062..0adf7c2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/nscd.fc |    1 +
  1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
index 8680f19..922afa9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpm.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
+@@ -57,6 +57,7 @@ ifdef(`distro_redhat',`
  /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
  /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
  
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
index a7301e9..8ea210e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/screen.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/screen.fc
 +++ b/policy/modules/contrib/screen.fc
-@@ -1,9 +1,10 @@
- HOME_DIR/\.screen(/.*)?        gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.screenrc    --      gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf  --      gen_context(system_u:object_r:screen_home_t,s0)
+@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf   --      gen_context(sys
  
- /usr/bin/screen        --      gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux  --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/screen(/.*)?              gen_context(system_u:object_r:screen_runtime_t,s0)
+ /run/tmux(/.*)?                        gen_context(system_u:object_r:screen_runtime_t,s0)
  
- /run/screen(/.*)?      gen_context(system_u:object_r:screen_var_run_t,s0)
- /run/tmux(/.*)?        gen_context(system_u:object_r:screen_var_run_t,s0)
+ /usr/bin/screen                --      gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux          --      gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
index 35bbc9e..648b21b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/services/ssh.fc |    1 +
  1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
index f82f359..8aec193 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,16 @@
+@@ -26,5 +26,16 @@
  
  # backward compatibility
  # not for refpolicy intern, but for /var/run using applications,
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
index 7f8f368..0b148b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
@@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/sysnetwork.fc |    3 +++
  1 file changed, 3 insertions(+)
 
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
- #
- # /bin
- #
- /bin/ifconfig          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
- #
- # /dev
- #
- ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
- /sbin/dhclient.*       --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -41,17 +41,20 @@ ifdef(`distro_redhat',`
+ /usr/sbin/dhcdbd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/dhcp6c               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/dhcpcd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/ethtool              --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ip                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_configure                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_interface                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_internal_net     --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/iw                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/iwconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/mii-tool             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump                 --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
  
  #
- # /usr
+ # /var
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
index 8e2cb1b..2271a05 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/udev.fc |    2 ++
  1 file changed, 2 insertions(+)
@@ -17,22 +18,22 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
  /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
- /lib/udev/udev-acl --  gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --  gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
  
  ifdef(`distro_debian',`
- /bin/udevadm   --      gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevadm       --      gen_context(system_u:object_r:udev_exec_t,s0)
  ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
- ifdef(`distro_redhat',`
- /sbin/start_udev --    gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+@@ -30,10 +31,11 @@ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev --        gen_context(system_u:object_r:udev_exec_t,s0)
  ')
  
- /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/udev/udev-acl --      gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udevd    --      gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /usr/share/virtualbox/VBoxCreateUSBNode\.sh    --      gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /run/udev(/.*)?        gen_context(system_u:object_r:udev_var_run_t,s0)
  
- /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd                --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
index 80c40d0..e3edce1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
@@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/hostname.fc |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
- 
- /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
- 
+@@ -1 +1,3 @@
++/usr/bin/hostname\.net-tools   --      gen_context(system_u:object_r:hostname_exec_t,s0)
++
  /usr/bin/hostname      --      gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
index 03284cd..dfa67a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.fc |    4 ++++
  policy/modules/system/logging.te |    1 +
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,12 +1,14 @@
  /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -27,25 +28,30 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
  
- /sbin/audispd          --      gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote    --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl         --      gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd           --      gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd            --      gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd  --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd           --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
  /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
  /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
  /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+@@ -15,14 +17,16 @@
+ /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd       --      gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd      --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd       --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s
  allow syslogd_t self:fifo_file rw_fifo_file_perms;
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
  files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- 
+ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
index 0c09825..81fe141 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
@@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/shutdown.fc    |    1 +
  policy/modules/kernel/corecommands.fc |    1 +
  policy/modules/system/init.fc         |    1 +
  3 files changed, 3 insertions(+)
 
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
- /etc/nologin   --      gen_context(system_u:object_r:shutdown_etc_t,s0)
- 
- /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
+Index: refpolicy/policy/modules/contrib/shutdown.fc
+===================================================================
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc
++++ refpolicy/policy/modules/contrib/shutdown.fc
+@@ -3,5 +3,6 @@
  /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
  
  /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit   --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /run/shutdown\.pid     --      gen_context(system_u:object_r:shutdown_var_run_t,s0)
+Index: refpolicy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy/policy/modules/kernel/corecommands.fc
+@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/ksh.*                 --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mksh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint            --      gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit  --      gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/sash                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/scponly               --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/tcsh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+Index: refpolicy/policy/modules/system/init.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.fc
++++ refpolicy/policy/modules/system/init.fc
+@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', `
+ /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /usr/sbin/init(ng)?    --      gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit       --      gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty        --      gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart      --      gen_context(system_u:object_r:init_exec_t,s0)
  
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit      --      gen_context(system_u:object_r:bin_t,s0)
- /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- 
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
- 
- #
- # /sbin
- #
- /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
- 
- ifdef(`distro_gentoo', `
- /sbin/rc               --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
index fee4068..ad7b5a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/terminal.if |   16 ++++++++++++++++
  1 file changed, 16 insertions(+)
 
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
+@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',`
  ## </param>
  #
  interface(`term_dontaudit_getattr_generic_ptys',`
@@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ## <summary>
  ##     ioctl of generic pty devices.
  ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
+@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
  #
  # cjp: added for ppp
  interface(`term_ioctl_generic_ptys',`
@@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
+@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
  #
  # dwalsh: added for rhgb
  interface(`term_setattr_generic_ptys',`
@@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
+@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
  #
  # dwalsh: added for rhgb
  interface(`term_dontaudit_setattr_generic_ptys',`
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
+@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
  ## </param>
  #
  interface(`term_use_generic_ptys',`
@@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
+@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
  ## </param>
  #
  interface(`term_dontaudit_use_generic_ptys',`
@@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  #######################################
  ## <summary>
  ##     Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
+@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
  ## </param>
  #
  interface(`term_setattr_controlling_term',`
@@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
+@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
  ## </param>
  #
  interface(`term_use_controlling_term',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
index d3aa705..b12ee9d 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -8,22 +8,22 @@ syslogd_t.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te |    2 ++
  1 file changed, 2 insertions(+)
 
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
+@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
  files_search_spool(syslogd_t)
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
- 
 +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+ 
+ # manage temporary files
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
index 7a30460..d3c1ee5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/files.fc |    1 +
  policy/modules/kernel/files.if |    8 ++++++++
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
-@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
+@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.*  <<none>>
  
  #
  # /tmp
@@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  /tmp/lost\+found/.*            <<none>>
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
+@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',`
         gen_require(`
                 type tmp_t;
         ')
@@ -42,7 +43,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Do not audit attempts to search the tmp directory (/tmp).
-@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
+@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
         gen_require(`
                 type tmp_t;
         ')
@@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Do not audit listing of the tmp directory (/tmp).
-@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
         gen_require(`
                 type tmp_t;
         ')
@@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Read files in the tmp directory (/tmp).
-@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
+@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
         gen_require(`
                 type tmp_t;
         ')
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Manage temporary directories in /tmp.
-@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
+@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
         gen_require(`
                 type tmp_t;
         ')
@@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Manage temporary files and directories in /tmp.
-@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
+@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
         gen_require(`
                 type tmp_t;
         ')
@@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Read symbolic links in the tmp directory (/tmp).
-@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
+@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
         gen_require(`
                 type tmp_t;
         ')
@@ -114,7 +115,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Mount filesystems in the tmp directory (/tmp)
-@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
+@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
         gen_require(`
                 type tmp_t;
         ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
index fc6dea0..b828b7a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -11,6 +11,7 @@ contents, so this is still a secure relax.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/domain.te |    3 +++
  1 file changed, 3 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
index d907095..fb912b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/apache.te |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
+ files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
+ 
+ manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
  logging_log_filetrans(httpd_t, httpd_log_t, file)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
index 90c8f36..7c7355f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -8,15 +8,16 @@ audisp_remote_t.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -276,10 +276,11 @@ optional_policy(`
+@@ -280,10 +280,11 @@ optional_policy(`
  
- allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:capability { setpcap setuid };
  allow audisp_remote_t self:process { getcap setcap };
  allow audisp_remote_t self:tcp_socket create_socket_perms;
  allow audisp_remote_t var_log_t:dir search_dir_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index a9ae381..19342f5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.fc |    1 +
  policy/modules/system/logging.if |   14 +++++++++++++-
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
  
  /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
  /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ########################################
  ## <summary>
  ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
+@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
  ## <rolecap/>
  #
  interface(`logging_read_all_logs',`
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  
  ########################################
  ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
  # cjp: not sure why this is needed.  This was added
  # because of logrotate.
  interface(`logging_exec_all_logs',`
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  
  ########################################
  ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
                 type var_log_t;
         ')
  
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  
  ########################################
  ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
+@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
                 type var_log_t;
         ')
  
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
- allow auditd_t auditd_etc_t:file read_file_perms;
+@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
  
  manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
  manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
  allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
index c2cba9a..b755b45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Roy.Li <rongqing.li@windriver.com>
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/logging.te |    1 +
  1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo
+@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index 189dc6e..a9a0a55 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpc.te   |    2 +-
  policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
  
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
         allow $1 proc_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
+-##     Get the attributes of the proc filesystem.
 +##     Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##     <summary>
+ ##     Domain allowed access.
+ ##     </summary>
+ ## </param>
+ #
+-interface(`kernel_getattr_proc',`
 +interface(`kernel_mounton_proc',`
-+       gen_require(`
-+               type proc_t;
-+       ')
-+
+        gen_require(`
+                type proc_t;
+        ')
+ 
+-       allow $1 proc_t:filesystem getattr;
 +       allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ##     Get the attributes of the proc filesystem.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##     Mount on proc directories.
++##     Get the attributes of the proc filesystem.
  ## </summary>
  ## <param name="domain">
  ##     <summary>
  ##     Domain allowed access.
+ ##     </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kernel_mounton_proc',`
++interface(`kernel_getattr_proc',`
+        gen_require(`
+                type proc_t;
+        ')
+ 
+-       allow $1 proc_t:dir mounton;
++       allow $1 proc_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##     Do not audit attempts to set the
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
index 766b3df..08e9398 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -7,13 +7,14 @@ Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.te |    3 +++
  1 file changed, 3 insertions(+)
 
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
+@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t)
  files_list_all(setfiles_t)
  files_relabel_all_files(setfiles_t)
  files_read_usr_symlinks(setfiles_t)
@@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
 +files_read_all_symlinks(setfiles_t)
 +
  fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
- 
+ fs_getattr_nfs(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
+ fs_getattr_pstorefs(setfiles_t)
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
index 8ce2f62..a1fda13 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=211
 type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/roles/sysadm.te |    4 ++++
  1 file changed, 4 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
index 998bfa0..e3ea75e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
@@ -9,13 +9,14 @@ term_dontaudit_use_console.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/kernel/terminal.if |    3 +++
  1 file changed, 3 insertions(+)
 
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -297,13 +297,16 @@ interface(`term_use_console',`
+@@ -315,13 +315,16 @@ interface(`term_use_console',`
  ## </param>
  #
  interface(`term_dontaudit_use_console',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
index 131a9bb..11a6963 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800
 Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/admin/dmesg.if |    1 +
  policy/modules/admin/dmesg.te |    2 ++
@@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
         can_exec($1, dmesg_exec_t)
 +       dev_read_kmsg($1)
  ')
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
- 
- domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
index 016685c..d0b0073 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  policy/modules/kernel/kernel.te     |    2 ++
  4 files changed, 13 insertions(+)
 
+--- a/policy/modules/contrib/rpcbind.te
++++ b/policy/modules/contrib/rpcbind.te
+@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t)
+ 
+ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+        term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',`
         files_read_non_auth_files(nfsd_t)
  ')
  
@@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  ########################################
  #
  # GSSD local policy
---- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
- 
- logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
-        term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
@@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
  genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
+@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t)
  
  mls_process_read_all_levels(kernel_t)
  mls_process_write_all_levels(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
index 950f525..0cd8bf9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -10,22 +10,22 @@ Upstream-Status: pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.te |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
+@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t)
  files_dontaudit_read_all_symlinks(setfiles_t)
  
  # needs to be able to read symlinks to make restorecon on symlink working
  files_read_all_symlinks(setfiles_t)
  
--fs_getattr_all_xattr_fs(setfiles_t)
 +fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
- 
- mls_file_read_all_levels(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
+ fs_getattr_pstorefs(setfiles_t)
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
index c9a877b..e0f8c1a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
@@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/selinuxutil.if |    1 +
  policy/modules/system/userdomain.if  |    4 ++++
@@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  #######################################
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
-@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
+@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat
         logging_read_audit_log($1)
         logging_read_generic_logs($1)
         logging_read_audit_config($1)
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
index 86ff0d2..6eba356 100644
--- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -8,21 +8,21 @@ It provide, the systemd support related allow rules
 Upstream-Status: Pending
 
 Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/init.te |    5 +++++
  1 file changed, 5 insertions(+)
 
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -1105,5 +1105,10 @@ optional_policy(`
- ')
- 
+@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre
  optional_policy(`
-        zebra_read_config(initrc_t)
+        userdom_dontaudit_search_user_home_dirs(systemprocess)
+        userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+        userdom_dontaudit_write_user_tmp_files(systemprocess)
  ')
 +
 +# systemd related allow rules
 +allow kernel_t init_t:process dyntransition;
 +allow devpts_t device_t:filesystem associate;
 +allow init_t self:capability2 block_suspend;
-\ No newline at end of file
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index 2dd8291..b33e84b 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -11,17 +11,18 @@ Upstream-Status: pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/init.te       | 14 ++++++++------
  policy/modules/system/locallogin.te |  4 +++-
  2 files changed, 11 insertions(+), 7 deletions(-)
 
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c058f0c..d710fb0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -292,12 +292,14 @@ ifdef(`init_systemd',`
-                modutils_domtrans_insmod(init_t)
+@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
+ 
+        optional_policy(`
+                modutils_domtrans(init_t)
         ')
  ',`
 -       tunable_policy(`init_upstart',`
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
--               sysadm_shell_domtrans(init_t)
+-               ifndef(`distro_debian',`
+-                       sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       sysadm_shell_domtrans(init_t)
-+               ')
++                       ifndef(`distro_debian',`
++                               sysadm_shell_domtrans(init_t)
++                       ')
+                ')
         ')
  ')
  
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 0781eae..ea2493a 100644
+ ifdef(`distro_debian',`
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+ 
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644
 +       sysadm_shell_domtrans(sulogin_t)
 +')
  
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
--- 
-1.9.1
-
+ # by default, sulogin does not use pam...
+ # sulogin_pam might need to be defined otherwise
+ ifdef(`sulogin_pam', `
+        selinux_get_fs_mount(sulogin_t)
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
index b6c64c6..17a8199 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
@@ -18,15 +18,16 @@ support is enabled:
 Upstream-Status: Inappropriate
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/system/init.if | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f50c6e1..b445886 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1307,12 +1307,12 @@ interface(`init_spec_domtrans_script',`
+@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
+ ##     </summary>
+ ## </param>
  #
  interface(`init_domtrans_script',`
         gen_require(`
@@ -41,6 +42,5 @@ index f50c6e1..b445886 100644
  
         ifdef(`enable_mcs',`
                 range_transition $1 init_script_file_type:process s0;
--- 
-1.9.1
-
+        ')
+ 
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index ba14851..29d3e2d 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  policy/users                        | 16 +++++--------
  5 files changed, 55 insertions(+), 20 deletions(-)
 
-diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
-index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
-@@ -1,3 +1,3 @@
- system_u:system_u:s0-mcs_systemhigh
+@@ -1,2 +1,3 @@
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 005afd8..4699d6a 100644
++
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
+@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
  ubac_fd_exempt(sysadm_t)
  
  init_exec(sysadm_t)
+ init_admin(sysadm_t)
 +init_script_role_transition(sysadm_r)
- init_get_system_status(sysadm_t)
- init_disable(sysadm_t)
- init_enable(sysadm_t)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index b68dfc1..35b4141 100644
+ 
+ selinux_read_policy(sysadm_t)
+ 
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`
+@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
+ ##     </summary>
+ ## </param>
  #
  interface(`init_spec_domtrans_script',`
         gen_require(`
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644
  
         ifdef(`distro_gentoo',`
                 gen_require(`
-@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`
+                        type rc_exec_t;
+                ')
+ 
+                domtrans_pattern($1, rc_exec_t, initrc_t)
         ')
  
         ifdef(`enable_mcs',`
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644
         ')
  ')
  
-@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`
+ ########################################
+ ## <summary>
+@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
+ ##     </summary>
+ ## </param>
  #
  interface(`init_domtrans_script',`
         gen_require(`
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644
         ')
  ')
  
-@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`
- 
-        allow $1 systemdunit:service reload;
+ ########################################
+ ## <summary>
+@@ -2972,5 +2974,34 @@ interface(`init_admin',`
+        init_stop_all_units($1)
+        init_stop_generic_units($1)
+        init_stop_system($1)
+        init_telinit($1)
  ')
 +
 +########################################
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644
 +       role_transition $1 init_script_file_type system_r;
 +')
 +
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index ad23fce..99cab31 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -20,6 +20,11 @@ type unconfined_execmem_t;
+@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
+ 
+ type unconfined_execmem_t;
  type unconfined_execmem_exec_t;
  init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
  role unconfined_r types unconfined_execmem_t;
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644
  
  ########################################
  #
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ # Local policy
+ #
+@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+ 
  ifdef(`direct_sysadm_daemon',`
          optional_policy(`
                  init_run_daemon(unconfined_t, unconfined_r)
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644
          ')
  ',`
          ifdef(`distro_gentoo',`
-diff --git a/policy/users b/policy/users
-index ca20375..ac1ca6c 100644
+                 seutil_run_runinit(unconfined_t, unconfined_r)
+                 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
 --- a/policy/users
 +++ b/policy/users
-@@ -15,7 +15,7 @@
+@@ -13,37 +13,33 @@
+ # system_u is the user identity for system processes and objects.
+ # There should be no corresponding Unix user identity for system,
  # and a user process should never be assigned the system user
  # identity.
  #
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644
  
  #
  # user_u is a generic user identity for Linux users who have no
-@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity defined.  The modified daemons will use
+ # this user identity in the security context if there is no matching
+ # SELinux user identity for a Linux user.  If you do not want to
  # permit any access to such users, then remove this entry.
  #
  gen_user(user_u, user, user_r, s0, s0)
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644
  ')
  
  #
-@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`
+ # The following users correspond to Unix identities.
+ # These identities are typically assigned as the user attribute
+ # when login starts the user shell.  Users with access to the sysadm_r
  # role should use the staff_r role instead of the user_r role when
  # not in the sysadm_r.
  #
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644
 -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- 
-1.9.1
-
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index e6e63c9..b320e4d 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -20,7 +20,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
             file://poky-fc-dmesg.patch \
             file://poky-fc-fstools.patch \
             file://poky-fc-mta.patch \
-            file://poky-fc-netutils.patch \
             file://poky-fc-nscd.patch \
             file://poky-fc-screen.patch \
             file://poky-fc-ssh.patch \