refpolicy: update to 2.20190201 and git HEAD policiesjjm/RELEASE_2.20190201

Additionally, the README has fallen out of date, update it to reflect the
current reality of layer dependencies.

Signed-off-by: Joe MacDonald <joe@deserted.net>

1 files changed, 36 insertions, 0 deletions

diff --git a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
new file mode 100644
index 0000000..a494671
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -0,0 +1,36 @@
+From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
+ symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/domain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 1a55e3d2..babb794f 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ ifdef(`hide_broken_symptoms',`
+        # This check is in the general socket
+        # listen code, before protocol-specific
+-- 
+2.19.1
+