43 files changed, 391 insertions, 446 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
index 4830566..85c40a4 100644
--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
 root@localhost:~#
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.te |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
index b36c209..628e8a3 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/clock.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
+@@ -1,3 +1,4 @@
- 
 /etc/adjtime           --      gen_context(system_u:object_r:adjtime_t,s0)
 
- /sbin/hwclock          --      gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock\.util-linux  --      gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
 /usr/sbin/hwclock      --      gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
index 6995bb5..689c75b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
@@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/dmesg.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/admin/dmesg.fc
 +++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
+@@ -1 +1,2 @@
- 
+/usr/bin/dmesg\.util-linux     --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- /bin/dmesg             --              gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux --              gen_context(system_u:object_r:dmesg_exec_t,s0)
- 
 /usr/bin/dmesg         --              gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
index a96b4a7..3218c88 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind.
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/bind.fc |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
index d97d58e..fc54217 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
@@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/authlogin.fc |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,18 @@
+@@ -3,20 +3,19 @@
- 
- /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/gshadow.*         --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
 
- /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
- /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
+/usr/bin/login\.shadow --      gen_context(system_u:object_r:login_exec_t,s0)
-/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/bin/login\.tinylogin      --      gen_context(system_u:object_r:login_exec_t,s0)
-/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+ 
-/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /usr/lib/utempter/utempter --  gen_context(system_u:object_r:utempter_exec_t,s0)
+ 
+ /usr/sbin/pam_console_apply    --      gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/sbin/pam_timestamp_check   --     gen_context(system_u:object_r:pam_exec_t,s0)
+-/usr/sbin/unix_chkpwd          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/usr/sbin/unix_update          --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/usr/sbin/unix_verify          --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/utempter             --      gen_context(system_u:object_r:utempter_exec_t,s0)
+ /usr/sbin/validate             --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
- /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/sbin/unix2_chkpwd --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
- 
- /usr/bin/login         --      gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
index c1cd74d..cd79f45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
+@@ -17,10 +17,11 @@ ifdef(`distro_debian',`
 /etc/ethers            --      gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts             --      gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
index d74f524..a15a776 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/usermanage.fc |    6 ++++++
 1 file changed, 6 insertions(+)
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
+@@ -2,15 +2,21 @@ ifdef(`distro_debian',`
 /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
 ')
 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
index 23484de..41c32df 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
@@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/su.fc |    2 ++
 1 file changed, 2 insertions(+)
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -3,5 +3,7 @@
+@@ -1,3 +1,4 @@
- /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
- 
 /usr/(local/)?bin/ksu  --      gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu         --      gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/su            --      gen_context(system_u:object_r:su_exec_t,s0)
-+
+/usr/bin/su.shadow             --      gen_context(system_u:object_r:su_exec_t,s0)
-+/bin/su.shadow         --      gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
index 5d3aa76..cf07b23 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
+@@ -4,10 +4,11 @@
- /sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -43,10 +49,11 @@
- /sbin/zstreamdump      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/ztest            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
- /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/addpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/badblocks            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/delpart              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/dosfsck              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -17,14 +18,16 @@
+ /usr/sbin/e4fsck               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/e2label              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/efibootmgr           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk/.util-linux            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.*            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/lsraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/make_reiser4         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -33,21 +36,24 @@
+ /usr/sbin/mke4fs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.*               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkraid               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap/.util-linux           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune)    --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff/.util-linux          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.*             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb                  --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zhack                        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
index b4ba2e2..d58de6a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
@@ -5,6 +5,7 @@ Upstream-Status: Pending
 ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.fc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
index 1a8fbe3..72b559f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/mta.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
+@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)?    gen_context(sys
 /usr/lib/courier/bin/sendmail  --      gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail        --      gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
deleted file mode 100644
index fea90ad..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
- policy/modules/admin/netutils.fc |    1 +
- 1 file changed, 1 insertion(+)
--- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.*            --      gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.*               --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.*      --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- 
- /sbin/arping           --      gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping            --      gen_context(system_u:object_r:netutils_exec_t,s0)
- 
- /usr/bin/arping                --      gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft           --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap          --      gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.*        --      gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
index 5fe5062..0adf7c2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/nscd.fc |    1 +
 1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
index 8680f19..922afa9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpm.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
+@@ -57,6 +57,7 @@ ifdef(`distro_redhat',`
 /run/yum.*     --      gen_context(system_u:object_r:rpm_var_run_t,s0)
 /run/PackageKit(/.*)?  gen_context(system_u:object_r:rpm_var_run_t,s0)
 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
index a7301e9..8ea210e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/screen.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/screen.fc
 +++ b/policy/modules/contrib/screen.fc
-@@ -1,9 +1,10 @@
+@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf   --      gen_context(sys
- HOME_DIR/\.screen(/.*)?        gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.screenrc    --      gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.tmux\.conf  --      gen_context(system_u:object_r:screen_home_t,s0)
 
- /usr/bin/screen        --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/screen(/.*)?              gen_context(system_u:object_r:screen_runtime_t,s0)
-+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /run/tmux(/.*)?                        gen_context(system_u:object_r:screen_runtime_t,s0)
- /usr/bin/tmux  --      gen_context(system_u:object_r:screen_exec_t,s0)
 
- /run/screen(/.*)?      gen_context(system_u:object_r:screen_var_run_t,s0)
+ /usr/bin/screen                --      gen_context(system_u:object_r:screen_exec_t,s0)
- /run/tmux(/.*)?        gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen-.*     --      gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux          --      gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
index 35bbc9e..648b21b 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/services/ssh.fc |    1 +
 1 file changed, 1 insertion(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
index f82f359..8aec193 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,16 @@
+@@ -26,5 +26,16 @@
 
 # backward compatibility
 # not for refpolicy intern, but for /var/run using applications,
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
index 7f8f368..0b148b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
@@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
+@@ -41,17 +41,20 @@ ifdef(`distro_redhat',`
- #
+ /usr/sbin/dhcdbd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- # /bin
+ /usr/sbin/dhcp6c               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- #
+ /usr/sbin/dhcpcd               --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /bin/ifconfig          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ethtool              --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip                        --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- 
+/usr/sbin/ip\.iproute2 --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- #
+ /usr/sbin/ip                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- # /dev
+ /usr/sbin/ipx_configure                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- #
+ /usr/sbin/ipx_interface                --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- ifdef(`distro_debian',`
+ /usr/sbin/ipx_internal_net     --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
+ /usr/sbin/iw                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhclient.*       --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/iwconfig             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhcdbd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/mii-tool             --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/dhcpcd           --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ethtool          --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump                 --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ifconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/tc                   --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface    --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool         --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools  --  gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump             --      gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc               --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
- # /usr
+ # /var
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
index 8e2cb1b..2271a05 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/udev.fc |    2 ++
 1 file changed, 2 insertions(+)
@@ -17,22 +18,22 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ --        gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
- /lib/udev/udev-acl --  gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd    --  gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
- /bin/udevadm   --      gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevadm       --      gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
+ 
- ifdef(`distro_redhat',`
+@@ -30,10 +31,11 @@ ifdef(`distro_redhat',`
- /sbin/start_udev --    gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/start_udev --        gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
- /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm  --   gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/udev/udev-acl --      gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udevd    --      gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /usr/share/virtualbox/VBoxCreateUSBNode\.sh    --      gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /run/udev(/.*)?        gen_context(system_u:object_r:udev_var_run_t,s0)
 
- /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd                --      gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
index 80c40d0..e3edce1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
@@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/hostname.fc |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
+@@ -1 +1,3 @@
- 
+/usr/bin/hostname\.net-tools   --      gen_context(system_u:object_r:hostname_exec_t,s0)
- /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
+
-+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
- 
 /usr/bin/hostname      --      gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
index 03284cd..dfa67a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc |    4 ++++
 policy/modules/system/logging.te |    1 +
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,12 +1,14 @@
 /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -27,25 +28,30 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 
- /sbin/audispd          --      gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote    --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl         --      gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd           --      gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd            --      gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd  --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd           --      gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+@@ -15,14 +17,16 @@
+ /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd       --      gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/klogd\.sysklogd      --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd       --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd     --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd\.sysklogd    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- 
+ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
index 0c09825..81fe141 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
@@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/shutdown.fc    |    1 +
 policy/modules/kernel/corecommands.fc |    1 +
 policy/modules/system/init.fc         |    1 +
 3 files changed, 3 insertions(+)
--- a/policy/modules/contrib/shutdown.fc
+Index: refpolicy/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
+===================================================================
-@@ -1,10 +1,11 @@
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc
- /etc/nologin   --      gen_context(system_u:object_r:shutdown_etc_t,s0)
+++ refpolicy/policy/modules/contrib/shutdown.fc
- 
+@@ -3,5 +3,6 @@
- /lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
- /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
- 
 /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/shutdown\.sysvinit   --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /run/shutdown\.pid     --      gen_context(system_u:object_r:shutdown_var_run_t,s0)
+Index: refpolicy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
+@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/ksh.*                 --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mksh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint            --      gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mountpoint\.sysvinit  --      gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/sash                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/scponly               --      gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/tcsh                  --      gen_context(system_u:object_r:shell_exec_t,s0)
+Index: refpolicy/policy/modules/system/init.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.fc
+++ refpolicy/policy/modules/system/init.fc
+@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', `
+ /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /usr/sbin/init(ng)?    --      gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit       --      gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty        --      gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart      --      gen_context(system_u:object_r:init_exec_t,s0)
 
--- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit      --      gen_context(system_u:object_r:bin_t,s0)
- /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
- 
--- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
- 
- #
- # /sbin
- #
- /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
- 
- ifdef(`distro_gentoo', `
- /sbin/rc               --      gen_context(system_u:object_r:rc_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
index fee4068..ad7b5a6 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
 Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/terminal.if |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
+@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_getattr_generic_ptys',`
@@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ## <summary>
 ##     ioctl of generic pty devices.
 ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
+@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
 #
 # cjp: added for ppp
 interface(`term_ioctl_generic_ptys',`
@@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
+@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_setattr_generic_ptys',`
@@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
+@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_dontaudit_setattr_generic_ptys',`
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
+@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
 ## </param>
 #
 interface(`term_use_generic_ptys',`
@@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
+@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_use_generic_ptys',`
@@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 #######################################
 ## <summary>
 ##     Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
+@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
 ## </param>
 #
 interface(`term_setattr_controlling_term',`
@@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
+@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
 ## </param>
 #
 interface(`term_use_controlling_term',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
index d3aa705..b12ee9d 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -8,22 +8,22 @@ syslogd_t.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    2 ++
 1 file changed, 2 insertions(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
+@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
- 
 +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+ 
+ # manage temporary files
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
index 7a30460..d3c1ee5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/files.fc |    1 +
 policy/modules/kernel/files.if |    8 ++++++++
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
-@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
+@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.*  <<none>>
 
 #
 # /tmp
@@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 /tmp/lost\+found/.*            <<none>>
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
+@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',`
        gen_require(`
                type tmp_t;
        ')
@@ -42,7 +43,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Do not audit attempts to search the tmp directory (/tmp).
-@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
+@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
        gen_require(`
                type tmp_t;
        ')
@@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Do not audit listing of the tmp directory (/tmp).
-@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
        gen_require(`
                type tmp_t;
        ')
@@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read files in the tmp directory (/tmp).
-@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
+@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
        gen_require(`
                type tmp_t;
        ')
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Manage temporary directories in /tmp.
-@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
+@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
        gen_require(`
                type tmp_t;
        ')
@@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Manage temporary files and directories in /tmp.
-@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
+@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
        gen_require(`
                type tmp_t;
        ')
@@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Read symbolic links in the tmp directory (/tmp).
-@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
+@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
        gen_require(`
                type tmp_t;
        ')
@@ -114,7 +115,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Mount filesystems in the tmp directory (/tmp)
-@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
+@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
        gen_require(`
                type tmp_t;
        ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
index fc6dea0..b828b7a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -11,6 +11,7 @@ contents, so this is still a secure relax.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/domain.te |    3 +++
 1 file changed, 3 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
index d907095..fb912b5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/apache.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
+@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ 
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
index 90c8f36..7c7355f 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -8,15 +8,16 @@ audisp_remote_t.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -276,10 +276,11 @@ optional_policy(`
+@@ -280,10 +280,11 @@ optional_policy(`
 
- allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
 allow audisp_remote_t var_log_t:dir search_dir_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index a9ae381..19342f5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc |    1 +
 policy/modules/system/logging.if |   14 +++++++++++++-
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
 
 /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
+@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
 ## <rolecap/>
 #
 interface(`logging_read_all_logs',`
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
 # cjp: not sure why this is needed.  This was added
 # because of logrotate.
 interface(`logging_exec_all_logs',`
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
                type var_log_t;
        ')
 
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
+@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
                type var_log_t;
        ')
 
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
+@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
- allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
index c2cba9a..b755b45 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Roy.Li <rongqing.li@windriver.com>
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te |    1 +
 1 file changed, 1 insertion(+)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo
+@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index 189dc6e..a9a0a55 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpc.te   |    2 +-
 policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
        allow $1 proc_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
+-##     Get the attributes of the proc filesystem.
 +##     Mounton a proc filesystem.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##     <summary>
+ ##     <summary>
-+##     Domain allowed access.
+ ##     Domain allowed access.
-+##     </summary>
+ ##     </summary>
-+## </param>
+ ## </param>
-+#
+ #
+-interface(`kernel_getattr_proc',`
 +interface(`kernel_mounton_proc',`
-+       gen_require(`
+        gen_require(`
-+               type proc_t;
+                type proc_t;
-+       ')
+        ')
-+
+ 
+-       allow $1 proc_t:filesystem getattr;
 +       allow $1 proc_t:dir mounton;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
- ##     Get the attributes of the proc filesystem.
+-##     Mount on proc directories.
+##     Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
+ ##     </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kernel_mounton_proc',`
+interface(`kernel_getattr_proc',`
+        gen_require(`
+                type proc_t;
+        ')
+ 
+-       allow $1 proc_t:dir mounton;
+       allow $1 proc_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##     Do not audit attempts to set the
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
index 766b3df..08e9398 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -7,13 +7,14 @@ Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.te |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
+@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
@@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
 +files_read_all_symlinks(setfiles_t)
 +
 fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
+ fs_getattr_pstorefs(setfiles_t)
- 
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
index 8ce2f62..a1fda13 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=211
 type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/roles/sysadm.te |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
index 998bfa0..e3ea75e 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
@@ -9,13 +9,14 @@ term_dontaudit_use_console.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/terminal.if |    3 +++
 1 file changed, 3 insertions(+)
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -297,13 +297,16 @@ interface(`term_use_console',`
+@@ -315,13 +315,16 @@ interface(`term_use_console',`
 ## </param>
 #
 interface(`term_dontaudit_use_console',`
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
index 131a9bb..11a6963 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
@@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800
 Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/dmesg.if |    1 +
 policy/modules/admin/dmesg.te |    2 ++
@@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
        can_exec($1, dmesg_exec_t)
 +       dev_read_kmsg($1)
 ')
--- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
- 
- term_dontaudit_use_console(dmesg_t)
- 
- domain_use_interactive_fds(dmesg_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
index 016685c..d0b0073 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 policy/modules/kernel/kernel.te     |    2 ++
 4 files changed, 13 insertions(+)
+--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
+@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t)
+ 
+ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
+ ifdef(`distro_debian',`
+        term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',`
        files_read_non_auth_files(nfsd_t)
 ')
 
@@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ########################################
 #
 # GSSD local policy
--- a/policy/modules/contrib/rpcbind.te
-+++ b/policy/modules/contrib/rpcbind.te
-@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
- 
- logging_send_syslog_msg(rpcbind_t)
- 
- miscfiles_read_localization(rpcbind_t)
- 
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
- ifdef(`distro_debian',`
-        term_dontaudit_use_unallocated_ttys(rpcbind_t)
- ')
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
@@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
+@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t)
 
 mls_process_read_all_levels(kernel_t)
 mls_process_write_all_levels(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
index 950f525..0cd8bf9 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
@@ -10,22 +10,22 @@ Upstream-Status: pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
+@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 # needs to be able to read symlinks to make restorecon on symlink working
 files_read_all_symlinks(setfiles_t)
 
-fs_getattr_all_xattr_fs(setfiles_t)
 +fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
+ fs_getattr_pstore_dirs(setfiles_t)
- 
+ fs_getattr_pstorefs(setfiles_t)
- mls_file_read_all_levels(setfiles_t)
+ fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
index c9a877b..e0f8c1a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
@@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
 Upstream-Status: Pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/selinuxutil.if |    1 +
 policy/modules/system/userdomain.if  |    4 ++++
@@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 #######################################
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
-@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
+@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat
        logging_read_audit_log($1)
        logging_read_generic_logs($1)
        logging_read_audit_config($1)
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
index 86ff0d2..6eba356 100644
--- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -8,21 +8,21 @@ It provide, the systemd support related allow rules
 Upstream-Status: Pending
 Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/init.te |    5 +++++
 1 file changed, 5 insertions(+)
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -1105,5 +1105,10 @@ optional_policy(`
+@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre
- ')
- 
 optional_policy(`
-        zebra_read_config(initrc_t)
+        userdom_dontaudit_search_user_home_dirs(systemprocess)
+        userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+        userdom_dontaudit_write_user_tmp_files(systemprocess)
 ')
 +
 +# systemd related allow rules
 +allow kernel_t init_t:process dyntransition;
 +allow devpts_t device_t:filesystem associate;
 +allow init_t self:capability2 block_suspend;
-\ No newline at end of file
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index 2dd8291..b33e84b 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -11,17 +11,18 @@ Upstream-Status: pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/init.te       | 14 ++++++++------
 policy/modules/system/locallogin.te |  4 +++-
 2 files changed, 11 insertions(+), 7 deletions(-)
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c058f0c..d710fb0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -292,12 +292,14 @@ ifdef(`init_systemd',`
+@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
-                modutils_domtrans_insmod(init_t)
+ 
+        optional_policy(`
+                modutils_domtrans(init_t)
        ')
 ',`
 -       tunable_policy(`init_upstart',`
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
-               sysadm_shell_domtrans(init_t)
+-               ifndef(`distro_debian',`
+-                       sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       sysadm_shell_domtrans(init_t)
+                       ifndef(`distro_debian',`
-+               ')
+                               sysadm_shell_domtrans(init_t)
+                       ')
+                ')
        ')
 ')
 
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+ ifdef(`distro_debian',`
-index 0781eae..ea2493a 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+ 
 userdom_search_user_home_dirs(sulogin_t)
 userdom_use_user_ptys(sulogin_t)
 
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644
 +       sysadm_shell_domtrans(sulogin_t)
 +')
 
- # suse and debian do not use pam with sulogin...
+ # by default, sulogin does not use pam...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ # sulogin_pam might need to be defined otherwise
-- 
+ ifdef(`sulogin_pam', `
-1.9.1
+        selinux_get_fs_mount(sulogin_t)
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
index b6c64c6..17a8199 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
@@ -18,15 +18,16 @@ support is enabled:
 Upstream-Status: Inappropriate
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/init.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f50c6e1..b445886 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1307,12 +1307,12 @@ interface(`init_spec_domtrans_script',`
+@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
+ ##     </summary>
+ ## </param>
 #
 interface(`init_domtrans_script',`
        gen_require(`
@@ -41,6 +42,5 @@ index f50c6e1..b445886 100644
 
        ifdef(`enable_mcs',`
                range_transition $1 init_script_file_type:process s0;
-- 
+        ')
-1.9.1
+ 
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index ba14851..29d3e2d 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 policy/users                        | 16 +++++--------
 5 files changed, 55 insertions(+), 20 deletions(-)
-diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
-index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
-@@ -1,3 +1,3 @@
+@@ -1,2 +1,3 @@
- system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+
-index 005afd8..4699d6a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
+@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
+ init_admin(sysadm_t)
 +init_script_role_transition(sysadm_r)
- init_get_system_status(sysadm_t)
+ 
- init_disable(sysadm_t)
+ selinux_read_policy(sysadm_t)
- init_enable(sysadm_t)
+ 
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+ # Add/remove user home directories
-index b68dfc1..35b4141 100644
+ userdom_manage_user_home_dirs(sysadm_t)
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`
+@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
+ ##     </summary>
+ ## </param>
 #
 interface(`init_spec_domtrans_script',`
        gen_require(`
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644
 
        ifdef(`distro_gentoo',`
                gen_require(`
-@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`
+                        type rc_exec_t;
+                ')
+ 
+                domtrans_pattern($1, rc_exec_t, initrc_t)
        ')
 
        ifdef(`enable_mcs',`
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644
        ')
 ')
 
-@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`
+ ########################################
+ ## <summary>
+@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
+ ##     </summary>
+ ## </param>
 #
 interface(`init_domtrans_script',`
        gen_require(`
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644
        ')
 ')
 
-@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`
+ ########################################
- 
+ ## <summary>
-        allow $1 systemdunit:service reload;
+@@ -2972,5 +2974,34 @@ interface(`init_admin',`
+        init_stop_all_units($1)
+        init_stop_generic_units($1)
+        init_stop_system($1)
+        init_telinit($1)
 ')
 +
 +########################################
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644
 +       role_transition $1 init_script_file_type system_r;
 +')
 +
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index ad23fce..99cab31 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -20,6 +20,11 @@ type unconfined_execmem_t;
+@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
+ 
+ type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644
 
 ########################################
 #
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ # Local policy
+ #
+@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+ 
 ifdef(`direct_sysadm_daemon',`
         optional_policy(`
                 init_run_daemon(unconfined_t, unconfined_r)
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644
         ')
 ',`
         ifdef(`distro_gentoo',`
-diff --git a/policy/users b/policy/users
+                 seutil_run_runinit(unconfined_t, unconfined_r)
-index ca20375..ac1ca6c 100644
+                 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
 --- a/policy/users
 +++ b/policy/users
-@@ -15,7 +15,7 @@
+@@ -13,37 +13,33 @@
+ # system_u is the user identity for system processes and objects.
+ # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644
 
 #
 # user_u is a generic user identity for Linux users who have no
-@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity defined.  The modified daemons will use
+ # this user identity in the security context if there is no matching
+ # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644
 ')
 
 #
-@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`
+ # The following users correspond to Unix identities.
+ # These identities are typically assigned as the user attribute
+ # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644
 -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-- 
-1.9.1
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index e6e63c9..b320e4d 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -20,7 +20,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
            file://poky-fc-dmesg.patch \
            file://poky-fc-fstools.patch \
            file://poky-fc-mta.patch \
-            file://poky-fc-netutils.patch \
            file://poky-fc-nscd.patch \
            file://poky-fc-screen.patch \
            file://poky-fc-ssh.patch \