4 files changed, 42 insertions, 23 deletions

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index e8f6e5f..9e45e0c 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -9,7 +9,6 @@ LICENSE = "GPLv2+"
 
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
             file://policycoreutils-fixfiles-de-bashify.patch \
-            file://policycoreutils-sandbox-de-bashify.patch \
            "
 
 PAM_SRC_URI = "file://pam.d/newrole \
@@ -64,15 +63,6 @@ RDEPENDS_${BPN}-python += "\
         libsemanage-python \
 "
 RDEPENDS_${BPN}-runinit += "libselinux"
-RDEPENDS_${BPN}-sandbox += "\
-        python-math \
-        python-shell \
-        python-subprocess \
-        python-textutils \
-        python-unixadmin \
-        libselinux-python \
-        ${BPN}-python \
-"
 RDEPENDS_${BPN}-secon += "libselinux"
 RDEPENDS_${BPN}-semanage = "\
         python-core \
@@ -128,7 +118,6 @@ PACKAGES =+ "\
         ${PN}-newrole \
         ${PN}-python \
         ${PN}-runinit \
-        ${PN}-sandbox \
         ${PN}-secon \
         ${PN}-semanage \
         ${PN}-semodule \
@@ -171,12 +160,6 @@ FILES_${PN}-runinit += "\
         ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
 "
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug"
-FILES_${PN}-sandbox += "\
-        ${datadir}/sandbox/* \
-        ${bindir}/sandbox \
-        ${sbindir}/seunshare \
-        ${sysconfdir}/sysconfig/sandbox \
-"
 FILES_${PN}-secon += "${bindir}/secon"
 FILES_${PN}-semanage = "\
         ${sbindir}/semanage \
diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc
new file mode 100644
index 0000000..8616dd7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -0,0 +1,28 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS_${PN} += "\
+        python-math \
+        python-shell \
+        python-subprocess \
+        python-textutils \
+        python-unixadmin \
+        libselinux-python \
+        selinux-python \
+"
+
+FILES_${PN} += "\
+        ${datadir}/sandbox/sandboxX.sh \
+        ${datadir}/sandbox/start \
+"
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index c078ef6..18cef4b 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -9,25 +9,26 @@ sandboxX script, so point them at /bin/sh instead.
 Upstream-Status: Pending
 
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
  sandbox/sandbox.init | 2 +-
  sandbox/sandboxX.sh  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+diff --git a/sandbox.init b/sandbox.init
 index b3979bf..1893dc8 100644
---- a/sandbox/sandbox.init
-+++ b/sandbox/sandbox.init
+--- a/sandbox.init
++++ b/sandbox.init
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
  ## BEGIN INIT INFO
  # Provides: sandbox
  # Default-Start: 3 4 5
-diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+diff --git a/sandboxX.sh b/sandboxX.sh
 index eaa500d..8755d75 100644
---- a/sandbox/sandboxX.sh
-+++ b/sandbox/sandboxX.sh
+--- a/sandboxX.sh
++++ b/sandboxX.sh
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb b/recipes-security/selinux/selinux-sandbox_2.7.bb
new file mode 100644
index 0000000..1307ce7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.7.bb
@@ -0,0 +1,7 @@
+include selinux_20170804.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
+SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"