From 0d58268e290fe9dfa1c17d97b9ca7709aa53d595 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Wed, 11 Oct 2023 10:50:24 +0800
Subject: refpolicy: upgrade 20221101+git -> 20231002+git
* Switch branch to main.
* Update to latest git rev.
* Drop obsolete and useless patches.
* Refresh patches.
Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
...-volatile-alias-common-var-volatile-paths.patch | 2 +-
...icy-minimum-make-sysadmin-module-optional.patch | 10 +-
...argeted-make-unconfined_u-the-default-sel.patch | 4 +-
...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 2 +-
...efpolicy-minimum-make-xdg-module-optional.patch | 6 +-
...-apply-policy-to-common-yocto-hostname-al.patch | 2 +-
...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 6 +-
...onf-label-resolv.conf-in-var-run-properly.patch | 2 +-
...login-apply-login-context-to-login.shadow.patch | 8 +-
.../0007-fc-hwclock-add-hwclock-alternatives.patch | 2 +-
...-dmesg-apply-policy-to-dmesg-alternatives.patch | 2 +-
...9-fc-ssh-apply-policy-to-ssh-alternatives.patch | 2 +-
...rk-apply-policy-to-network-commands-alter.patch | 2 +-
...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 ++++++
...c-udev-apply-policy-to-udevadm-in-libexec.patch | 29 ------
...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 ------
...012-fc-su-apply-policy-to-su-alternatives.patch | 27 ++++++
...0013-fc-fstools-fix-real-path-for-fstools.patch | 74 +++++++++++++++
...013-fc-su-apply-policy-to-su-alternatives.patch | 27 ------
...0014-fc-fstools-fix-real-path-for-fstools.patch | 77 ---------------
...init-fix-update-alternatives-for-sysvinit.patch | 55 +++++++++++
...-brctl-apply-policy-to-brctl-alternatives.patch | 24 +++++
...init-fix-update-alternatives-for-sysvinit.patch | 55 -----------
...-brctl-apply-policy-to-brctl-alternatives.patch | 24 -----
...ands-apply-policy-to-nologin-alternatives.patch | 28 ++++++
...ands-apply-policy-to-nologin-alternatives.patch | 28 ------
...ogin-apply-policy-to-sulogin-alternatives.patch | 25 +++++
...ogin-apply-policy-to-sulogin-alternatives.patch | 25 -----
...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 ++++++
...ros-apply-policy-to-kerberos-alternatives.patch | 50 ++++++++++
...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 ------
...ros-apply-policy-to-kerberos-alternatives.patch | 50 ----------
...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 ++++++++
...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 --------
...ql-apply-policy-to-postgresql-alternative.patch | 37 ++++++++
...ql-apply-policy-to-postgresql-alternative.patch | 37 --------
...creen-apply-policy-to-screen-alternatives.patch | 25 +++++
...creen-apply-policy-to-screen-alternatives.patch | 25 -----
...ge-apply-policy-to-usermanage-alternative.patch | 57 +++++++++++
...-fc-getty-add-file-context-to-start_getty.patch | 27 ++++++
...ge-apply-policy-to-usermanage-alternative.patch | 57 -----------
...-fc-getty-add-file-context-to-start_getty.patch | 27 ------
...-vlock-apply-policy-to-vlock-alternatives.patch | 25 +++++
...text-for-init-scripts-and-systemd-service.patch | 64 +++++++++++++
...-vlock-apply-policy-to-vlock-alternatives.patch | 25 -----
...text-for-init-scripts-and-systemd-service.patch | 64 -------------
...ts.subs_dist-set-aliase-for-root-director.patch | 30 ++++++
...ts.subs_dist-set-aliase-for-root-director.patch | 30 ------
...les-system-logging-add-rules-for-the-syml.patch | 91 ++++++++++++++++++
...les-system-logging-add-rules-for-syslogd-.patch | 34 +++++++
...les-system-logging-add-rules-for-the-syml.patch | 104 ---------------------
...les-kernel-files-add-rules-for-the-symlin.patch | 102 ++++++++++++++++++++
...les-system-logging-add-rules-for-syslogd-.patch | 34 -------
...les-kernel-files-add-rules-for-the-symlin.patch | 102 --------------------
...les-system-logging-fix-auditd-startup-fai.patch | 41 ++++++++
...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 ++++++++
...les-system-logging-fix-auditd-startup-fai.patch | 41 --------
...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 --------
...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 34 +++++++
...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 34 -------
...les-system-systemd-enable-support-for-sys.patch | 46 +++++++++
...les-system-logging-allow-systemd-tmpfiles.patch | 43 +++++++++
...les-system-systemd-enable-support-for-sys.patch | 64 -------------
...les-system-systemd-allow-systemd_logind_t.patch | 6 +-
...les-roles-sysadm-allow-sysadm-to-use-init.patch | 6 +-
...modules-system-systemd-systemd-user-fixes.patch | 83 ++++++++--------
...les-system-mount-make-mount_t-domain-MLS-.patch | 6 +-
...les-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 4 +-
...les-services-rpc-make-nfsd_t-domain-MLS-t.patch | 6 +-
...les-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | 2 +-
...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 6 +-
...les-system-init-make-init_t-MLS-trusted-f.patch | 6 +-
...les-system-systemd-make-systemd-tmpfiles_.patch | 6 +-
...les-system-systemd-systemd-make-systemd_-.patch | 12 +--
...les-system-logging-add-the-syslogd_t-to-t.patch | 6 +-
...les-system-init-make-init_t-MLS-trusted-f.patch | 6 +-
...les-system-init-all-init_t-to-read-any-le.patch | 6 +-
...les-system-logging-allow-auditd_t-to-writ.patch | 6 +-
...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 6 +-
...les-system-setrans-allow-setrans_t-use-fd.patch | 2 +-
...les-system-systemd-make-_systemd_t-MLS-tr.patch | 6 +-
...les-system-logging-make-syslogd_runtime_t.patch | 6 +-
recipes-security/refpolicy/refpolicy_common.inc | 50 +++++-----
recipes-security/refpolicy/refpolicy_git.inc | 6 +-
84 files changed, 1221 insertions(+), 1234 deletions(-)
create mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index 1605d90..2b879d2 100644
--- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,4 +1,4 @@
-From ee66387c393af77b88c833f5d271efe48036112c Mon Sep 17 00:00:00 2001
+From 1d96fd0c6906566d40cb4c4f2c8a30fe80ed4ad4 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 28 Mar 2019 16:14:09 -0400
Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index 657c5cd..50e0339 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,4 @@
-From 0e3b79ae0ae468640d7092c9a91a91d258d07645 Mon Sep 17 00:00:00 2001
+From 6c5f86f8c5e5fda6ded270753d0535a31ebfbab0 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Fri, 5 Apr 2019 11:53:28 -0400
Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 671b5aef3..8ce3d5956 100644
+index e94a29a73..6b1879bb4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -615,13 +615,15 @@ ifdef(`init_systemd',`
+@@ -638,13 +638,15 @@ ifdef(`init_systemd',`
unconfined_write_keys(init_t)
')
',`
@@ -48,10 +48,10 @@ index 671b5aef3..8ce3d5956 100644
')
')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 7728de804..a8ff403dd 100644
+index 8330be8a9..933e94b24 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -274,7 +274,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
index 64e658e..fb92e6c 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,4 +1,4 @@
-From 60b4e5ea5668a71b2a0660461daecea66fd11d51 Mon Sep 17 00:00:00 2001
+From c26f856ac11b3d61aff56c4e512bedca811cf004 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Mon, 20 Apr 2020 11:50:03 +0800
Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
@@ -38,7 +38,7 @@ index ce614b41b..c0903d98b 100644
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index d116a1b9b..32720f68f 100644
+index 6431d35da..922e7e285 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index ef00602..26669ba 100644
--- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,4 +1,4 @@
-From 8fa6c5b7b99a50b09e9dffd142c066fa41319750 Mon Sep 17 00:00:00 2001
+From c94348cbaacfdc47a50cc93c8d52295f09b3c1f2 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 28 Mar 2019 20:48:10 -0400
Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
index 25afa3b..75ff75e 100644
--- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
@@ -1,4 +1,4 @@
-From 9a8d6b634d4f714fc63125be5e23228c565d1aaf Mon Sep 17 00:00:00 2001
+From c69e55b03777ee15701ebb9b53b288fc773dbd87 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Wed, 29 Sep 2021 11:08:49 +0800
Subject: [PATCH] refpolicy-minimum: make xdg module optional
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7b717d3ba..3b07b368d 100644
+index 52c7b5346..d9f21b6bf 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -298,10 +298,14 @@ init_unit_file(systemd_user_manager_unit_t)
+@@ -305,10 +305,14 @@ init_unit_file(systemd_user_manager_unit_t)
type systemd_conf_home_t;
init_unit_file(systemd_conf_home_t)
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index 94ac31b..140af4e 100644
--- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,4 +1,4 @@
-From 5a0bbd1920205f488b6a4565f7217b9d0825067b Mon Sep 17 00:00:00 2001
+From cb1c9ffb1c8f2c615731c2afae81b687a59b94c4 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
index eff0255..13a0343 100644
--- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -1,4 +1,4 @@
-From c9219d2f7be1e641b3866b770a9b570c12333b93 Mon Sep 17 00:00:00 2001
+From 23f156d0adc37eb9f6f8308c28da4db0bac48200 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 28 Mar 2019 21:37:32 -0400
Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0c05c693d..b70940928 100644
+index f031e1704..30ac066e4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -142,6 +142,7 @@ ifdef(`distro_gentoo',`
+@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
/usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index 06c8087..e3d9e93 100644
--- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,4 +1,4 @@
-From 51631a7eaaea1fab4b36a2488497cf725317ce6e Mon Sep 17 00:00:00 2001
+From 10df3192847b50162c7f404b6c5bd1a010951112 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 4 Apr 2019 10:45:03 -0400
Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index 70c5566..a1125d8 100644
--- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,4 +1,4 @@
-From 1c61b10d21a22d4110bc880b23477295f6cd9efb Mon Sep 17 00:00:00 2001
+From 61900d0f5576fa0cd8297a011f60cb9a40cefc7b Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 28 Mar 2019 21:43:53 -0400
Subject: [PATCH] fc/login: apply login context to login.shadow
@@ -12,11 +12,11 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 50efcff7b..5cb48882c 100644
+index adb53a05a..a25a9d607 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -6,6 +6,7 @@
- /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -8,6 +8,7 @@
+ /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_history_t,s0)
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
index 2f9f703..26bc8a0 100644
--- a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
@@ -1,4 +1,4 @@
-From e4d7d9fb1cb157bf205874e1a81d5719017866a1 Mon Sep 17 00:00:00 2001
+From e393201b6f3c0242ccc41dd86eada8be97326a08 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 28 Mar 2019 21:59:18 -0400
Subject: [PATCH] fc/hwclock: add hwclock alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
index 6e576a8..5449754 100644
--- a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -1,4 +1,4 @@
-From ac6536f04674ccc051744e6eb3644e68fe38da33 Mon Sep 17 00:00:00 2001
+From 2d5ca79ed3f775878b91d76e952644b1347d5f9e Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Fri, 29 Mar 2019 08:26:55 -0400
Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
index 611c0d3..7fada95 100644
--- a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,4 +1,4 @@
-From a56887ca448b60ad6715348b2cfe533e8109a040 Mon Sep 17 00:00:00 2001
+From d676349ee55f8c1c16b9d5c6770b9137391d396e Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Fri, 29 Mar 2019 09:20:58 -0400
Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
index 7af147d..5886168 100644
--- a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
@@ -1,4 +1,4 @@
-From 47a5e9a0bd4960534998798ab1a5ab62e77b2b61 Mon Sep 17 00:00:00 2001
+From 6730f53849cce4d2586a6e6540f3e7aae1117236 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Tue, 9 Jun 2015 21:22:52 +0530
Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..2d1d287
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,27 @@
+From cfb5cec05c98a65d8eb086868444a6e74e1f96bf Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/rpm.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 3f842f942..12973ac8b 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -71,4 +71,6 @@ ifdef(`distro_redhat',`
+
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 434fc1d..0000000
--- a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bbc6eb20e9509a61236051df7a5fa552a8f2654d Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 7898ff01c..bc717e60c 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index bf562d6..0000000
--- a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 00533fded8e2264f8bdc68c8ed79644a10e4e2ad Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/rpm.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 3f842f942..12973ac8b 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -71,4 +71,6 @@ ifdef(`distro_redhat',`
-
- ifdef(`enable_mls',`
- /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch
new file mode 100644
index 0000000..f1138d6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch
@@ -0,0 +1,27 @@
+From dd1663aaffec1f7b36097c742094c9c239342d9f Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fc/su: apply policy to su alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/su.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c9692..a9868cd58 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,3 +1,5 @@
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100644
index 0000000..4bc2bbc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,74 @@
+From 9cd6000d7d01cee2eb92038bf4361f603736200b Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH] fc/fstools: fix real path for fstools
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Shrikant Bobade
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/fstools.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 63423802d..124109a68 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -58,7 +58,9 @@
+ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +74,13 @@
+ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -83,13 +88,16 @@
+ /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -99,8 +107,10 @@
+ /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+--
+2.25.1
+
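Review bot: The refreshed fstools patch carries one fewer file-context entry than the 0014 version it replaces — its inner diffstat reads `policy/modules/system/fstools.fc | 10 ++++++++++` where the deleted file's reads `11 +++++++++++` — and neither the "Refresh patches" bullet in the commit description nor the patch body says which alternative label was dropped. Presumably that entry is now present in upstream fstools.fc at 20231002+git, but this cannot be verified from the hunk, and an entry silently lost in a refresh would leave that alternative binary without its fsadm_exec_t label. The deleted 0014 file is cut off at the end of this excerpt, so the missing entry cannot be identified here. Suggest naming it in the commit description, e.g. `* Refresh patches (fstools: drop <ENTRY>, now labelled upstream).` with the real path filled in.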
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
deleted file mode 100644
index 32d38f1..0000000
--- a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 4b202554e646a60000c1acad7bbdfae1078bdc10 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fc/su: apply policy to su alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/su.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c9692..a9868cd58 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,5 @@
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
deleted file mode 100644
index de0aad7..0000000
--- a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From f64a5d6a2f2e72ae6c5122220eb759117b6384c8 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] fc/fstools: fix real path for fstools
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Shrikant Bobade
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/fstools.fc | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 8fbd5ce44..2842afbcc 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -58,7 +58,9 @@
- /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -72,10 +74,13 @@
- /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -83,24 +88,30 @@
- /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
new file mode 100644
index 0000000..746a8be
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,55 @@
+From 4c6db6e9d637c6ecde7d104ae3544d18004d2a2c Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/shutdown.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 2 ++
+ policy/modules/system/init.fc | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 89d682d36..354f4d1d9 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -7,5 +7,6 @@
+
+ /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 30ac066e4..1edc035f3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -153,6 +153,8 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 9ebd6094c..e9e9eae85 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -48,6 +48,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
new file mode 100644
index 0000000..c592e8e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -0,0 +1,24 @@
+From e95592bb4138b7bbf3e7725144ac2cbe9cecc4cd Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:19:54 +0800
+Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/brctl.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
+index ed472f095..2a852b0fd 100644
+--- a/policy/modules/admin/brctl.fc
++++ b/policy/modules/admin/brctl.fc
+@@ -1,3 +1,4 @@
+ /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
+ /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
deleted file mode 100644
index 5e9c197..0000000
--- a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 6d2a96abd1e292d0c34ff77501e618cfc193655f Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 2 ++
- policy/modules/system/init.fc | 1 +
- 3 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index bf51c103f..91ed72be0 100644
---- a/policy/modules/admin/shutdown.fc
-+++ b/policy/modules/admin/shutdown.fc
-@@ -5,5 +5,6 @@
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index b70940928..e6077fd5b 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
- /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 1a99e5824..7f0b7c699 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_gentoo',`
- /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
deleted file mode 100644
index b0ba609..0000000
--- a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 2e9c22ee83b7d4fea7b177ca8111c06e69338db9 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:19:54 +0800
-Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/brctl.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
-index ed472f095..2a852b0fd 100644
---- a/policy/modules/admin/brctl.fc
-+++ b/policy/modules/admin/brctl.fc
-@@ -1,3 +1,4 @@
- /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
-
- /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
-+/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
new file mode 100644
index 0000000..8047863
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -0,0 +1,28 @@
+From 788d2c125f18dce9e0871fb260b4a0c394b9db53 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:21:51 +0800
+Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/corecommands.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 1edc035f3..258d97c3c 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -308,6 +308,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
deleted file mode 100644
index 58ac463..0000000
--- a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c43f2d7ddf1d0c2185796e0297dd9f85b9663aaf Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:21:51 +0800
-Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/corecommands.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index e6077fd5b..0df59e837 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -306,6 +306,8 @@ ifdef(`distro_debian',`
- /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
new file mode 100644
index 0000000..3dd959c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -0,0 +1,25 @@
+From 03199ca4933ef2760c0e575a76e90521117ea4c3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:43:28 +0800
+Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/locallogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index fc8d58507..59e6e9601 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -2,4 +2,5 @@
+ /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+
+ /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
deleted file mode 100644
index 3c43254..0000000
--- a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 11c95928e325aea7e4c41a9cdf969f9bdd306611 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:43:28 +0800
-Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/locallogin.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index fc8d58507..59e6e9601 100644
---- a/policy/modules/system/locallogin.fc
-+++ b/policy/modules/system/locallogin.fc
-@@ -2,4 +2,5 @@
- /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-
- /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
- /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
new file mode 100644
index 0000000..1d902f2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -0,0 +1,27 @@
+From ee9c65a2d3db145309bd2898223f8229915c304c Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:45:23 +0800
+Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/ntp.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index 9243f3304..e13cf6a9b 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -25,6 +25,7 @@
+ /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
new file mode 100644
index 0000000..778ed43
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -0,0 +1,50 @@
+From 435ae64d593cc09b1109d0457f7ba084259090e8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:55:05 +0800
+Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/kerberos.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
+index df21fcc78..ce0166edd 100644
+--- a/policy/modules/services/kerberos.fc
++++ b/policy/modules/services/kerberos.fc
+@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+ /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+ /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+ /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++
+ /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+ /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
deleted file mode 100644
index cbae4c5..0000000
--- a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 5841a5bd25e6017b6ccff4f56628ad6e950eadad Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:45:23 +0800
-Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/ntp.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
-index cd69ea5d5..49ffe6f68 100644
---- a/policy/modules/services/ntp.fc
-+++ b/policy/modules/services/ntp.fc
-@@ -25,6 +25,7 @@
- /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-
- /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-+/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
- /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
- /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
deleted file mode 100644
index 76e7fe9..0000000
--- a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8126ec521e5a0f72da098f5d90b5b5b392006b7c Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:55:05 +0800
-Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/kerberos.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index df21fcc78..ce0166edd 100644
---- a/policy/modules/services/kerberos.fc
-+++ b/policy/modules/services/kerberos.fc
-@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
- /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-
- /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
- /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-
- /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
- /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-+/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-
- /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
- /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
- /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-+/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-+/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-+/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+
- /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
- /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
- /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch
new file mode 100644
index 0000000..baad70c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -0,0 +1,40 @@
+From a1c0776ac6405d1b6aeadf07cc222f5cc9daa424 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 11:06:13 +0800
+Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/ldap.fc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
+index 0a1d08d0f..65b202962 100644
+--- a/policy/modules/services/ldap.fc
++++ b/policy/modules/services/ldap.fc
+@@ -1,8 +1,10 @@
+ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+ /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+ /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+
+ /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+ /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+@@ -25,6 +27,9 @@
+ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+ /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+
++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++
+ /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
deleted file mode 100644
index a46c9c9..0000000
--- a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From c71ea08245069001b56aadd7bb0af28e019f45e4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 11:06:13 +0800
-Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/ldap.fc | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index 0a1d08d0f..65b202962 100644
---- a/policy/modules/services/ldap.fc
-+++ b/policy/modules/services/ldap.fc
-@@ -1,8 +1,10 @@
- /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
- /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
- /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-+/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-
- /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-
- /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-
-@@ -25,6 +27,9 @@
- /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
- /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
-
-+/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-+/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
-+
- /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
- /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
- /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
new file mode 100644
index 0000000..8bce781
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -0,0 +1,37 @@
+From dd6dc74388daffba5c336059fbc046e632bee0f6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 11:13:16 +0800
+Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/postgresql.fc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index f31a52cf8..f9bf46870 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -27,6 +27,17 @@
+ /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
+
++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
++
+ ifdef(`distro_redhat', `
+ /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ ')
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
deleted file mode 100644
index 0a0464f..0000000
--- a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 72726c1bc51628e6eb56e758f1e334f9b9a0f17e Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 11:13:16 +0800
-Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/postgresql.fc | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f31a52cf8..f9bf46870 100644
---- a/policy/modules/services/postgresql.fc
-+++ b/policy/modules/services/postgresql.fc
-@@ -27,6 +27,17 @@
- /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
- /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-+/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
-+
- ifdef(`distro_redhat', `
- /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- ')
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
new file mode 100644
index 0000000..7fba90e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -0,0 +1,25 @@
+From 7d78632d5553fcddf12dd57de56ff15b057625ab Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 11:15:33 +0800
+Subject: [PATCH] fc/screen: apply policy to screen alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/apps/screen.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
+index e51e01d97..238dc263e 100644
+--- a/policy/modules/apps/screen.fc
++++ b/policy/modules/apps/screen.fc
+@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+ /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+
+ /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
deleted file mode 100644
index e95cb3c..0000000
--- a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 003a22f73563ef7b8b4ab6a6a0cb4a920a43570f Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 11:15:33 +0800
-Subject: [PATCH] fc/screen: apply policy to screen alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/apps/screen.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
-index e51e01d97..238dc263e 100644
---- a/policy/modules/apps/screen.fc
-+++ b/policy/modules/apps/screen.fc
-@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
- /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
new file mode 100644
index 0000000..b65e3b0
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -0,0 +1,57 @@
+From 074eff7d27765a1f489f3a787d7f6f64a890f07e Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 11:25:34 +0800
+Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/usermanage.fc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index 7209a8dd0..c9dc1f000 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,8 +4,13 @@ ifdef(`distro_debian',`
+
+ /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -15,6 +20,7 @@ ifdef(`distro_debian',`
+ /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+@@ -26,6 +32,7 @@ ifdef(`distro_debian',`
+ /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+ /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -41,6 +48,7 @@ ifdef(`distro_debian',`
+ /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+ /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch
new file mode 100644
index 0000000..b1a85b4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch
@@ -0,0 +1,27 @@
+From dca38e304bb64a5c3a18d02521f56ffe461ec126 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 16:07:30 +0800
+Subject: [PATCH] fc/getty: add file context to start_getty
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea6421..53ff6137b 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
+
+ /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
deleted file mode 100644
index a92b809..0000000
--- a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From fdf7c2d27b6ecf08c88bb98e52a7d8284ac828af Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 11:25:34 +0800
-Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/usermanage.fc | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 7209a8dd0..c9dc1f000 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -4,8 +4,13 @@ ifdef(`distro_debian',`
-
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
-@@ -15,6 +20,7 @@ ifdef(`distro_debian',`
- /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -26,6 +32,7 @@ ifdef(`distro_debian',`
- /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
-
- /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
-@@ -41,6 +48,7 @@ ifdef(`distro_debian',`
- /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
- /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
deleted file mode 100644
index f6fa8a0..0000000
--- a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 863ece4fd9815997486c04ce89180707435669e4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 16:07:30 +0800
-Subject: [PATCH] fc/getty: add file context to start_getty
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/getty.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index 116ea6421..53ff6137b 100644
---- a/policy/modules/system/getty.fc
-+++ b/policy/modules/system/getty.fc
-@@ -4,6 +4,7 @@
- /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
-
- /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-+/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
-
- /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch
new file mode 100644
index 0000000..de97331
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch
@@ -0,0 +1,25 @@
+From ae142b7d993a7f03b6ff1cf4f7a49c3aec77fe1c Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Wed, 18 Dec 2019 15:04:41 +0800
+Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/apps/vlock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
+index f668cde9c..c4bc50984 100644
+--- a/policy/modules/apps/vlock.fc
++++ b/policy/modules/apps/vlock.fc
+@@ -1,4 +1,5 @@
+ /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
++/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+
+ /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..c47984d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@
+From 1096b2eb1172506006691e90769e51a086b8374f Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 30 Jun 2020 10:45:57 +0800
+Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/cron.fc | 1 +
+ policy/modules/services/rngd.fc | 1 +
+ policy/modules/services/rpc.fc | 2 ++
+ policy/modules/system/logging.fc | 1 +
+ 4 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 827363d88..e8412396d 100644
+--- a/policy/modules/services/cron.fc
++++ b/policy/modules/services/cron.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
++++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+ /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 75c2f0617..fa881ba2e 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -1,7 +1,9 @@
+ /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+ /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+ /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 3b0dea51b..0ce2bec4b 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
deleted file mode 100644
index 7f63b14..0000000
--- a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 5bb33b7d9d7915399cca7d8c6fbdd9c0e27c1cd8 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 18 Dec 2019 15:04:41 +0800
-Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/apps/vlock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
-index f668cde9c..c4bc50984 100644
---- a/policy/modules/apps/vlock.fc
-+++ b/policy/modules/apps/vlock.fc
-@@ -1,4 +1,5 @@
- /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
-+/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0)
- /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
-
- /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
deleted file mode 100644
index cfb2fd5..0000000
--- a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 574df1810c8f32bbf24b223f72f6622b0df7e82c Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 30 Jun 2020 10:45:57 +0800
-Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/cron.fc | 1 +
- policy/modules/services/rngd.fc | 1 +
- policy/modules/services/rpc.fc | 2 ++
- policy/modules/system/logging.fc | 1 +
- 4 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 827363d88..e8412396d 100644
---- a/policy/modules/services/cron.fc
-+++ b/policy/modules/services/cron.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
-index 382c067f9..0ecc5acc4 100644
---- a/policy/modules/services/rngd.fc
-+++ b/policy/modules/services/rngd.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-
- /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-
-diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 75c2f0617..fa881ba2e 100644
---- a/policy/modules/services/rpc.fc
-+++ b/policy/modules/services/rpc.fc
-@@ -1,7 +1,9 @@
- /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
-
- /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-
- /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 5681acb51..4ff5f990a 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -24,6 +24,7 @@
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch
new file mode 100644
index 0000000..a527d94
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch
@@ -0,0 +1,30 @@
+From 153bdbda047a3e769983000b4c8263eb4bfd2031 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Sun, 5 Apr 2020 22:03:45 +0800
+Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
+
+The genhomedircon.py will expand /root directory to /home/root.
+Add an aliase for it
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ config/file_contexts.subs_dist | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 690007f22..f80499ebf 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -45,3 +45,7 @@
+ /usr/lib/busybox/bin /usr/bin
+ /usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
++
++# The genhomedircon.py will expand /root home directory to /home/root
++# Add an aliase for it
++/root /home/root
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
deleted file mode 100644
index 82b4708..0000000
--- a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 01f57c996e09fb68daf3d97805c46c27a6d34304 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Sun, 5 Apr 2020 22:03:45 +0800
-Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
-
-The genhomedircon.py will expand /root directory to /home/root.
-Add an aliase for it
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- config/file_contexts.subs_dist | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 690007f22..f80499ebf 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -45,3 +45,7 @@
- /usr/lib/busybox/bin /usr/bin
- /usr/lib/busybox/sbin /usr/sbin
- /usr/lib/busybox/usr /usr
-+
-+# The genhomedircon.py will expand /root home directory to /home/root
-+# Add an aliase for it
-+/root /home/root
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
new file mode 100644
index 0000000..5c4e023
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -0,0 +1,91 @@
+From f08f3c554d70c9cd11f0297678bb4a29b8ab034b Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0ce2bec4b..8957366b0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log -l gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 49028a0cb..4381d2e83 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -1091,10 +1091,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, logfile, logfile)
+ ')
+
+@@ -1175,6 +1177,7 @@ interface(`logging_manage_generic_log_dirs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir manage_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1195,6 +1198,7 @@ interface(`logging_relabel_generic_log_dirs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir relabel_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1215,6 +1219,7 @@ interface(`logging_read_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -1316,6 +1321,7 @@ interface(`logging_manage_generic_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1334,6 +1340,7 @@ interface(`logging_watch_generic_logs_dir',`
+ ')
+
+ allow $1 var_log_t:dir watch;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+--
+2.25.1
+
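Review bot: The refreshed 0028 patch silently drops the `logging_exec_all_logs` hunk that the previous version carried (the deleted 0029 file further down still shows `interface(`logging_exec_all_logs',` gaining `type var_log_t;`), so the six sibling interfaces in this file get `allow $1 var_log_t:lnk_file read_lnk_file_perms;` while that one no longer does, and the only visible trace is the logging.if diffstat going from 9 to 7 insertions. If the main-branch interface changed so the rule is now unnecessary, that belongs in the patch description, e.g. `The logging_exec_all_logs hunk was dropped because <reason, to be filled in>`; if it was lost in the rebase, the hunk should be restored, since the stated rationale ("/var/log is a symlink in poky") applies to exec access just as it does to read. Either way the top-level "Refresh patches" line does not tell a reader that policy coverage changed rather than just hashes and line numbers.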
diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch
new file mode 100644
index 0000000..2889ee8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -0,0 +1,34 @@
+From a40442cbc570b9b028ebc1da0115bc368e165c29 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 10:33:18 -0400
+Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
+ of /var/log
+
+We have added rules for the symlink of /var/log in logging.if, while
+syslogd_t uses /var/log but does not use the interfaces in logging.if. So
+still need add a individual rule for syslogd_t.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 9d9a01fcc..45584dba6 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -425,6 +425,7 @@ files_search_spool(syslogd_t)
+
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ # for systemd but can not be conditional
+ files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
deleted file mode 100644
index 06b792a..0000000
--- a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 2e9b42143ccb92f04d8d57430b3ae1e9f55eb00e Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
- /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw... in /var/log/ directory.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 9 +++++++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 4ff5f990a..dee26a9f4 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index cf7ef1721..b627cacb8 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',`
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
-@@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',`
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
-@@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir manage_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir relabel_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
-@@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',`
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',`
- ')
-
- allow $1 var_log_t:dir watch;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch
new file mode 100644
index 0000000..ee329b1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -0,0 +1,102 @@
+From b4110d4f30f6dc82c810ceaf24911b1fadb0e7c4 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
+ /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 9a6f9d2d4..0f511c830 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -171,6 +171,7 @@ HOME_ROOT/lost\+found/.* <>
+ # /tmp
+ #
+ /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp -l gen_context(system_u:object_r:tmp_t,s0)
+ /tmp/.* <>
+ /tmp/\.journal <>
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 9e4344d24..14b34a467 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4780,6 +4780,7 @@ interface(`files_search_tmp',`
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4816,6 +4817,7 @@ interface(`files_list_tmp',`
+ ')
+
+ allow $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4852,6 +4854,7 @@ interface(`files_delete_tmp_dir_entry',`
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4870,6 +4873,7 @@ interface(`files_read_generic_tmp_files',`
+ ')
+
+ read_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4888,6 +4892,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ ')
+
+ manage_dirs_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4924,6 +4929,7 @@ interface(`files_manage_generic_tmp_files',`
+ ')
+
+ manage_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4960,6 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ ')
+
+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -5167,6 +5174,7 @@ interface(`files_tmp_filetrans',`
+ ')
+
+ filetrans_pattern($1, tmp_t, $2, $3, $4)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
deleted file mode 100644
index ecfc018..0000000
--- a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 26dc5529db7664ae248eba4dbc5d17915c371137 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 29 Mar 2019 10:33:18 -0400
-Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
- of /var/log
-
-We have added rules for the symlink of /var/log in logging.if, while
-syslogd_t uses /var/log but does not use the interfaces in logging.if. So
-still need add a individual rule for syslogd_t.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index abd61e6bd..90d8ccd31 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -420,6 +420,7 @@ files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-
- # for systemd but can not be conditional
- files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
deleted file mode 100644
index 48e8acf..0000000
--- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 9052089dfc4f7466fcf304ab282c2e32933a5881 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
- /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/files.fc | 1 +
- policy/modules/kernel/files.if | 8 ++++++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index f6ff6b079..279df3d3c 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -170,6 +170,7 @@ HOME_ROOT/lost\+found/.* <>
- # /tmp
- #
- /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp -l gen_context(system_u:object_r:tmp_t,s0)
- /tmp/.* <>
- /tmp/\.journal <>
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f7217b226..451f302af 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4750,6 +4750,7 @@ interface(`files_search_tmp',`
- ')
-
- allow $1 tmp_t:dir search_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4786,6 +4787,7 @@ interface(`files_list_tmp',`
- ')
-
- allow $1 tmp_t:dir list_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4822,6 +4824,7 @@ interface(`files_delete_tmp_dir_entry',`
- ')
-
- allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4840,6 +4843,7 @@ interface(`files_read_generic_tmp_files',`
- ')
-
- read_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4858,6 +4862,7 @@ interface(`files_manage_generic_tmp_dirs',`
- ')
-
- manage_dirs_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4894,6 +4899,7 @@ interface(`files_manage_generic_tmp_files',`
- ')
-
- manage_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4930,6 +4936,7 @@ interface(`files_rw_generic_tmp_sockets',`
- ')
-
- rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -5137,6 +5144,7 @@ interface(`files_tmp_filetrans',`
- ')
-
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
new file mode 100644
index 0000000..ae6e5cf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -0,0 +1,41 @@
+From bd4f7608f50da4a829d9042311163922776146ca Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
+
+Fixes:
+avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
+ino=12552 scontext=system_u:system_r:auditd_t
+tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 45584dba6..8bc70b81d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ allow auditd_t var_log_t:dir search_dir_perms;
+
+ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+@@ -306,6 +307,7 @@ optional_policy(`
+ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
new file mode 100644
index 0000000..9648dfd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -0,0 +1,38 @@
+From a23028f17d5e56e20ed3930b3075ba2d1c211b16 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
+ term_dontaudit_use_console
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/terminal.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index e5645c7c5..6e9f654ac 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -335,9 +335,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
deleted file mode 100644
index 22ce8f2..0000000
--- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From eed095029b270bbc49dc67d6b7b6b2fe9c3bca07 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
-
-Fixes:
-avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
-ino=12552 scontext=system_u:system_r:auditd_t
-tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Yi Zhao
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 90d8ccd31..d3b06db7d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map;
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- allow auditd_t var_log_t:dir search_dir_perms;
-
- manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -298,6 +299,7 @@ optional_policy(`
- allow audisp_remote_t self:capability { setpcap setuid };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
deleted file mode 100644
index f62db74..0000000
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 3f24b88886fcd1a17248d8d674a02d01061d937a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
- term_dontaudit_use_console
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/terminal.if | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e5645c7c5..6e9f654ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -335,9 +335,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- gen_require(`
- type console_device_t;
-+ type tty_device_t;
- ')
-
-+ init_dontaudit_use_fds($1)
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
-
- ########################################
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
new file mode 100644
index 0000000..e7b993e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -0,0 +1,34 @@
+From 288c0c4b20a80846691d113a1759325b214d64f9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Wed, 1 Jul 2020 08:44:07 +0800
+Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
+ directory with label rpcbind_runtime_t
+
+Fixes:
+avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
+scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/rpcbind.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 137c21ece..2a712192b 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
+ # Local policy
+ #
+
+-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit rpcbind_t self:capability net_admin;
+ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
deleted file mode 100644
index 0b00f5a..0000000
--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9c84425bbcaef5913fb6e309b8811639134714ed Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 1 Jul 2020 08:44:07 +0800
-Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
- directory with label rpcbind_runtime_t
-
-Fixes:
-avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
-scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rpcbind.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 137c21ece..2a712192b 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
- # Local policy
- #
-
--allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
- # net_admin is for SO_SNDBUFFORCE
- dontaudit rpcbind_t self:capability net_admin;
- allow rpcbind_t self:fifo_file rw_fifo_file_perms;
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
new file mode 100644
index 0000000..e54d69e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -0,0 +1,46 @@
+From 48da8a2589b1d5bce2609fd307ca009605d801c3 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: enable support for
+ systemd-tmpfiles to manage all non-security files
+
+Fixes:
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission denied
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/var/lib/systemd/ephemeral-trees": Permission denied
+
+AVC avc: denied { relabelfrom } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { write } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { create } for pid=226 comm="systemd-tmpfile"
+name="ephemeral-trees" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/systemd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b6d575f87..70a45ac58 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ##
+ ##
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ##
+ ##
+--
+2.25.1
+
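Review bot: The only remaining change in the reworked 0034 patch is flipping the compiled-in default of `gen_tunable(systemd_tmpfiles_manage_all, ...)` from `false` to `true`, which enables the broad "manage all non-security files" grant for `systemd_tmpfiles_t` in every build of this layer rather than as a per-image choice. If the build can set tunable defaults through refpolicy's booleans configuration instead of patching `systemd.te`, that would keep the policy source aligned with upstream and make the widened grant an explicit configuration decision; at minimum the patch description should state that this is a deliberate default change rather than a fix for the three AVCs quoted, since the tunable already exists upstream. The new version does drop the unconditional `files_manage_non_auth_files`/`files_relabel_non_auth_files` rules the old 0035 carried, which is a narrower result and worth calling out in the description.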
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
new file mode 100644
index 0000000..05a0887
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
@@ -0,0 +1,43 @@
+From 1f7fb5de202cb30c45b4051b0bce6e9b1aa53ea8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Sat, 30 Sep 2023 17:20:29 +0800
+Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to
+ create /var/log/audit
+
+Fixes:
+systemd[1]: Starting Security Auditing Service...
+auditd[246]: Could not open dir /var/log/audit (No such file or directory)
+auditd[246]: The audit daemon is exiting.
+systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
+systemd[1]: auditd.service: Failed with result 'exit-code'.
+systemd[1]: Failed to start Security Auditing Service.
+
+AVC avc: denied { create } for pid=224 comm="systemd-tmpfile"
+name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8bc70b81d..3cab14381 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -27,6 +27,10 @@ type auditd_log_t;
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
++optional_policy(`
++ systemd_tmpfilesd_managed(auditd_log_t)
++')
++
+ type audit_spool_t;
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+--
+2.25.1
+
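Review bot: The added `systemd_tmpfilesd_managed(auditd_log_t)` block hands a non-audit domain rights over a type that is declared `files_security_file(auditd_log_t)` two lines above it, which is exactly the class of objects the `systemd_tmpfiles_manage_all` tunable's "non-security files" wording leaves out, so the scope of this grant deserves to be spelled out. The AVC quoted in the description shows only `{ create }` on `dir`; what `systemd_tmpfilesd_managed` grants beyond that is not visible here, and if it is more than directory creation and labeling, a narrower rule limited to creating `/var/log/audit` would keep the audit log contents out of tmpfiles' reach. A one-line comment above the block would also help the next reader, e.g. `# systemd-tmpfiles creates /var/log/audit before auditd starts; see the AVC in the commit message.`.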
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
deleted file mode 100644
index 43b2f4d..0000000
--- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 6465e39b6dfe8daa88cab321e3cf44ccc9f1441d Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 4 Feb 2016 06:03:19 -0500
-Subject: [PATCH] policy/modules/system/systemd: enable support for
- systemd-tmpfiles to manage all non-security files
-
-Fixes:
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied
-systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied
-
-avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/"
-dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus"
-dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir
-permissive=0
-
-avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile"
-name="log" dev="vda" ino=14129
-scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
-
-avc: denied { create } for pid=137 comm="systemd-tmpfile"
-name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
-tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index ef25974ac..362248d17 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd)
- ## Enable support for systemd-tmpfiles to manage all non-security files.
- ##
- ##
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
- ##
- ##
-@@ -1640,6 +1640,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
- files_relabelto_home(systemd_tmpfiles_t)
- files_relabelto_etc_dirs(systemd_tmpfiles_t)
- files_setattr_lock_dirs(systemd_tmpfiles_t)
-+
-+files_manage_non_auth_files(systemd_tmpfiles_t)
-+files_relabel_non_auth_files(systemd_tmpfiles_t)
-+
- # for /etc/mtab
- files_manage_etc_symlinks(systemd_tmpfiles_t)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
index 56b6119..8f218ca 100644
--- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -1,4 +1,4 @@
-From 2acb5ddbd04c578a420418e3bcb572bbd2dfbae6 Mon Sep 17 00:00:00 2001
+From 5d53b5ab28038eb7e326ab577e0b5e0799c9500b Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sat, 18 Dec 2021 09:26:43 +0800
Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 362248d17..4a1e06640 100644
+index 70a45ac58..42520f9f8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -920,6 +920,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+@@ -980,6 +980,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
index 78c4dc8..e7406e5 100644
--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
@@ -1,4 +1,4 @@
-From 51a7f8058fee569322c1a0597fccd36c318ad943 Mon Sep 17 00:00:00 2001
+From 11c172fe44a22341b686dc537fde4991b7a49ed5 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Fri, 28 Oct 2022 11:56:09 +0800
Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index bb715a847..088c954f5 100644
+index 936381f25..a6b0c35f3 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -86,6 +86,8 @@ ifdef(`init_systemd',`
+@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
index 85bb82b..6a48b3d 100644
--- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -1,4 +1,4 @@
-From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001
+From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 4 Feb 2021 10:48:54 +0800
Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
@@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao
---
- policy/modules/roles/sysadm.te | 2 ++
- policy/modules/system/systemd.if | 21 ++++++++++++++++++++-
- 2 files changed, 22 insertions(+), 1 deletion(-)
+ policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++
+ policy/modules/system/userdomain.if | 4 ++++
+ 2 files changed, 34 insertions(+)
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 088c954f5..92f50fd5a 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
-
- # Allow sysadm to follow logs in the journal, i.e. with podman logs -f
- systemd_watch_journal_dirs(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
- ')
-
- tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 9dc91fbb7..325ca548b 100644
+index 6054b5038..d89ad35b1 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -58,7 +58,7 @@ template(`systemd_role_template',`
- allow $1_systemd_t self:process { getsched signal };
- allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
- corecmd_shell_domtrans($1_systemd_t, $3)
- corecmd_bin_domtrans($1_systemd_t, $3)
-
-@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
- allow $1 systemd_machined_t:fd use;
- allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+@@ -199,6 +199,36 @@ template(`systemd_role_template',`
+ ')
')
-+
-+#########################################
+
++######################################
+##
-+## sysadm user for systemd --user
++## Admin role for systemd --user
+##
++##
++##
++## Prefix for generated types
++##
++##
+##
+##
-+## Role allowed access.
++## The admin role.
++##
++##
++##
++##
++## The amdin domain for the role.
+##
+##
+#
-+interface(`systemd_sysadm_user',`
++template(`systemd_admin_role_extra',`
+ gen_require(`
-+ type sysadm_systemd_t;
++ type $1_systemd_t;
+ ')
+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++ allow $1_systemd_t $3:process noatsecure;
++ allow $1_systemd_t self:capability { mknod sys_admin };
++ allow $1_systemd_t self:capability2 { bpf perfmon };
+')
++
+ ######################################
+ ##
+ ## Allow the specified domain to be started as a daemon by the
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 24c3cb012..80072c03e 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',`
+ optional_policy(`
+ userhelper_exec($1_t)
+ ')
++
++ optional_policy(`
++ systemd_admin_role_extra($1, $1_r, $1_t)
++ ')
+ ')
+
+ ########################################
--
2.25.1
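Review bot: `systemd_admin_role_extra` is called from `userdom_admin_user_template` as `systemd_admin_role_extra($1, $1_r, $1_t)`, so `mknod sys_admin` and `bpf perfmon` (plus `noatsecure` on the user domain) are now granted to the `systemd --user` domain of every admin role built from that template, where the dropped `systemd_sysadm_user` interface granted them to `sysadm_systemd_t` alone; if that broadening is intended, the template's header comment should state it, since `sys_admin` on a per-user systemd instance is a large grant that defeats most of the confinement the `$1_systemd_t` domain provides. The second parameter (the role) is documented but never referenced in the body, so either use it or drop it from the doc to avoid implying a role-based restriction that is not there. The doc line `## The amdin domain for the role.` has a typo, `admin`. A one-line why-comment per rule would make the next rebase safer, e.g. `# sys_admin/mknod/bpf/perfmon: required by <unit or feature from the patch description — confirm>`; the description that motivates these rules sits above this hunk, outside it.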
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
index c3b4b55..d3f035e 100644
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -1,4 +1,4 @@
-From ccdd22cc2776b695f96faffc88699aa2b182e085 Mon Sep 17 00:00:00 2001
+From 15e29022299d44fbb172560b448c531b9714616b Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Sat, 15 Feb 2014 04:22:47 -0500
Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index d028723ce..97f49e58e 100644
+index e08df77a5..30b26841f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+@@ -113,6 +113,7 @@ fs_dontaudit_write_all_image_files(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
index d711612..46d4851 100644
--- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -1,4 +1,4 @@
-From 64498d6cd30a0a65a24e3e7ab22cca5921c2db89 Mon Sep 17 00:00:00 2001
+From 183070b02b5ca9aeb8fd58c8c737b5f9589e9a12 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Mon, 28 Jan 2019 14:05:18 +0800
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
@@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 92f50fd5a..8c154d474 100644
+index a6b0c35f3..68f7ab381 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t)
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
index d22dacf..9c602fe 100644
--- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -1,4 +1,4 @@
-From e82c43e60ef52ba00e8f2af5b46b2a6d49331209 Mon Sep 17 00:00:00 2001
+From 3b93adc08461ebea92d018bf7704386426f129d3 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao
2 files changed, 7 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5124ae016..a40db8507 100644
+index e449160d8..9ef5e0b6f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -368,6 +368,8 @@ mls_process_read_all_levels(kernel_t)
+@@ -373,6 +373,8 @@ mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
index 30c84f6..9598a41 100644
--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -1,4 +1,4 @@
-From 9343914c0486b5aa6ff7cceeb8f6c399115e5fb3 Mon Sep 17 00:00:00 2001
+From 7b5cac323ea0638fcd5d35658f49c644f32d3442 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 30 Jun 2020 10:18:20 +0800
Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 932047a..fec9532 100644
--- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 057e4e6a6e2e87edcd6a93dd533620700b00b1c2 Mon Sep 17 00:00:00 2001
+From fd0d3887275237c1f1968d20972b535b9fdc9954 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Fri, 13 Oct 2017 07:20:40 +0000
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index a40db8507..40cd52825 100644
+index 9ef5e0b6f..8082cf6b7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -370,6 +370,8 @@ mls_file_write_all_levels(kernel_t)
+@@ -375,6 +375,8 @@ mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
mls_socket_write_all_levels(kernel_t)
mls_fd_use_all_levels(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index 9e52b7f..5457079 100644
--- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From c47e288e8950e7e92e3c90972ca7ef8ef9fc6a7f Mon Sep 17 00:00:00 2001
+From f2fcbcde9dc16985f1ffa43329fb47d36d132bd3 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Fri, 15 Jan 2016 03:47:05 -0500
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 97a75cf86..fee846cb5 100644
+index d19734d6f..8b9b8aa9a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -229,6 +229,10 @@ mls_process_write_all_levels(init_t)
+@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
index 1bfbb16..c61b403 100644
--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -1,4 +1,4 @@
-From afd35f6c73551c674e5bfe7cc1832b6a0ea717a6 Mon Sep 17 00:00:00 2001
+From ff749bb5ba3786283c348bb2db160794ba74e20c Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 4a1e06640..b44b9b2d7 100644
+index 42520f9f8..7a2041956 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -1694,6 +1694,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+@@ -1813,6 +1813,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
index 800439c..da588ed 100644
--- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -1,4 +1,4 @@
-From 8aa70c13d63e093bff87ea938d35dcc76e5bdd56 Mon Sep 17 00:00:00 2001
+From a1d15d213fee3e40129968dbd9928d5012d541f7 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 18 Jun 2020 09:59:58 +0800
Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao
1 file changed, 12 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index b44b9b2d7..7b717d3ba 100644
+index 7a2041956..52c7b5346 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -373,6 +373,9 @@ files_search_var_lib(systemd_backlight_t)
+@@ -383,6 +383,9 @@ files_search_var_lib(systemd_backlight_t)
fs_getattr_all_fs(systemd_backlight_t)
fs_search_cgroup_dirs(systemd_backlight_t)
@@ -56,7 +56,7 @@ index b44b9b2d7..7b717d3ba 100644
#######################################
#
# Binfmt local policy
-@@ -528,6 +531,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+@@ -545,6 +548,9 @@ term_use_unallocated_ttys(systemd_generator_t)
udev_read_runtime_files(systemd_generator_t)
@@ -66,7 +66,7 @@ index b44b9b2d7..7b717d3ba 100644
ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
')
-@@ -922,6 +928,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+@@ -982,6 +988,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
domain_read_all_domains_state(systemd_logind_t)
@@ -76,7 +76,7 @@ index b44b9b2d7..7b717d3ba 100644
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
-@@ -1412,6 +1421,9 @@ udev_read_runtime_files(systemd_rfkill_t)
+@@ -1527,6 +1536,9 @@ udev_read_runtime_files(systemd_rfkill_t)
systemd_log_parse_environment(systemd_rfkill_t)
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
index cb3894c..451e6bc 100644
--- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -1,4 +1,4 @@
-From 2afa5753f2ef8c7cee5ad0511c521d252bedf3e5 Mon Sep 17 00:00:00 2001
+From 8c45c5d48f7125ce47252c6ea36ed771c9baaf4d Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d3b06db7d..f63965d4d 100644
+index 3cab14381..caf319f04 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -505,6 +505,9 @@ fs_getattr_all_fs(syslogd_t)
+@@ -491,6 +491,9 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index 16f0e4e..ebeee4f 100644
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From f87bb3cb0843af69f9aecaef0a4052e04b15a630 Mon Sep 17 00:00:00 2001
+From 6867f764b99e48cfa6557e664c9ee8ae8947eb08 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 28 May 2019 16:41:37 +0800
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index fee846cb5..df7f87f17 100644
+index 8b9b8aa9a..bd2ca0802 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -228,6 +228,7 @@ mls_file_write_all_levels(init_t)
+@@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
index fb56eca..3c418dd 100644
--- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -1,4 +1,4 @@
-From f3c0f18b647631fd2ffc1e86c9e3f51cbf74d60f Mon Sep 17 00:00:00 2001
+From ad9b0e1542804060ac3cea69129c224074da6766 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Wed, 3 Feb 2016 04:16:06 -0500
Subject: [PATCH] policy/modules/system/init: all init_t to read any level
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index df7f87f17..671b5aef3 100644
+index bd2ca0802..e94a29a73 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -234,6 +234,9 @@ mls_key_write_all_levels(init_t)
+@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t)
mls_file_downgrade(init_t)
mls_file_upgrade(init_t)
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
index aa02eb1..3931641 100644
--- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -1,4 +1,4 @@
-From cb7a4ff6081f19d05b109512275ec9a537f2f6d2 Mon Sep 17 00:00:00 2001
+From 315a53e50dd8957787e3a71c57ffc8ac46d0c474 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Thu, 25 Feb 2016 04:25:08 -0500
Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index f63965d4d..7e41596f4 100644
+index caf319f04..25e1d1397 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -223,6 +223,8 @@ miscfiles_read_localization(auditd_t)
+@@ -235,6 +235,8 @@ miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 16bdf84..9c38e7d 100644
--- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 023e7b92a805103c54aec06bbd9465e4fbf7a6f2 Mon Sep 17 00:00:00 2001
+From 1c275b335fd047c678b449bf90a75a7ac48c2b38 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 31 Oct 2019 17:35:59 +0800
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 40cd52825..d08610543 100644
+index 8082cf6b7..63c2087f7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -372,6 +372,7 @@ mls_socket_write_all_levels(kernel_t)
+@@ -377,6 +377,7 @@ mls_socket_write_all_levels(kernel_t)
mls_fd_use_all_levels(kernel_t)
# https://bugzilla.redhat.com/show_bug.cgi?id=667370
mls_file_downgrade(kernel_t)
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
index b916084..a0a726d 100644
--- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -1,4 +1,4 @@
-From 55fe90eba640e6d52bb269176f45a3a5e2c3ed80 Mon Sep 17 00:00:00 2001
+From 95f5c28ce9ed0a6d955afa758988ef8542644a64 Mon Sep 17 00:00:00 2001
From: Roy Li
Date: Sat, 22 Feb 2014 13:35:38 +0800
Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
index c4dc87b..d1c0775 100644
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -1,4 +1,4 @@
-From c9afe0dc30f51f7ad7b93b8878c88df1146272a0 Mon Sep 17 00:00:00 2001
+From 7af0a6b367cb21943d111c9f6386e40efdc02907 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 22 Feb 2021 11:28:12 +0800
Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
@@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 325ca548b..b23b9bb0a 100644
+index d89ad35b1..00ac2f27e 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -196,6 +196,9 @@ template(`systemd_role_template',`
+@@ -197,6 +197,9 @@ template(`systemd_role_template',`
xdg_read_config_files($1_systemd_t)
xdg_read_data_files($1_systemd_t)
')
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
index ab87039..3be7027 100644
--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -1,4 +1,4 @@
-From 7a65c9f3636b43f3a29349ea1c045d5281efa5aa Mon Sep 17 00:00:00 2001
+From 1536eaea2cc68074f55ca50eff2d129b7e1894d8 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sat, 18 Dec 2021 17:31:45 +0800
Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
@@ -31,10 +31,10 @@ Signed-off-by: Yi Zhao
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 7e41596f4..0c25457d6 100644
+index 25e1d1397..ba0fd10e0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -447,6 +447,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map;
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index a51312f..e9b0b1a 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -26,31 +26,31 @@ SRC_URI += " \
file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
- file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
- file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
- file://0013-fc-su-apply-policy-to-su-alternatives.patch \
- file://0014-fc-fstools-fix-real-path-for-fstools.patch \
- file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \
- file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \
- file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
- file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
- file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
- file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
- file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \
- file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
- file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \
- file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
- file://0025-fc-getty-add-file-context-to-start_getty.patch \
- file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \
- file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
- file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \
- file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \
- file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \
- file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
- file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
- file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
- file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0012-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0013-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \
+ file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+ file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+ file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+ file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+ file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+ file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+ file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+ file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \
+ file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+ file://0024-fc-getty-add-file-context-to-start_getty.patch \
+ file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+ file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+ file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+ file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \
+ file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+ file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+ file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+ file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index af3413b..1913ec8 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20221101+git${SRCPV}"
+PV = "2.20231002+git${SRCPV}"
-SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac"
+SRCREV_refpolicy ?= "f3865abfc25a395c877a27074bd03c5fc22992dd"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"
--