From 1e57d96d3af1912998acd2936667ca89bee29990 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade
Date: Wed, 19 Nov 2014 13:43:06 +0530
Subject: V2 refpolicy:20140311 update for systemd

Systemd init type and related allow rules updated for refpolicy.

Signed-off-by: Shrikant Bobade
Signed-off-by: Joe MacDonald
---
 .../refpolicy-update-for_systemd.patch | 46 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20140311.inc | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..80b420c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+
+It provides the systemd support for refpolicy
+and related allow rules.
+The restorecon provides systemd init labeled
+as init_exec_t.
+
+Upstream-Status: Pending
+
+
+Signed-off-by: Shrikant Bobade
+
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+ /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
++# systemd support
++/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+ 
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..557b4ab 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
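Review bot: The three rules appended to init.te in the last nested hunk are unconditional raw `allow` statements whose subject types (kernel_t, devpts_t) and object type (device_t) are owned by other modules; refpolicy convention is to reach those through the owning module's interfaces and, where this policy tree has a systemd build conditional, to guard them with it rather than granting them for every init system built from the tree. The `kernel_t init_t:process dyntransition` grant in particular needs a why-comment, e.g. `# systemd switches its own context from kernel_t to init_t after it loads policy` — presumably that is the trigger, but neither the patch header nor the rule says so. In the shutdown.fc hunk, labeling `/bin/systemctl` as shutdown_exec_t sends every systemctl invocation (service start/stop/enable, not only poweroff/reboot) through a domain transition into shutdown_t for any caller that has one; if that is intended, a comment saying so on the `# systemd support` line would help, otherwise a systemd-specific executable type is the tighter fit. Path coverage is also narrow — only `/lib/systemd/systemd` and `/bin/systemctl` are labeled, so a merged-/usr layout would likely need the /usr-prefixed paths as well.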
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ + file://refpolicy-update-for_systemd.patch \ " # Specific policy for Poky -- cgit v1.2.3-54-g00ecf