
Where to define udev to load kernel modules in boot?

JH
 

Hi,

I built an OE/Yocto IoT device that includes the kernel modules usb_wwan,
usbserial, mwifiex_sdio, mwifiex etc. There is one udev rules file, from
meta-freescale/recipes-core/udev/udev-rules-imx/10-imx.rules:

# ls /etc/udev/rules.d
10-imx.rules touchscreen.rules

My device does not have a touchscreen, so touchscreen.rules should
not be there. The 10-imx.rules does not mention any of the kernel modules
usb_wwan, usbserial, mwifiex_sdio, mwifiex, and the device does not have
video or any input:

# cat /etc/udev/rules.d/10-imx.rules
KERNEL=="mc13783_connectiv*", NAME="mc13783_connectivity"
# Anyone has readonly permission to IIM device file
KERNEL=="mxc_iim", MODE="0444", SYMLINK+="mxc_mem"
KERNEL=="mxs_viim", MODE="0444", SYMLINK+="mxc_mem"
KERNEL=="mxc_ipu", MODE="0666"
KERNEL=="mxc_vpu", MODE="0666"
SUBSYSTEM=="video", MODE="0660"
KERNEL=="fb[0-9]", MODE="0660", GROUP="video"
KERNEL=="gsl_kmod", MODE="0660", GROUP="video"
KERNEL=="galcore", MODE="0660", GROUP="video"

How can I define udev rules in recipes to make the system load the kernel
modules usb_wwan, usbserial, mwifiex_sdio, mwifiex at boot?

Thank you.

Kind regards,

- jh


Re: [meta-raspberrypi][PATCH] xserver-xorg: remove xshmfence configure option

Yu, Mingli
 

On 12/9/21 1:37 PM, Khem Raj wrote:
On Wed, Dec 8, 2021 at 7:03 PM Yu, Mingli <mingli.yu@...> wrote:
From: Mingli Yu <mingli.yu@...>
After commit [1] was introduced in the openembedded-core layer,
some configure options aren't carried over, including the xshmfence
option, so remove the xshmfence configure option to silence
the warning below.
  WARNING: xserver-xorg-2_21.1.1-r0 do_configure: QA Issue:
xserver-xorg: invalid PACKAGECONFIG: xshmfence [invalid-packageconfig]
That's ok to remove it, but more importantly, does it work now without this option?
First, we should keep consistent with the change in openembedded-core (https://git.openembedded.org/openembedded-core/commit/?id=e05abd87ee5d23750c641d0129d9c83db68ee2e8), and also we have not found any issue related to this option so far.

Thanks,

[1]
https://git.openembedded.org/openembedded-core/commit/?id=e05abd87ee5d23750c641d0129d9c83db68ee2e8
Signed-off-by: Mingli Yu <mingli.yu@...>
---
 recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
b/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
index 25829c2..ee4812f 100644
--- a/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
+++ b/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
@@ -1,4 +1,4 @@
-OPENGL_PKGCONFIGS:rpi = "dri glx
${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', 'dri3
xshmfence glamor', '', d)}"
+OPENGL_PKGCONFIGS:rpi = "dri glx
${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', 'dri3
glamor', '', d)}"
 # when using userland graphic KHR/khrplatform.h is provided by
userland but virtual/libgl is provided by mesa-gl where
 # we explicitly delete KHR/khrplatform.h since its already coming
from userland package
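Review bot: the hunk drops xshmfence from the vc4graphics branch of OPENGL_PKGCONFIGS:rpi, but the commit message only says the key is no longer "carried over" and the QA warning it quotes only reports an unknown PACKAGECONFIG name, neither of which tells the reader whether xshmfence support is still built for dri3/glamor after oe-core commit e05abd87. Please state in the message (ideally with a test result) whether the resulting xserver still has xshmfence enabled; that is the question raised in the thread and it should be answered by the patch itself.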
--
2.17.1


Docker exec/attach not working on overlayed root

Beek, Léon van de
 

Hi Bruce,

 

To be honest, I am not quite sure where to ask this, as it is a very specific scenario, so feel free to forward me and my question to someone/somewhere else.

 

Situation:

  • Yocto Hardknott running meta-virtualization, meta-raspberrypi with Docker installed: Docker works fine and is tested. Docker exec and attach work too.
  • Now changed the rootfs to be squashfs, and an overlay of root + a RW ext4 partition is changed to be / at boot. This script is based on: https://github.com/cmhe/meta-readonly-rootfs-overlay
  • Docker’s overlay2 file driver does not work on top of an overlay: https://docs.docker.com/storage/storagedriver/select-storage-driver/
  • Solution: create /etc/docker/daemon.json with the line in it: "data-root"="/docker-data". Note: /docker-data is a separate EXT4 partition on the SD card.
  • Restart machine/dockerd. The result is that we see the /docker-data is now full of docker files and the containers and overlay2 folders are there. Docker info shows: Storage driver: overlay2
    Containers run fine. Hello-world example runs. Alpine runs, and when starting Alpine with -it arguments I can mess around in shell all I want, everything works.
  • Problem: Whenever I create a container, for example: docker run -d -t --name=test alpine, and later try to exec into it using "docker exec test echo hello" I get this result:
    Error running exec: OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: read init-p: connection reset by peer: unknown
  • I restarted dockerd with --log-level=debug and noticed that it says: attach: stderr: begin, stream copy error: reading from a closed fifo. (Same for stdout)

 

I removed the overlaying again and can confirm that exec and attach also worked before adding this, but on Google I can not find a single thing that closely relates to the issue I am facing.

 

Hope any of you might be able to help me out here, I feel truly stuck on this.

 

Kind regards,

Léon van de Beek


Re: Bitbake: checksums handling for local directories

Shmuel Hazan
 

On Wed, 2021-12-22 at 18:10 +0000, Richard Purdie wrote:
On Wed, 2021-12-22 at 17:54 +0000, Shmuel Hazan wrote:
I noticed a strange behavior of bitbake, and I am not sure whether it is a bug:

Let's say that I have a simple recipe that takes the directory `THISDIR/files/A` and installs all the files inside of it:

...
SRC_URI = "file://A/"
S = "${WORKDIR}/A"
do_install() {
    install -m 644 ${S}/* ${D}
}
...

Let's say that I have one file called "my_file" inside of that directory.

It will work great, and I will get a package with "/myfile" -- until I rename a file to "/myfile1" in the directory. Since the file content stayed the same, do_fetch won't be triggered and as a result, the package will stay the same and have "/myfile".

The only proper way to work around it was to mark this recipe's do_fetch as nostamp:

do_fetch[nostamp] = "1"

I am currently working with bitbake 1.46.0.

Questions:
1. Is this a known issue?
2. I could not find any reference to a similar issue / a recent change that could have caused the issue; am I doing something wrong here?
I'm pretty sure we fixed bugs like that in more recent versions.
Thanks! 

For a reference, b4975d2ecf615ac4c240808fbc5a3f879a93846b
(fetch2/checksum/siggen: Fix taskhashes not tracking file directories)
from ~2 months ago seems to solve that issue.

I see that the checksum code was not changed for a long time, is there
a chance that someone would accept a backport of this commit to
Dunfell/1.46?

Cheers,

Richard


Re: Bitbake: checksums handling for local directories

Richard Purdie
 

On Wed, 2021-12-22 at 17:54 +0000, Shmuel Hazan wrote:
I noticed a strange behavior of bitbake, and I am not sure whether it is a bug:

Let's say that I have a simple recipe that takes the directory `THISDIR/files/A` and installs all the files inside of it:

...
SRC_URI = "file://A/"
S = "${WORKDIR}/A"
do_install() {
    install -m 644 ${S}/* ${D}
}
...

Let's say that I have one file called "my_file" inside of that directory.

It will work great, and I will get a package with "/myfile" -- until I rename a file to "/myfile1" in the directory. Since the file content stayed the same, do_fetch won't be triggered and as a result, the package will stay the same and have "/myfile".

The only proper way to work around it was to mark this recipe's do_fetch as nostamp:

do_fetch[nostamp] = "1"

I am currently working with bitbake 1.46.0.

Questions:
1. Is this a known issue?
2. I could not find any reference to a similar issue / a recent change that could have caused the issue; am I doing something wrong here?
I'm pretty sure we fixed bugs like that in more recent versions.

Cheers,

Richard


Bitbake: checksums handling for local directories

Shmuel Hazan
 

Hi everyone,

I noticed a strange behavior of bitbake, and I am not sure whether it is a bug:

Let's say that I have a simple recipe that takes the directory `THISDIR/files/A` and installs all the files inside of it:

...
SRC_URI = "file://A/"
S = "${WORKDIR}/A"
do_install() {
    install -m 644 ${S}/* ${D}
}
...

Let's say that I have one file called "my_file" inside of that directory.

It will work great, and I will get a package with "/myfile" -- until I rename a file to "/myfile1" in the directory. Since the file content stayed the same, do_fetch won't be triggered and as a result, the package will stay the same and have "/myfile".

The only proper way to work around it was to mark this recipe's do_fetch as nostamp:

do_fetch[nostamp] = "1"

I am currently working with bitbake 1.46.0.

Questions:
1. Is this a known issue?
2. I could not find any reference to a similar issue / a recent change that could have caused the issue; am I doing something wrong here?

Thanks,
Shmuel.
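As an added illustration of the failure mode discussed in this thread (example code written for this page, not bitbake's actual fetch2/checksum implementation; the function names are hypothetical), a directory checksum built from file contents alone is unchanged when my_file is renamed to my_file1, while one that also hashes each file's relative path changes and would retrigger the task:

```python
"""Model of why a content-only directory checksum misses a rename.

Constructed example for this page; not bitbake's code. Two hypothetical
checksum strategies are compared on the recipe layout from the thread
(a directory A/ holding a single file), before and after a rename.
"""
import hashlib
import os
import tempfile


def _walk_sorted(root):
    """Yield every regular file under root in a deterministic order,
    as (relative_path, absolute_path) pairs."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort fixes the traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def checksum_contents_only(root):
    """Hash only the bytes of each file, ignoring its name.

    This is the behaviour the thread describes: renaming a file leaves
    the digest unchanged, so do_fetch is not re-run.
    """
    h = hashlib.sha256()
    for _rel, full in _walk_sorted(root):
        with open(full, "rb") as f:
            h.update(f.read())
    return h.hexdigest()


def checksum_with_paths(root):
    """Hash each file's relative path together with its contents.

    Path and content are separated by NUL bytes so that moving bytes
    between the name and the data cannot produce the same digest.
    """
    h = hashlib.sha256()
    for rel, full in _walk_sorted(root):
        h.update(rel.encode("utf-8") + b"\0")
        with open(full, "rb") as f:
            h.update(f.read())
        h.update(b"\0")
    return h.hexdigest()


def demo_rename():
    """Recreate the scenario from the thread in a temporary directory.

    Returns a pair of booleans: whether the content-only checksum changed
    after the rename, and whether the path-aware checksum changed.
    Expected result: (False, True).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "A")          # stands in for THISDIR/files/A
        os.mkdir(src)
        with open(os.path.join(src, "my_file"), "w") as f:
            f.write("hello\n")                # constructed sample content

        before_contents = checksum_contents_only(src)
        before_paths = checksum_with_paths(src)

        # The rename from the thread: same bytes, different name.
        os.rename(os.path.join(src, "my_file"),
                  os.path.join(src, "my_file1"))

        after_contents = checksum_contents_only(src)
        after_paths = checksum_with_paths(src)

        return (before_contents != after_contents,
                before_paths != after_paths)


if __name__ == "__main__":
    changed_contents, changed_paths = demo_rename()
    print("content-only checksum noticed the rename:", changed_contents)
    print("path-aware checksum noticed the rename:  ", changed_paths)
```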


docker buildx for yocto #yocto

lavkhush2208@...
 

Hello Guys
I want to build "docker/buildx" from the GitHub source: https://github.com/docker/buildx.git

Procedure which I am following:


1. $  git clone https://github.com/docker/buildx.git && cd buildx
2. $  make install 


After this step I am facing an issue:
 
docker: 'buildx' is not a docker command.
See 'docker --help'
which: no buildx in (/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin)
Makefile:8: *** recipe commences before first target.  Stop.
 

If something is missing, please update me so that I can modify.


T&R
lavkhush


Re: [OE-core] [yocto] [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Steve Sakoman
 

On Tue, Dec 21, 2021 at 5:50 AM Richard Purdie
<richard.purdie@...> wrote:

On Tue, 2021-12-21 at 15:12 +0000, Jose Quaresma wrote:


Richard Purdie <richard.purdie@...> wrote on Tuesday, 21/12/2021 at 14:19:
On Tue, 2021-12-21 at 11:15 +0000, Jose Quaresma wrote:


Teoh, Jay Shen <jay.shen.teoh@...> wrote on Tuesday, 21/12/2021 at 07:46:
Hi all,

This is the full report for yocto-3.1.13.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

new issue found

Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test


======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669

This patch is a bug fix for 14669:
https://lists.openembedded.org/g/openembedded-core/message/159911
Great, thanks!

I assume we don't need that in the version on master as it is already
present?


https://git.yoctoproject.org/poky/commit/?id=7b90027aac9fa41b3dc98765151d761df8dabb97
The first version of the patch on the master branch is this one and it fixes
the [YOCTO #14194].
I cherry-picked that with some adaptation for dunfell but the content is the
same.

We need the patch on master as well and we will drop it with the gstreamer
1.20 update.
Thanks for the info, we're ok with master then and can backport this.
It will be in my next patchset for dunfell.

Steve


Cheers,

Richard




Re: [OE-core] [yocto] [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Richard Purdie
 

On Tue, 2021-12-21 at 15:12 +0000, Jose Quaresma wrote:


Richard Purdie <richard.purdie@...> wrote on Tuesday, 21/12/2021 at 14:19:
On Tue, 2021-12-21 at 11:15 +0000, Jose Quaresma wrote:


Teoh, Jay Shen <jay.shen.teoh@...> wrote on Tuesday, 21/12/2021 at 07:46:
Hi all,

This is the full report for yocto-3.1.13.rc1: 
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

new issue found

Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test


======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669

This patch is a bug fix for 14669:
https://lists.openembedded.org/g/openembedded-core/message/159911
 
Great, thanks!

I assume we don't need that in the version on master as it is already
present?


https://git.yoctoproject.org/poky/commit/?id=7b90027aac9fa41b3dc98765151d761df8dabb97
The first version of the patch on the master branch is this one and it fixes
the [YOCTO #14194].
I cherry-picked that with some adaptation for dunfell but the content is the
same.

We need the patch on master as well and we will drop it with the gstreamer
1.20 update.
Thanks for the info, we're ok with master then and can backport this.

Cheers,

Richard


Yocto Project Status WW51'21

Stephen Jolley
 

Current Dev Position: YP 3.5 M2

Next Deadline: 17th Jan. 2022 YP 3.5 M2 build

 

Next Team Meetings:

 

Key Status/Updates:

  • YP 3.5 M1 and YP 3.1.13 have both been through QA and are likely to be released this week.
  • The next status report will be sent next year on 4th January with no report next week (28th Dec).
  • We have maintenance to the autobuilder planned to fit SSDs to speed up IO and update the host distros to more modern equivalents. This is scheduled for next few days (22nd-24th) and the autobuilder will be unavailable during the work. There may be bring up issues with the new distros.
  • Intermittent issues continue to be at record high levels and help is very much welcome in trying to resolve them. You can see the list of failures we’re continuing to see by searching for the “AB-INT” tag in bugzilla: https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT

 

Ways to contribute:

 

YP 3.5 Milestone Dates:

  • YP 3.5 M1 is ready for release
  • YP 3.5 M2 build date 2022/01/17
  • YP 3.5 M2 Release date 2022/01/28
  • YP 3.5 M3 build date 2022/02/21
  • YP 3.5 M3 Release date 2022/03/04
  • YP 3.5 M4 build date 2022/04/04
  • YP 3.5 M4 Release date 2022/04/29

 

Upcoming dot releases:

  • YP 3.1.13 is ready for release
  • YP 3.1.14 build date 2022/01/24
  • YP 3.1.14 Release date 2022/02/04
  • YP 3.4.2 build date 2022/02/07
  • YP 3.4.2 Release date 2022/02/18
  • YP 3.3.5 build date 2022/02/14
  • YP 3.3.5 Release date 2022/02/25
  • YP 3.1.15 build date 2022/03/14
  • YP 3.1.15 Release date 2022/03/25
  • YP 3.4.3 build date 2022/03/21
  • YP 3.4.3 Release date 2022/04/01
  • YP 3.3.6 build date 2022/03/28
  • YP 3.3.6 Release date 2022/04/08
  • YP 3.1.16 build date 2022/04/25
  • YP 3.1.16 Release date 2022/05/06

 

Tracking Metrics:

 

The Yocto Project’s technical governance is through its Technical Steering Committee, more information is available at:

https://wiki.yoctoproject.org/wiki/TSC

 

The Status reports are now stored on the wiki at: https://wiki.yoctoproject.org/wiki/Weekly_Status

 

[If anyone has suggestions for other information you’d like to see on this weekly status update, let us know!]

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Re: [OE-core] [yocto] [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Jose Quaresma
 



Richard Purdie <richard.purdie@...> wrote on Tuesday, 21/12/2021 at 14:19:
On Tue, 2021-12-21 at 11:15 +0000, Jose Quaresma wrote:
>
>
> Teoh, Jay Shen <jay.shen.teoh@...> wrote on Tuesday, 21/12/2021 at 07:46:
> > Hi all,
> >
> > This is the full report for yocto-3.1.13.rc1: 
> > https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults
> >
> > ======= Summary ========
> > No high milestone defects.
> >
> > new issue found
> >
> > Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test
> >
> >
> > ======= Bugs ========
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669
> >
>
>
> This patch is a bug fix for 14669:
> https://lists.openembedded.org/g/openembedded-core/message/159911
>  

Great, thanks!

I assume we don't need that in the version on master as it is already present?


The first version of the patch on the master branch is this one and it fixes the [YOCTO #14194].
I cherry-picked that with some adaptation for dunfell but the content is the same.

We need the patch on master as well and we will drop it with the gstreamer 1.20 update.

Jose
 

Cheers,

Richard



--
Best regards,

José Quaresma


Re: [OE-core] [yocto] [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Richard Purdie
 

On Tue, 2021-12-21 at 11:15 +0000, Jose Quaresma wrote:


Teoh, Jay Shen <jay.shen.teoh@...> wrote on Tuesday, 21/12/2021 at 07:46:
Hi all,

This is the full report for yocto-3.1.13.rc1: 
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

new issue found

Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test


======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669

This patch is a bug fix for 14669:
https://lists.openembedded.org/g/openembedded-core/message/159911
 
Great, thanks!

I assume we don't need that in the version on master as it is already present?

Cheers,

Richard


Re: [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Jose Quaresma
 



Teoh, Jay Shen <jay.shen.teoh@...> wrote on Tuesday, 21/12/2021 at 07:46:
Hi all,

This is the full report for yocto-3.1.13.rc1: 
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

new issue found

Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test


======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669

This patch is a bug fix for 14669:
 


Thanks,
Jay







--
Best regards,

José Quaresma


[meta-zephyr][PATCH] zephyr-kernel: upgrade 2.7.0 -> 2.7.1

Jing Hui Tham
 

From: JingHuiTham <jing.hui.tham@...>

Zephyr 2.7.1 release notes:
https://github.com/zephyrproject-rtos/zephyr/releases/tag/zephyr-v2.7.1

Signed-off-by: JingHuiTham <jing.hui.tham@...>
---
...ephyr-kernel-src-2.7.0.inc => zephyr-kernel-src-2.7.1.inc} | 4 ++--
recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
rename recipes-kernel/zephyr-kernel/{zephyr-kernel-src-2.7.0.inc => zephyr-kernel-src-2.7.1.inc} (90%)

diff --git a/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.0.inc b/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc
similarity index 90%
rename from recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.0.inc
rename to recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc
index 2fdda35..9d31c69 100644
--- a/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.0.inc
+++ b/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc
@@ -1,6 +1,6 @@
SRCREV_FORMAT = "default_cmsis"
SRCREV_cmsis = "b0612c97c1401feeb4160add6462c3627fe90fc7"
-SRCREV_default = "3f826560aaf81a444018293bd6acce3c339fe150"
+SRCREV_default = "e4da3e528088a34a9989f5a50e7ed3149d57de92"
SRCREV_libmetal = "39d049d4ae68e6f6d595fce7de1dcfc1024fb4eb"
SRCREV_lvgl = "31acbaa36e9e74ab88ac81e3d21e7f1d00a71136"
SRCREV_mbedtls = "5765cb7f75a9973ae9232d438e361a9d7bbc49e7"
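Review bot: only SRCREV_default moves in this hunk, and the commit message links the 2.7.1 release notes but never says which tag the new revision corresponds to; please confirm that e4da3e528088a34a9989f5a50e7ed3149d57de92 is the commit tagged zephyr-v2.7.1 and say so in the message. The module revisions left untouched here (SRCREV_cmsis, SRCREV_libmetal, SRCREV_lvgl, SRCREV_mbedtls and the rest of the file) should also be checked against what the 2.7.1 manifest pins, since a point release may bump them too.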
@@ -11,7 +11,7 @@ SRCREV_stm32 = "5c8275071ec1cf160bfe8c18bbd9330a7d714dc8"
SRCREV_tinycrypt = "3e9a49d2672ec01435ffbf0d788db6d95ef28de0"

ZEPHYR_BRANCH = "v2.7-branch"
-PV = "2.7.0+git${SRCPV}"
+PV = "2.7.1+git${SRCPV}"

SRC_URI:append = " \
file://0001-cmake-add-yocto-toolchain.patch \
diff --git a/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc b/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
index c973c2a..da1efea 100644
--- a/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
+++ b/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
@@ -23,5 +23,5 @@ SRC_URI = "\
S = "${WORKDIR}/git"

# Default to a stable version
-PREFERRED_VERSION_zephyr-kernel ??= "2.7.0"
+PREFERRED_VERSION_zephyr-kernel ??= "2.7.1"
include zephyr-kernel-src-${PREFERRED_VERSION_zephyr-kernel}.inc
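Review bot: because zephyr-kernel-src-2.7.0.inc is renamed rather than kept alongside the new file, any distro or local configuration that still sets PREFERRED_VERSION_zephyr-kernel = "2.7.0" will now fail at `include zephyr-kernel-src-${PREFERRED_VERSION_zephyr-kernel}.inc` with a missing include. Either keep the 2.7.0 include for one release or state in the commit message that 2.7.0 is being dropped on purpose.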
--
2.33.1


[meta-tensorflow][PATCH 3/3] tensorflow-lite: add recipe

Julien STEPHAN
 

Adding 2.6.1 tensorflow-lite recipe.
This recipe is directly based on the corresponding 2.6.1 tensorflow
recipe.

It has been build tested with latest honister and tested on
several mediatek soc using benchmark_model and label_image (C++ and
python)

Signed-off-by: Julien STEPHAN <jstephan@...>
---
.../tensorflow/tensorflow-lite_2.6.1.bb | 156 ++++++++++++++++++
1 file changed, 156 insertions(+)
create mode 100644 recipes-framework/tensorflow/tensorflow-lite_2.6.1.bb

diff --git a/recipes-framework/tensorflow/tensorflow-lite_2.6.1.bb b/recipes-framework/tensorflow/tensorflow-lite_2.6.1.bb
new file mode 100644
index 0000000..104e5a3
--- /dev/null
+++ b/recipes-framework/tensorflow/tensorflow-lite_2.6.1.bb
@@ -0,0 +1,156 @@
+include tensorflow.inc
+
+SRC_URI += " \
+ file://0001-add-yocto-toolchain-to-support-cross-compiling.patch \
+ file://0001-fix-build-tensorflow-lite-examples-label_image-label.patch \
+ file://0001-label_image-tweak-default-model-location.patch \
+ file://0001-label_image.lite-tweak-default-model-location.patch \
+ file://0001-CheckFeatureOrDie-use-warning-to-avoid-die.patch \
+ file://0001-support-32-bit-x64-and-arm-for-yocto.patch \
+ file://0001-Revert-set-distinct_host_configuration-false-by-defa.patch \
+ file://0001-fix-default-Bazel-toolchain-not-work.patch \
+ file://0001-distutils-is-deprecated-in-Python-3.10-cross.patch \
+ file://BUILD.in \
+ file://BUILD.yocto_compiler \
+ file://cc_config.bzl.tpl \
+ file://yocto_compiler_configure.bzl \
+ "
+
+SRC_URI += "https://storage.googleapis.com/download.tensorflow.org/models/inception_v3_2016_08_28_frozen.pb.tar.gz;name=model-inv3"
+SRC_URI[model-inv3.md5sum] = "a904ddf15593d03c7dd786d552e22d73"
+SRC_URI[model-inv3.sha256sum] = "7045b72a954af4dce36346f478610acdccbf149168fa25c78e54e32f0c723d6d"
+
+SRC_URI += "https://storage.googleapis.com/download.tensorflow.org/models/tflite/mobilenet_v1_1.0_224_quant_and_labels.zip;name=model-mobv1"
+SRC_URI[model-mobv1.md5sum] = "38ac0c626947875bd311ef96c8baab62"
+SRC_URI[model-mobv1.sha256sum] = "2f8054076cf655e1a73778a49bd8fd0306d32b290b7e576dda9574f00f186c0f"
+
+RDEPENDS:${PN} += " \
+ python3 \
+ python3-core \
+ python3-numpy \
+"
+
+export PYTHON_BIN_PATH="${PYTHON}"
+export PYTHON_LIB_PATH="${STAGING_LIBDIR_NATIVE}/${PYTHON_DIR}/site-packages"
+
+export CROSSTOOL_PYTHON_INCLUDE_PATH="${STAGING_INCDIR}/python${PYTHON_BASEVERSION}${PYTHON_ABI}"
+
+do_configure:append () {
+ if [ ! -e ${CROSSTOOL_PYTHON_INCLUDE_PATH}/pyconfig-target.h ];then
+ mv ${CROSSTOOL_PYTHON_INCLUDE_PATH}/pyconfig.h ${CROSSTOOL_PYTHON_INCLUDE_PATH}/pyconfig-target.h
+ fi
+
+ install -m 644 ${STAGING_INCDIR_NATIVE}/python${PYTHON_BASEVERSION}${PYTHON_ABI}/pyconfig.h \
+ ${CROSSTOOL_PYTHON_INCLUDE_PATH}/pyconfig-native.h
+
+ cat > ${CROSSTOOL_PYTHON_INCLUDE_PATH}/pyconfig.h <<ENDOF
+#if defined (_PYTHON_INCLUDE_TARGET)
+#include "pyconfig-target.h"
+#elif defined (_PYTHON_INCLUDE_NATIVE)
+#include "pyconfig-native.h"
+#else
+#error "_PYTHON_INCLUDE_TARGET or _PYTHON_INCLUDE_NATIVE is not defined"
+#endif // End of #if defined (_PYTHON_INCLUDE_TARGET)
+
+ENDOF
+
+ mkdir -p ${S}/third_party/toolchains/yocto/
+ sed "s#%%CPU%%#${BAZEL_TARGET_CPU}#g" ${WORKDIR}/BUILD.in > ${S}/third_party/toolchains/yocto/BUILD
+ chmod 644 ${S}/third_party/toolchains/yocto/BUILD
+ install -m 644 ${WORKDIR}/cc_config.bzl.tpl ${S}/third_party/toolchains/yocto/
+ install -m 644 ${WORKDIR}/yocto_compiler_configure.bzl ${S}/third_party/toolchains/yocto/
+ install -m 644 ${WORKDIR}/BUILD.yocto_compiler ${S}
+
+ CT_NAME=$(echo ${HOST_PREFIX} | rev | cut -c 2- | rev)
+ SED_COMMAND="s#%%CT_NAME%%#${CT_NAME}#g"
+ SED_COMMAND="${SED_COMMAND}; s#%%WORKDIR%%#${WORKDIR}#g"
+ SED_COMMAND="${SED_COMMAND}; s#%%YOCTO_COMPILER_PATH%%#${BAZEL_OUTPUTBASE_DIR}/external/yocto_compiler#g"
+
+ sed -i "${SED_COMMAND}" ${S}/BUILD.yocto_compiler \
+ ${S}/WORKSPACE
+
+ ${TF_CONFIG} \
+ ./configure
+}
+
+TF_TARGET_EXTRA ??= ""
+
+export CUSTOM_BAZEL_FLAGS = " \
+ ${TF_ARGS_EXTRA} \
+ --jobs=auto \
+ -c opt \
+ --cpu=${BAZEL_TARGET_CPU} \
+ --crosstool_top=@local_config_yocto_compiler//:toolchain \
+ --host_crosstool_top=@bazel_tools//tools/cpp:toolchain \
+"
+
+do_compile () {
+ export CT_NAME=$(echo ${HOST_PREFIX} | rev | cut -c 2- | rev)
+ unset CC
+
+ ${BAZEL} build \
+ ${CUSTOM_BAZEL_FLAGS} \
+ --copt -DTF_LITE_DISABLE_X86_NEON --copt -DMESA_EGL_NO_X11_HEADERS \
+ tensorflow/lite:libtensorflowlite.so \
+ tensorflow/lite/tools/benchmark:benchmark_model \
+ //tensorflow/lite/examples/label_image:label_image \
+ ${TF_TARGET_EXTRA}
+
+ # build pip package
+ ${S}/tensorflow/lite/tools/pip_package/build_pip_package_with_bazel.sh
+
+}
+
+do_install() {
+ install -d ${D}${libdir}
+ install -m 644 ${S}/bazel-bin/tensorflow/lite/libtensorflowlite.so \
+ ${D}${libdir}
+
+ install -d ${D}${sbindir}
+ install -m 755 ${S}/bazel-bin/tensorflow/lite/tools/benchmark/benchmark_model \
+ ${D}${sbindir}
+
+ install -m 755 ${S}/bazel-bin/tensorflow/lite/examples/label_image/label_image \
+ ${D}${sbindir}/label_image
+
+ install -d ${D}${datadir}/label_image
+ install -m 644 ${WORKDIR}/imagenet_slim_labels.txt ${D}${datadir}/label_image
+ install -m 644 ${WORKDIR}/inception_v3_2016_08_28_frozen.pb \
+ ${D}${datadir}/label_image
+ install -m 644 ${S}/tensorflow/examples/label_image/data/grace_hopper.jpg \
+ ${D}${datadir}/label_image
+
+ install -m 644 ${WORKDIR}/labels_mobilenet_quant_v1_224.txt ${D}${datadir}/label_image
+ install -m 644 ${WORKDIR}/mobilenet_v1_1.0_224_quant.tflite \
+ ${D}${datadir}/label_image
+ install -m 644 ${S}/tensorflow/lite/examples/label_image/testdata/grace_hopper.bmp \
+ ${D}${datadir}/label_image
+
+
+ #echo "Installing pip package"
+ install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+ ${STAGING_BINDIR_NATIVE}/pip3 install --disable-pip-version-check -v \
+ -t ${D}/${PYTHON_SITEPACKAGES_DIR} --no-cache-dir --no-deps \
+ ${S}/tensorflow/lite/tools/pip_package/gen/tflite_pip/python3/dist/tflite_runtime-${PV}-*.whl
+
+}
+
+FILES:${PN} += "${libdir} ${sbindir} ${datadir}/*"
+INSANE_SKIP:${PN} += "dev-so \
+ already-stripped \
+ "
+
+SOLIBS = ".so"
+FILES_SOLIBSDEV = ""
+ALLOW_EMPTY:${PN} = "1"
+
+FILES:${PN} += "${libdir} /home/root/*"
+
+inherit siteinfo unsupportarch
+python __anonymous() {
+ if d.getVar("SITEINFO_ENDIANNESS") == 'be':
+ msg = "\nIt failed to use pre-build model to do predict/inference on big-endian platform"
+ msg += "\n(such as qemumips), since upstream does not support big-endian very well."
+ msg += "\nDetails: https://github.com/tensorflow/tensorflow/issues/16364"
+ bb.warn(msg)
+}
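Review bot: FILES:${PN} is assigned twice in this file and the second assignment looks like a leftover. The first line `FILES:${PN} += "${libdir} ${sbindir} ${datadir}/*"` already covers everything do_install creates, while the later `FILES:${PN} += "${libdir} /home/root/*"` repeats ${libdir} and adds /home/root/*, a path nothing in do_install writes to, so it should be dropped. Smaller points in the same hunk: the commented-out `#echo "Installing pip package"` should be removed or turned into a bbnote, and the `echo ${HOST_PREFIX} | rev | cut -c 2- | rev` computation of CT_NAME is duplicated in do_configure:append and do_compile, so a single recipe variable would be clearer.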
--
2.34.1


[meta-tensorflow][PATCH 2/3] bazel.class: rename BAZEL_ARGS to BAZEL_STARTUP_OPTIONS

Julien STEPHAN
 

BAZEL_ARGS variable contains bazel startup options so rename the
variable to be more explicit. Moreover upstream tensorflow uses the
variable name BAZEL_STARTUP_OPTIONS inside
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/lite/tools/pip_package/build_pip_package_with_bazel.sh#L97
so we can keep consistency with upstream and this would be useful for
future tensorflow-lite recipe

Signed-off-by: Julien STEPHAN <jstephan@...>
---
classes/bazel.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/bazel.bbclass b/classes/bazel.bbclass
index e232d30..ccdfd74 100644
--- a/classes/bazel.bbclass
+++ b/classes/bazel.bbclass
@@ -7,7 +7,7 @@ inherit bazel-base

BAZEL_DIR ?= "${WORKDIR}/bazel"
BAZEL_OUTPUTBASE_DIR ?= "${BAZEL_DIR}/output_base"
-export BAZEL_ARGS="--output_user_root=${BAZEL_DIR}/user_root \
+export BAZEL_STARTUP_OPTIONS="--output_user_root=${BAZEL_DIR}/user_root \
--output_base=${BAZEL_OUTPUTBASE_DIR} \
--bazelrc=${S}/bazelrc \
--batch \
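Review bot: BAZEL_ARGS is an exported variable, so any recipe or bbappend outside classes/bazel.bbclass that references it will silently lose the startup options once this rename lands; the commit message should say that no other user exists in the layer, or the class should keep `BAZEL_ARGS` as a deprecated alias of BAZEL_STARTUP_OPTIONS for one release so out-of-tree recipes are not broken without a warning.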
@@ -19,7 +19,7 @@ do_prepare_recipe_sysroot[postfuncs] += "do_install_bazel"
do_install_bazel() {
mkdir -p ${BAZEL_DIR}
install -m 0755 ${STAGING_BINDIR_NATIVE}/bazel ${BAZEL_DIR}
- create_cmdline_wrapper ${BAZEL} \$BAZEL_ARGS
+ create_cmdline_wrapper ${BAZEL} \$BAZEL_STARTUP_OPTIONS
zip -A ${BAZEL}.real
}

--
2.34.1


[meta-tensorflow][PATCH 1/3] tensorflow: do not fail on chmod failure

Julien STEPHAN
 

every recipe using tensorflow.inc will inherits the do_compile:append
task but sometimes, the chmod inside this task fails because the target
files are not generated, we can safely ignore the chmod exit code and
always return 0

Signed-off-by: Julien STEPHAN <jstephan@...>
---
recipes-framework/tensorflow/tensorflow.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-framework/tensorflow/tensorflow.inc b/recipes-framework/tensorflow/tensorflow.inc
index e30cca5..25d2ebf 100644
--- a/recipes-framework/tensorflow/tensorflow.inc
+++ b/recipes-framework/tensorflow/tensorflow.inc
@@ -39,6 +39,6 @@ TF_CONFIG ?= " \
inherit tensorflow_ver

do_compile:append() {
- chmod a+w ${BAZEL_DIR}/output_base/execroot/org_tensorflow/bazel-out/*/bin/tensorflow/lite/python/schema_py_srcs_no_include_all
- chmod a+w ${BAZEL_DIR}/output_base/execroot/org_tensorflow/bazel-out/*/bin/tensorflow/lite/python/schema_py_srcs_no_include_all/tflite
+ chmod a+w ${BAZEL_DIR}/output_base/execroot/org_tensorflow/bazel-out/*/bin/tensorflow/lite/python/schema_py_srcs_no_include_all || true
+ chmod a+w ${BAZEL_DIR}/output_base/execroot/org_tensorflow/bazel-out/*/bin/tensorflow/lite/python/schema_py_srcs_no_include_all/tflite || true
}
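Review bot: `|| true` hides every chmod failure, including a genuine permission error, not only the "target files are not generated" case the commit message describes. Guard on existence instead so a real failure still fails the task, for example `for d in ${BAZEL_DIR}/output_base/execroot/org_tensorflow/bazel-out/*/bin/tensorflow/lite/python/schema_py_srcs_no_include_all; do if [ -d "$d" ]; then chmod a+w "$d"; fi; done` and the same loop for the tflite subdirectory; this also handles the glob matching more than one bazel-out configuration directory.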
--
2.34.1


timedatectl (update read only system with local time)

Arik Kleiman
 

I'm looking for a way to add timedatectl to the image.

What I need is basically setting up the local date (according to the time zone) on a read-only file system.


From what I read, there is a way to do this via timedatectl, but I can't find a recipe for that.
 (Is there another way?)


Thanks 
Arik


Re: [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.13.rc1)

Teoh, Jay Shen
 

Hi all,

This is the full report for yocto-3.1.13.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

new issue found

Bug 14669 - [QA 3.1.13 RC1] failure in ptest :gstreamer1.0.gstreamer-1.0/pipelines_seek.test


======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14669

Thanks,
Jay

-----Original Message-----
From: qa-build-notification@... <qa-build-
notification@...> On Behalf Of Richard Purdie
Sent: Wednesday, 15 December, 2021 3:40 PM
To: <yocto@...> <yocto@...>
Cc: qa-build-notification <qa-build-notification@...>
Subject: [qa-build-notification] QA notification for completed autobuilder build
(yocto-3.1.13.rc1)

A build flagged for QA (yocto-3.1.13.rc1) was completed on the autobuilder and is
available at:


https://autobuilder.yocto.io/pub/releases/yocto-3.1.13.rc1


Build hash information:




This is an automated message from the Yocto Project Autobuilder
Git: git://git.yoctoproject.org/yocto-autobuilder2
Email: richard.purdie@...


[meta-selinux][PATCH V2] refpolicy: upgrade 20210203+git -> 20210908+git

Yi Zhao
 

* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.
* Set POLICY_DISTRO from redhat to debian, which can reduce the amount
of local patches.
* Set max kernel policy version from 31 to 33.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
V2 Changes: Fix su command failure
Drop useless patches for MLS policy

.../refpolicy/refpolicy-minimum_git.bb | 3 +-
.../refpolicy/refpolicy-targeted_git.bb | 1 +
...tile-alias-common-var-volatile-paths.patch | 6 +-
...inimum-make-sysadmin-module-optional.patch | 6 +-
...ed-make-unconfined_u-the-default-sel.patch | 126 +-----------
...box-set-aliases-for-bin-sbin-and-usr.patch | 6 +-
...icy-minimum-make-xdg-module-optional.patch | 40 ++++
...ed-add-capability2-bpf-and-perfmon-f.patch | 52 +++++
...y-policy-to-common-yocto-hostname-al.patch | 2 +-
...fpolicy-minimum-enable-nscd_use_shm.patch} | 4 +-
...sr-bin-bash-context-to-bin-bash.bash.patch | 2 +-
...abel-resolv.conf-in-var-run-properly.patch | 2 +-
...-apply-login-context-to-login.shadow.patch | 10 +-
.../0007-fc-bind-fix-real-path-for-bind.patch | 32 ---
...fc-hwclock-add-hwclock-alternatives.patch} | 2 +-
...-apply-policy-to-dmesg-alternatives.patch} | 2 +-
...sh-apply-policy-to-ssh-alternatives.patch} | 2 +-
...ly-policy-to-network-commands-alter.patch} | 20 +-
...-apply-policy-to-udevadm-in-libexec.patch} | 4 +-
...ly-rpm_exec-policy-to-cpio-binaries.patch} | 2 +-
...-su-apply-policy-to-su-alternatives.patch} | 2 +-
...c-fstools-fix-real-path-for-fstools.patch} | 2 +-
...ix-update-alternatives-for-sysvinit.patch} | 2 +-
...-apply-policy-to-brctl-alternatives.patch} | 2 +-
...pply-policy-to-nologin-alternatives.patch} | 2 +-
...pply-policy-to-sulogin-alternatives.patch} | 2 +-
...p-apply-policy-to-ntpd-alternatives.patch} | 2 +-
...ply-policy-to-kerberos-alternatives.patch} | 2 +-
...p-apply-policy-to-ldap-alternatives.patch} | 2 +-
...ly-policy-to-postgresql-alternative.patch} | 2 +-
...apply-policy-to-screen-alternatives.patch} | 2 +-
...ly-policy-to-usermanage-alternative.patch} | 16 +-
...tty-add-file-context-to-start_getty.patch} | 2 +-
...-apply-policy-to-vlock-alternatives.patch} | 2 +-
...for-init-scripts-and-systemd-service.patch | 64 ++++++
...file-context-to-etc-network-if-files.patch | 33 ---
...s_dist-set-aliase-for-root-director.patch} | 6 +-
...ron-apply-policy-to-etc-init.d-crond.patch | 25 ---
...stem-logging-add-rules-for-the-syml.patch} | 22 +-
...ork-update-file-context-for-ifconfig.patch | 31 ---
...stem-logging-add-rules-for-syslogd-.patch} | 6 +-
...rnel-files-add-rules-for-the-symlin.patch} | 20 +-
...stem-logging-fix-auditd-startup-fai.patch} | 41 +---
...rnel-terminal-don-t-audit-tty_devic.patch} | 2 +-
...stem-modutils-allow-mod_t-to-access.patch} | 8 +-
...stem-getty-allow-getty_t-to-search-.patch} | 8 +-
...ervices-bluetooth-allow-bluetooth_t-.patch | 34 ++++
...rvices-rpcbind-allow-rpcbind_t-to-c.patch} | 24 +--
...ervices-avahi-allow-avahi_t-to-watch.patch | 34 ----
...ervices-ssh-do-not-audit-attempts-by.patch | 33 +++
...dmin-usermanage-allow-useradd-to-rel.patch | 71 +++++++
...ervices-bluetooth-fix-bluetoothd-sta.patch | 88 --------
...stem-systemd-enable-support-for-sys.patch} | 8 +-
...oles-sysadm-allow-sysadm-to-run-rpci.patch | 38 ----
...stem-systemd-fix-systemd-resolved-s.patch} | 35 ++--
...ervices-rpc-add-capability-dac_read_.patch | 34 ----
...ystem-systemd-allow-systemd_-_t-to-g.patch | 156 +++++++++++++++
...ystem-systemd-allow-systemd_hostname.patch | 41 ++++
...ervices-rngd-fix-security-context-fo.patch | 65 ------
...ystem-logging-fix-syslogd-failures-f.patch | 55 +++++
...ervices-ssh-allow-ssh_keygen_t-to-re.patch | 34 ----
...es-system-systemd-systemd-user-fixes.patch | 172 ++++++++++++++++
...ervices-ssh-make-respective-init-scr.patch | 33 ---
...stem-sysnetwork-support-priviledge-.patch} | 38 ++--
...ernel-terminal-allow-loging-to-reset.patch | 31 ---
...rvices-acpi-allow-acpid-to-watch-th.patch} | 14 +-
...stem-modutils-allow-kmod_t-to-write.patch} | 15 +-
...ystem-selinuxutil-allow-semanage_t-t.patch | 33 ---
...dmin-su-allow-su-to-map-SELinux-stat.patch | 68 +++++++
...stem-mount-make-mount_t-domain-MLS-.patch} | 15 +-
...les-sysadm-MLS-sysadm-rw-to-clearan.patch} | 15 +-
...ystem-init-add-capability2-bpf-and-p.patch | 37 ----
...rvices-rpc-make-nfsd_t-domain-MLS-t.patch} | 27 +--
...ystem-systemd-allow-systemd_logind_t.patch | 37 ----
...min-dmesg-make-dmesg_t-MLS-trusted-.patch} | 6 +-
...ystem-logging-set-label-devlog_t-to-.patch | 86 --------
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 15 +-
...-system-systemd-support-systemd-user.patch | 189 ------------------
...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +-
...ystem-systemd-allow-systemd-generato.patch | 69 -------
...ystem-systemd-allow-systemd_backligh.patch | 35 ----
...stem-systemd-make-systemd-tmpfiles_.patch} | 6 +-
...ystem-logging-fix-systemd-journald-s.patch | 47 -----
...ystem-systemd-systemd-make-systemd_-.patch | 91 +++++++++
...ervices-cron-allow-crond_t-to-search.patch | 34 ----
...stem-logging-add-the-syslogd_t-to-t.patch} | 8 +-
...ervices-crontab-allow-sysadm_r-to-ru.patch | 46 -----
...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +-
...stem-init-all-init_t-to-read-any-le.patch} | 6 +-
...stem-logging-allow-auditd_t-to-writ.patch} | 6 +-
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 15 +-
...ystem-setrans-allow-setrans-to-acces.patch | 42 ----
...stem-setrans-allow-setrans_t-use-fd.patch} | 6 +-
...oles-sysadm-allow-sysadm_t-to-watch-.patch | 33 ---
...stem-systemd-make-_systemd_t-MLS-tr.patch} | 12 +-
...ystem-logging-make-syslogd_runtime_t.patch | 48 +++++
...ystem-selinux-allow-setfiles_t-to-re.patch | 44 ----
...ystem-systemd-make-systemd-logind-do.patch | 42 ----
...ystem-systemd-systemd-user-sessions-.patch | 41 ----
...ystem-systemd-systemd-make-systemd_-.patch | 162 ---------------
...ervices-ntp-make-nptd_t-MLS-trusted-.patch | 40 ----
...ervices-acpi-make-acpid_t-domain-MLS.patch | 35 ----
...ervices-avahi-make-avahi_t-MLS-trust.patch | 29 ---
...ervices-bluetooth-make-bluetooth_t-d.patch | 36 ----
...ystem-sysnetwork-make-dhcpc_t-domain.patch | 38 ----
...ervices-inetd-make-inetd_t-domain-ML.patch | 36 ----
...ervices-bind-make-named_t-domain-MLS.patch | 38 ----
...ervices-rpc-make-rpcd_t-MLS-trusted-.patch | 36 ----
...ge-update-file-context-for-chfn-chsh.patch | 34 ----
.../refpolicy/refpolicy_common.inc | 152 ++++++--------
recipes-security/refpolicy/refpolicy_git.inc | 4 +-
111 files changed, 1230 insertions(+), 2266 deletions(-)
create mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
rename recipes-security/refpolicy/refpolicy/{0002-refpolicy-minimum-enable-nscd_use_shm.patch => 0003-refpolicy-minimum-enable-nscd_use_shm.patch} (87%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch
rename recipes-security/refpolicy/refpolicy/{0008-fc-hwclock-add-hwclock-alternatives.patch => 0007-fc-hwclock-add-hwclock-alternatives.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch => 0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0010-fc-ssh-apply-policy-to-ssh-alternatives.patch => 0009-fc-ssh-apply-policy-to-ssh-alternatives.patch} (94%)
rename recipes-security/refpolicy/refpolicy/{0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch => 0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch} (65%)
rename recipes-security/refpolicy/refpolicy/{0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch => 0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch} (90%)
rename recipes-security/refpolicy/refpolicy/{0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch => 0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0014-fc-su-apply-policy-to-su-alternatives.patch => 0013-fc-su-apply-policy-to-su-alternatives.patch} (93%)
rename recipes-security/refpolicy/refpolicy/{0015-fc-fstools-fix-real-path-for-fstools.patch => 0014-fc-fstools-fix-real-path-for-fstools.patch} (98%)
rename recipes-security/refpolicy/refpolicy/{0016-fc-init-fix-update-alternatives-for-sysvinit.patch => 0015-fc-init-fix-update-alternatives-for-sysvinit.patch} (97%)
rename recipes-security/refpolicy/refpolicy/{0017-fc-brctl-apply-policy-to-brctl-alternatives.patch => 0016-fc-brctl-apply-policy-to-brctl-alternatives.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch => 0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch} (94%)
rename recipes-security/refpolicy/refpolicy/{0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch => 0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch} (93%)
rename recipes-security/refpolicy/refpolicy/{0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch => 0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch} (93%)
rename recipes-security/refpolicy/refpolicy/{0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch => 0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch} (97%)
rename recipes-security/refpolicy/refpolicy/{0022-fc-ldap-apply-policy-to-ldap-alternatives.patch => 0021-fc-ldap-apply-policy-to-ldap-alternatives.patch} (96%)
rename recipes-security/refpolicy/refpolicy/{0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch => 0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch} (96%)
rename recipes-security/refpolicy/refpolicy/{0024-fc-screen-apply-policy-to-screen-alternatives.patch => 0023-fc-screen-apply-policy-to-screen-alternatives.patch} (93%)
rename recipes-security/refpolicy/refpolicy/{0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch => 0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch} (80%)
rename recipes-security/refpolicy/refpolicy/{0026-fc-getty-add-file-context-to-start_getty.patch => 0025-fc-getty-add-file-context-to-start_getty.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0028-fc-vlock-apply-policy-to-vlock-alternatives.patch => 0026-fc-vlock-apply-policy-to-vlock-alternatives.patch} (92%)
create mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch
rename recipes-security/refpolicy/refpolicy/{0031-file_contexts.subs_dist-set-aliase-for-root-director.patch => 0028-file_contexts.subs_dist-set-aliase-for-root-director.patch} (87%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
rename recipes-security/refpolicy/refpolicy/{0032-policy-modules-system-logging-add-rules-for-the-syml.patch => 0029-policy-modules-system-logging-add-rules-for-the-syml.patch} (81%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch
rename recipes-security/refpolicy/refpolicy/{0033-policy-modules-system-logging-add-rules-for-syslogd-.patch => 0030-policy-modules-system-logging-add-rules-for-syslogd-.patch} (87%)
rename recipes-security/refpolicy/refpolicy/{0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch => 0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch} (80%)
rename recipes-security/refpolicy/refpolicy/{0035-policy-modules-system-logging-fix-auditd-startup-fai.patch => 0032-policy-modules-system-logging-fix-auditd-startup-fai.patch} (50%)
rename recipes-security/refpolicy/refpolicy/{0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch => 0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch} (94%)
rename recipes-security/refpolicy/refpolicy/{0037-policy-modules-system-modutils-allow-mod_t-to-access.patch => 0034-policy-modules-system-modutils-allow-mod_t-to-access.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0039-policy-modules-system-getty-allow-getty_t-to-search-.patch => 0035-policy-modules-system-getty-allow-getty_t-to-search-.patch} (81%)
create mode 100644 recipes-security/refpolicy/refpolicy/0036-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
rename recipes-security/refpolicy/refpolicy/{0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch => 0037-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch} (61%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-services-ssh-do-not-audit-attempts-by.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
rename recipes-security/refpolicy/refpolicy/{0049-policy-modules-system-systemd-enable-support-for-sys.patch => 0040-policy-modules-system-systemd-enable-support-for-sys.patch} (91%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
rename recipes-security/refpolicy/refpolicy/{0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch => 0041-policy-modules-system-systemd-fix-systemd-resolved-s.patch} (67%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0043-policy-modules-system-systemd-allow-systemd_hostname.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-system-logging-fix-syslogd-failures-f.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-systemd-user-fixes.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
rename recipes-security/refpolicy/refpolicy/{0060-policy-modules-system-sysnetwork-support-priviledge-.patch => 0046-policy-modules-system-sysnetwork-support-priviledge-.patch} (77%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
rename recipes-security/refpolicy/refpolicy/{0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch => 0047-policy-modules-services-acpi-allow-acpid-to-watch-th.patch} (76%)
rename recipes-security/refpolicy/refpolicy/{0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch => 0048-policy-modules-system-modutils-allow-kmod_t-to-write.patch} (73%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-su-allow-su-to-map-SELinux-stat.patch
rename recipes-security/refpolicy/refpolicy/{0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch => 0050-policy-modules-system-mount-make-mount_t-domain-MLS-.patch} (76%)
rename recipes-security/refpolicy/refpolicy/{0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch => 0051-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch} (80%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
rename recipes-security/refpolicy/refpolicy/{0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch => 0052-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch} (65%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
rename recipes-security/refpolicy/refpolicy/{0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch => 0053-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch} (85%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
rename recipes-security/refpolicy/refpolicy/{0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (91%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
rename recipes-security/refpolicy/refpolicy/{0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (90%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
rename recipes-security/refpolicy/refpolicy/{0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch => 0056-policy-modules-system-systemd-make-systemd-tmpfiles_.patch} (92%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-systemd-make-systemd_-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
rename recipes-security/refpolicy/refpolicy/{0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch => 0058-policy-modules-system-logging-add-the-syslogd_t-to-t.patch} (84%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
rename recipes-security/refpolicy/refpolicy/{0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0059-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (86%)
rename recipes-security/refpolicy/refpolicy/{0075-policy-modules-system-init-all-init_t-to-read-any-le.patch => 0060-policy-modules-system-init-all-init_t-to-read-any-le.patch} (88%)
rename recipes-security/refpolicy/refpolicy/{0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch => 0061-policy-modules-system-logging-allow-auditd_t-to-writ.patch} (88%)
rename recipes-security/refpolicy/refpolicy/{0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0062-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (73%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch
rename recipes-security/refpolicy/refpolicy/{0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch => 0063-policy-modules-system-setrans-allow-setrans_t-use-fd.patch} (83%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
rename recipes-security/refpolicy/refpolicy/{0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch => 0064-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch} (82%)
create mode 100644 recipes-security/refpolicy/refpolicy/0065-policy-modules-system-logging-make-syslogd_runtime_t.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch

diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index c4c9031..2e95b9f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -13,7 +13,8 @@ domains are unconfined. \

SRC_URI += " \
file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
- file://0002-refpolicy-minimum-enable-nscd_use_shm.patch \
+ file://0002-refpolicy-minimum-make-xdg-module-optional.patch \
+ file://0003-refpolicy-minimum-enable-nscd_use_shm.patch \
"

POLICY_NAME = "minimum"
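Review bot: inserting the new xdg patch as 0002 forces the existing nscd_use_shm patch to be renamed to 0003 (the diffstat shows it as a rename at 87%), and the same shifting runs through most of the series. Appending new patches at the end of the series, or leaving gaps in the numbering, would keep the per-patch history readable and make future rebases of refpolicy_common.inc much smaller.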
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index de81d46..15226db 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,4 +14,5 @@ include refpolicy_${PV}.inc

SRC_URI += " \
file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
+ file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch \
"
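Review bot: the commit message does not say why the targeted policy now needs 0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch while the diffstat deletes 0051-policy-modules-system-init-add-capability2-bpf-and-p.patch. Granting capability2 bpf and perfmon widens what the affected domain may do, so please state in the message which domain receives these capabilities and why the rule moved from the common init policy into the targeted variant only.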
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index 9f85980..82a8a6f 100644
--- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,4 +1,4 @@
-From 8a6052604e4f39ef9cbab62372006bc6f736dbed Mon Sep 17 00:00:00 2001
+From 12b64239af12370bc4e722ff8b97f7090ae4130c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 16:14:09 -0400
Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 6 insertions(+)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 653d25d93..652e1dd35 100644
+index ba22ce7e7..23d4328f7 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
-@@ -32,3 +32,9 @@
+@@ -33,3 +33,9 @@
# not for refpolicy intern, but for /var/run using applications,
# like systemd tmpfiles or systemd socket configurations
/var/run /run
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index d300edd..c53419d 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,4 @@
-From dc757d6df2314d82029b23b409df8de22a4df45e Mon Sep 17 00:00:00 2001
+From 84099c81f31a6f883d64b4be3362fbafe1c6668c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 5 Apr 2019 11:53:28 -0400
Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index aa57a5661..9b03d3767 100644
+index 5a19f0e43..1f4a671dc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -527,13 +527,15 @@ ifdef(`init_systemd',`
+@@ -556,13 +556,15 @@ ifdef(`init_systemd',`
unconfined_write_keys(init_t)
')
',`
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
index 89bc68e..9fc9dcd 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,4 +1,4 @@
-From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001
+From 2da63c373fd447d2f7ca539566ef2ed4ea882228 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Mon, 20 Apr 2020 11:50:03 +0800
Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux
user for root and normal users, so users could login in and run most
commands and services on unconfined domains.

-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
Upstream-Status: Inappropriate [configuration]

Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
@@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@...>
Signed-off-by: Wenzong Fan <wenzong.fan@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- config/appconfig-mcs/failsafe_context | 2 +-
- config/appconfig-mcs/seusers | 4 +--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 42 +++++++++++++++++++++++----
- policy/modules/system/unconfined.te | 7 +++++
- policy/users | 6 ++--
- 6 files changed, 50 insertions(+), 12 deletions(-)
+ config/appconfig-mcs/failsafe_context | 2 +-
+ config/appconfig-mcs/seusers | 4 ++--
+ policy/modules/system/unconfined.te | 5 +++++
+ policy/users | 6 +++---
+ 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
index 999abd9a3..a50bde775 100644
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index ce7d77d31..1aff2c31a 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
-
- init_exec(sysadm_t)
- init_admin(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 98e94283f..eb6d5b32d 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',`
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
-@@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',`
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
-@@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',`
- interface(`init_domtrans_script',`
- gen_require(`
- type initrc_t, initrc_exec_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
- domtrans_pattern($1, initrc_exec_t, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
-@@ -3532,3 +3534,31 @@ interface(`init_getrlimit',`
-
- allow $1 init_t:process getrlimit;
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 385c88695..87adb7e9d 100644
+index 4972094cb..b6d769412 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
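Review bot: this hunk drops the sysadm.te and init.if additions (the init_script_file_type spec_domtrans and range_transition rules, and the init_script_role_transition interface) without the commit message saying what now provides that behaviour; the removed paragraph "Also add rules for users to run init scripts directly, instead of via run_init" earlier in the patch suggests it was intentional functionality. If upstream refpolicy 20210908 has absorbed equivalent rules, cite the upstream commit in the message; if it has not, init scripts executed directly from sysadm_r or unconfined_t would no longer transition to initrc_t in system_r, which is a behaviour change for the targeted policy rather than a plain rebase and should be called out explicitly.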
@@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644

########################################
#
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
diff --git a/policy/users b/policy/users
index ca203758c..e737cd9cc 100644
--- a/policy/users
diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index 5907c4d..e46dc66 100644
--- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,4 +1,4 @@
-From 0ee7bc5f28ffae30b1a1f40edd96cfed993db667 Mon Sep 17 00:00:00 2001
+From a5d8d981e510f05e0bd31235e8889730df30158b Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 20:48:10 -0400
Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 6 insertions(+)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 652e1dd35..a38d58e16 100644
+index 23d4328f7..690007f22 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
-@@ -38,3 +38,9 @@
+@@ -39,3 +39,9 @@
# volatile hierarchy.
/var/volatile/log /var/log
/var/volatile/tmp /var/tmp
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
new file mode 100644
index 0000000..06800d0
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
@@ -0,0 +1,40 @@
+From caa9969ddd3b163fa4116fba7a87aa142d6975c2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Wed, 29 Sep 2021 11:08:49 +0800
+Subject: [PATCH] refpolicy-minimum: make xdg module optional
+
+The systemd module invokes xdg_config_content and xdg_data_content
+interfaces which are from xdg module. Since xdg is not a core module, we
+could make it optional in minimum policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/systemd.te | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 76bf7be68..e20db90ce 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -276,10 +276,14 @@ files_type(systemd_update_run_t)
+
+ type systemd_conf_home_t;
+ init_unit_file(systemd_conf_home_t)
+-xdg_config_content(systemd_conf_home_t)
++optional_policy(`
++ xdg_config_content(systemd_conf_home_t)
++')
+
+ type systemd_data_home_t;
+-xdg_data_content(systemd_data_home_t)
++optional_policy(`
++ xdg_data_content(systemd_data_home_t)
++')
+
+ type systemd_user_runtime_notify_t;
+ userdom_user_runtime_content(systemd_user_runtime_notify_t)
+--
+2.17.1
+
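Review bot: `Upstream-Status: Inappropriate [embedded specific]` does not fit this change. Wrapping calls into a non-core module such as xdg in an optional_policy block is the standard refpolicy convention for exactly this situation, so the patch looks upstreamable and should be marked Pending or Submitted instead. A sentence in the body noting that, when xdg is absent, `systemd_conf_home_t` and `systemd_data_home_t` keep only their `init_unit_file()` typing (so the types still exist and the module still compiles) would make the intent clear to the next person rebasing it.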
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
new file mode 100644
index 0000000..6e0a334
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
@@ -0,0 +1,52 @@
+From df4c7a48bbff04c9460dc432bb1139b16a6eadc0 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Wed, 29 Sep 2021 16:43:54 +0800
+Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
+ unconfined_t
+
+Fixes:
+avc: denied { bpf } for pid=433 comm="systemd" capability=39
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+avc: denied { perfmon } for pid=433 comm="systemd" capability=38
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
+subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
+denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0
+hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
+UID="root" GID="root" SAUID="root"
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/unconfined.if | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index a139cfe78..807e959c3 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
+ files_start_etc_service($1)
+ files_stop_etc_service($1)
+
++ ifdef(`init_systemd',`
++ allow $1 self:capability2 { bpf perfmon };
++ allow $1 self:system reload;
++ ')
++
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+--
+2.17.1
+
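Review bot: the subject says the permissions are added "for unconfined_t", but the hunk changes `unconfined_domain_noaudit`, so `self:capability2 { bpf perfmon }` and `self:system reload` are granted to every `$1` that calls this interface (or `unconfined_domain`), not only unconfined_t; the subject and body should say so. The subject should also name `system reload`, which the hunk adds and the third denial in the body (tclass=system) shows, but the title omits. Guarding the block with the init_systemd ifdef matches the denials, which all come from comm="systemd".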
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index db3f9c3..41aa0f2 100644
--- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,4 +1,4 @@
-From e0c34d0feb5305b1397f252d698501b641277517 Mon Sep 17 00:00:00 2001
+From cd6234302686394aa8bf39595ca076ec55959dc3 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
similarity index 87%
rename from recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch
rename to recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
index 5598c70..f23ad77 100644
--- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
@@ -1,7 +1,7 @@
-From d71b79cc9b174181934d588f64baa5637c8e85d1 Mon Sep 17 00:00:00 2001
+From 42407b8bdea4ebb5cbd6c5b8af6a003223e6aa77 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 26 Feb 2021 09:13:23 +0800
-Subject: [PATCH] policy/modules/services/nscd: enable nscd_use_shm
+Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm

Fixes:
avc: denied { listen } for pid=199 comm="systemd-resolve"
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
index 4a6d5eb..78b17fb 100644
--- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -1,4 +1,4 @@
-From 8d2c24bc1e2ef8ddf3cf7a08297cfab8a8a92b0d Mon Sep 17 00:00:00 2001
+From 96674eb9e7fe69ed0390d5ba6a7a8c80609efe77 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:37:32 -0400
Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index cb36ac4..2596630 100644
--- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,4 +1,4 @@
-From 85a77289d193bb3335c78f6d51b4ae2b81249952 Mon Sep 17 00:00:00 2001
+From 2191dd96ab337c1c1d5b16f9ba59a568fe6c0864 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 4 Apr 2019 10:45:03 -0400
Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index 30bbe07..fdd4010 100644
--- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,4 +1,4 @@
-From 253ab75676232be5522fc628b0819d0c48a08c03 Mon Sep 17 00:00:00 2001
+From 8d8e6e198203bcfcee2258f3d1137dd66cdf3db2 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:43:53 -0400
Subject: [PATCH] fc/login: apply login context to login.shadow
@@ -12,17 +12,17 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 7fd315706..fa86d6f92 100644
+index 50efcff7b..5cb48882c 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -5,6 +5,7 @@
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -6,6 +6,7 @@
+ /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0)

/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
- /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--
2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch
deleted file mode 100644
index 351b30e..0000000
--- a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 7e61e5d715451bafd785ec7db01e24e726e31c35 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@...>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH] fc/bind: fix real path for bind
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
-Signed-off-by: Joe MacDonald <joe_macdonald@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index ce68a0af9..585103eb9 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.17.1
-
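Review bot: deleting this patch removes the labelling of `/etc/rc\.d/init\.d/bind` as named_initrc_exec_t and `/etc/bind/rndc\.conf.*` as named_conf_t without a visible reason. The commit message should state whether the rebased refpolicy already carries these entries in bind.fc; if it does not, those paths fall back to the broader patterns in the same file (for rndc.conf that is `/etc/bind(/.*)?`, i.e. named_zone_t), which changes what named is allowed to do with its own configuration.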
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
index 75c8e7f..f3775c4 100644
--- a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
@@ -1,4 +1,4 @@
-From c7e69aa036d16a57709684fd2f72959f9a4ac251 Mon Sep 17 00:00:00 2001
+From 9914cb527171cf34bcef7af3bf558d480c88b978 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:59:18 -0400
Subject: [PATCH] fc/hwclock: add hwclock alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
index 3c939de..b1ab88c 100644
--- a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -1,4 +1,4 @@
-From 0fe5ae0d1b5f4268b04ba6c6134324385bb630a2 Mon Sep 17 00:00:00 2001
+From be2ecd331556a209488b50f81b55d52f5213486c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 08:26:55 -0400
Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
similarity index 94%
rename from recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
index 2a89acc..746ae5e 100644
--- a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,4 +1,4 @@
-From e2d9462c5f26dc02f7d547548d8a94bfd79ea88f Mon Sep 17 00:00:00 2001
+From 8147a6888f6a50a79a409792f43fd71931234084 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:20:58 -0400
Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
similarity index 65%
rename from recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
index 9d7d71c..4ddc267 100644
--- a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
@@ -1,7 +1,7 @@
-From dc3edc3b65dccf57d4cb22eb220498c2a5d9685f Mon Sep 17 00:00:00 2001
+From 64b2fd0b93a33645f7cf7a33f2b95ce5e066652b Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] fc/sysnetwork: apply policy to ip alternatives
+Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives

Upstream-Status: Inappropriate [embedded specific]

@@ -10,14 +10,22 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@...>
Signed-off-by: Joe MacDonald <joe_macdonald@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/sysnetwork.fc | 3 +++
- 1 file changed, 3 insertions(+)
+ policy/modules/system/sysnetwork.fc | 4 ++++
+ 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index c9ec4e5ab..c3291962d 100644
+index c9ec4e5ab..4ca151524 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -60,13 +60,16 @@ ifdef(`distro_redhat',`
+@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
+ /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -60,13 +61,16 @@ ifdef(`distro_redhat',`
/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
similarity index 90%
rename from recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch
rename to recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
index 0bb05e3..0dddf13 100644
--- a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -1,4 +1,4 @@
-From 9afd44d1300bc858c1569344fc1271e0468edad9 Mon Sep 17 00:00:00 2001
+From 29c082cbe398d4af9f69330be4fe66d1e0e3350d Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:36:08 -0400
Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
@@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index c88189fb7..ad4c0bba2 100644
+index 7898ff01c..bc717e60c 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
rename to recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
index 55f0444..912c7c9 100644
--- a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -1,4 +1,4 @@
-From 79e58207060c25d5f2484ed164ab74413d00792a Mon Sep 17 00:00:00 2001
+From e99cedaf111e58ad0c409a14f203421dac7732b3 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:54:07 -0400
Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
similarity index 93%
rename from recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
index 8d1c9aa..9edebfd 100644
--- a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,4 +1,4 @@
-From a1281be5b894c0c6dc3471a1e6b6c910bab7aa46 Mon Sep 17 00:00:00 2001
+From c7bac7f6487ecc88954995492115ffc545c9b6db Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 13 Feb 2014 00:33:07 -0500
Subject: [PATCH] fc/su: apply policy to su alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
similarity index 98%
rename from recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch
rename to recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
index a9fbe33..bb516d8 100644
--- a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,4 +1,4 @@
-From 02f6557320c60d895397650a59c39708c8e63d27 Mon Sep 17 00:00:00 2001
+From 0139f926a398848199ae10a8f088f7655c0e6d79 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Mon, 27 Jan 2014 03:54:01 -0500
Subject: [PATCH] fc/fstools: fix real path for fstools
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
similarity index 97%
rename from recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch
rename to recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
index a2e5762..6c6f6b5 100644
--- a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -1,4 +1,4 @@
-From f7860456e3867e6d9c24a7e07bc9e518f65ec478 Mon Sep 17 00:00:00 2001
+From 82c72fb6faff95e4d12aa451495ef81ced2821e1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
index 9da5acc..88dd311 100644
--- a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -1,4 +1,4 @@
-From 3a83de3883d0e287c0b6647e87a93d2cdc48aa10 Mon Sep 17 00:00:00 2001
+From 49bff0c3d5cee8face82fde060cb13629ee11d70 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:19:54 +0800
Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
similarity index 94%
rename from recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
index 4c1ac26..764df80 100644
--- a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -1,4 +1,4 @@
-From 5219bc4e0b3147455fecb1485e8387573207070c Mon Sep 17 00:00:00 2001
+From 925d94c5074e4c65a24ec65df49f6ca726922be0 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:21:51 +0800
Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
similarity index 93%
rename from recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
index acd2663..4db0aac 100644
--- a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -1,4 +1,4 @@
-From 2b3b5d43040e939e836ea5c9803f0b27641e50a4 Mon Sep 17 00:00:00 2001
+From 52afb51f51d9084eb32175913f56ee2a2aa53067 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:43:28 +0800
Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
similarity index 93%
rename from recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
index c40413a..14e2d1c 100644
--- a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -1,4 +1,4 @@
-From 5308969204d535391cb766ba5aa4b5479f64248c Mon Sep 17 00:00:00 2001
+From 32892769171992d525fb46c87a4403e60754beb9 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:45:23 +0800
Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
similarity index 97%
rename from recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
index 8d9ccd8..af21f4a 100644
--- a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -1,4 +1,4 @@
-From 89a54472ea0195ec19c291374e88e55b40107ff8 Mon Sep 17 00:00:00 2001
+From df6d9c8a993fb4c90fe70d5e487bdc9b28542130 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:55:05 +0800
Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
similarity index 96%
rename from recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
index c88dcd9..3587a03 100644
--- a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -1,4 +1,4 @@
-From 1130a43390bf41adb7747d0cc62c85c4320806cb Mon Sep 17 00:00:00 2001
+From 0ce10214366ebd09a0b9e125818c07aa02ce9163 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:06:13 +0800
Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
similarity index 96%
rename from recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch
rename to recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
index ddd78b0..6641ffc 100644
--- a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -1,4 +1,4 @@
-From 184f1dfe4cbff9c5ff2cbe865d4e7427f100ff59 Mon Sep 17 00:00:00 2001
+From 7486b35d28429f75b913fee3305edeb36187c603 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:13:16 +0800
Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
similarity index 93%
rename from recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
index 7ae54d9..9c53b74 100644
--- a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -1,4 +1,4 @@
-From e114e09928232dd9eed568a4717dca2094f6e4ad Mon Sep 17 00:00:00 2001
+From 505a638a29971deb11d0fded79ddbd532d350ece Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:15:33 +0800
Subject: [PATCH] fc/screen: apply policy to screen alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
similarity index 80%
rename from recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch
rename to recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
index e6fbba0..3612bc1 100644
--- a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -1,4 +1,4 @@
-From 62a5f9dee28411f1d88a2101e507c15780467b2f Mon Sep 17 00:00:00 2001
+From d9c0c498e2163f5d56c8b4325b4bc77fb35f421f Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:25:34 +0800
Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
@@ -7,24 +7,26 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/admin/usermanage.fc | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/admin/usermanage.fc | 6 ++++++
+ 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 620eefc6f..6a051f8a5 100644
+index 620eefc6f..bf1ff09ab 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
-@@ -4,7 +4,9 @@ ifdef(`distro_debian',`
+@@ -4,7 +4,11 @@ ifdef(`distro_debian',`

/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
-@@ -14,6 +16,7 @@ ifdef(`distro_debian',`
+@@ -14,6 +18,7 @@ ifdef(`distro_debian',`
/usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
@@ -32,7 +34,7 @@ index 620eefc6f..6a051f8a5 100644
/usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -39,6 +42,7 @@ ifdef(`distro_debian',`
+@@ -39,6 +44,7 @@ ifdef(`distro_debian',`
/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch
rename to recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
index d51faa5..e5f92f7 100644
--- a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
@@ -1,4 +1,4 @@
-From 7be59b4d42165f7e12ccb8b2409304a2640eb898 Mon Sep 17 00:00:00 2001
+From fa45c54ee9e801aaea10dc7efff352121642f16a Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 16:07:30 +0800
Subject: [PATCH] fc/getty: add file context to start_getty
diff --git a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch
rename to recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
index d0bd7b4..ba6507f 100644
--- a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
@@ -1,4 +1,4 @@
-From 1ee2b12fa1585bf765370e3e787081fe01ad990f Mon Sep 17 00:00:00 2001
+From f1759b82bd1903240c8ebe6551a55a4fb7b21411 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Wed, 18 Dec 2019 15:04:41 +0800
Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..26af03a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@
+From bebf4de8bacdd31aba7fd0bdd981a6a229cccae2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Tue, 30 Jun 2020 10:45:57 +0800
+Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/services/cron.fc | 1 +
+ policy/modules/services/rngd.fc | 1 +
+ policy/modules/services/rpc.fc | 2 ++
+ policy/modules/system/logging.fc | 1 +
+ 4 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 827363d88..e8412396d 100644
+--- a/policy/modules/services/cron.fc
++++ b/policy/modules/services/cron.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
++++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+ /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 88d2acaf0..d9c0a4aa7 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -1,7 +1,9 @@
+ /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+ /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+ /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 5681acb51..4ff5f990a 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+--
+2.17.1
+
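Review bot: the description of this new patch should say that it squashes the crond entry from the dropped 0029-fc-cron-apply-policy-to-etc-init.d-crond.patch and the nfsserver/nfscommon entries from the old 0043 rpcbind patch; the identical Date header and the identical cron.fc blob ids (827363d88..e8412396d) make the move visible to someone diffing the series, but not to someone reading the patch on its own. Two smaller points: the Subject promises "systemd service files" yet only logging.fc gains one, and that entry, `/usr/lib/systemd/system/syslog.*\.service`, deliberately matches every unit whose name starts with syslog; that is fine next to the existing `rsyslog.*\.service` line, but a short comment in the .fc naming the syslog implementations it is meant to catch would stop it looking like an over-broad pattern.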
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch b/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch
deleted file mode 100644
index e34abe6..0000000
--- a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From ac335f80d09f9ce4756f2e58944a975a12441fa7 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 19 Nov 2019 14:33:28 +0800
-Subject: [PATCH] fc/init: add file context to /etc/network/if-* files
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/init.fc | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 5268bddb2..a6762bd00 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -75,11 +75,12 @@ ifdef(`distro_redhat',`
- ifdef(`distro_debian',`
- /run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0)
- /run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0)
-+')
-+
- /etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
--')
-
- ifdef(`distro_gentoo', `
- /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
---
-2.17.1
-
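Review bot: this patch is deleted without a replacement anywhere in the series and without an upstream reference. Its whole effect was to move the `')` that closes `ifdef(`distro_debian',`` above the `/etc/network/if-*\.d/.*` lines, so that ifupdown hook scripts are labelled initrc_exec_t on non-Debian builds too. If upstream refpolicy has since made the same change, cite that commit in the cover letter; otherwise hook scripts under /etc/network on an OE image lose the initrc_exec_t entrypoint label and will no longer transition to initrc_t when run.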
diff --git a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
similarity index 87%
rename from recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch
rename to recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
index f65d1be..84e0692 100644
--- a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch
+++ b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
@@ -1,4 +1,4 @@
-From 8c733eff8089c24fe6885977d2bdcdfb0c453726 Mon Sep 17 00:00:00 2001
+From 7f9a176681d7c1854a722e79fb325a5f0f85f64d Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Sun, 5 Apr 2020 22:03:45 +0800
Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
@@ -14,10 +14,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 4 insertions(+)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index a38d58e16..3e4c5720f 100644
+index 690007f22..f80499ebf 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
-@@ -44,3 +44,7 @@
+@@ -45,3 +45,7 @@
/usr/lib/busybox/bin /usr/bin
/usr/lib/busybox/sbin /usr/sbin
/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch b/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
deleted file mode 100644
index be57060..0000000
--- a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a14d7d6fc54e7cf82d977c4b5c2df961c5eb1fe0 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 30 Jun 2020 10:45:57 +0800
-Subject: [PATCH] fc/cron: apply policy to /etc/init.d/crond
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/cron.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 827363d88..e8412396d 100644
---- a/policy/modules/services/cron.fc
-+++ b/policy/modules/services/cron.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
similarity index 81%
rename from recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch
rename to recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
index a80bf03..57afcb5 100644
--- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -1,4 +1,4 @@
-From 456bb92237aa637f506fcc56b190eb534d745e41 Mon Sep 17 00:00:00 2001
+From f62187fc61e110dee575c32a441b32c9660f48a5 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 10 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 5681acb51..a4ecd570a 100644
+index 4ff5f990a..dee26a9f4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -52,6 +52,7 @@ ifdef(`distro_suse', `
+@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)

/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -30,10 +30,10 @@ index 5681acb51..a4ecd570a 100644
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 10dee6563..9bb3afdb2 100644
+index 341763730..30d402c75 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
-@@ -1065,10 +1065,12 @@ interface(`logging_append_all_inherited_logs',`
+@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',`
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
@@ -46,7 +46,7 @@ index 10dee6563..9bb3afdb2 100644
read_files_pattern($1, logfile, logfile)
')

-@@ -1087,10 +1089,12 @@ interface(`logging_read_all_logs',`
+@@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',`
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
@@ -59,7 +59,7 @@ index 10dee6563..9bb3afdb2 100644
can_exec($1, logfile)
')

-@@ -1152,6 +1156,7 @@ interface(`logging_manage_generic_log_dirs',`
+@@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',`

files_search_var($1)
allow $1 var_log_t:dir manage_dir_perms;
@@ -67,7 +67,7 @@ index 10dee6563..9bb3afdb2 100644
')

########################################
-@@ -1172,6 +1177,7 @@ interface(`logging_relabel_generic_log_dirs',`
+@@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',`

files_search_var($1)
allow $1 var_log_t:dir relabel_dir_perms;
@@ -75,7 +75,7 @@ index 10dee6563..9bb3afdb2 100644
')

########################################
-@@ -1192,6 +1198,7 @@ interface(`logging_read_generic_logs',`
+@@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',`

files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
@@ -83,7 +83,7 @@ index 10dee6563..9bb3afdb2 100644
read_files_pattern($1, var_log_t, var_log_t)
')

-@@ -1293,6 +1300,7 @@ interface(`logging_manage_generic_logs',`
+@@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',`

files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
@@ -91,7 +91,7 @@ index 10dee6563..9bb3afdb2 100644
')

########################################
-@@ -1311,6 +1319,7 @@ interface(`logging_watch_generic_logs_dir',`
+@@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',`
')

allow $1 var_log_t:dir watch;
diff --git a/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch b/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch
deleted file mode 100644
index 6a659b2..0000000
--- a/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b3d2611360ddf21a3f8729766a1e4b64117ea710 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 4 Aug 2020 16:48:12 +0800
-Subject: [PATCH] fc/sysnetwork: update file context for ifconfig
-
-The ifconfig was moved from sbin to bin with oe-core commit:
-c9caff40ff61c08e24a84922f8d7c8e9cdf8883e. Update the file context for
-it.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index c3291962d..4ca151524 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
- /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
---
-2.17.1
-
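Review bot: unlike the cron and rpc entries, the `/usr/bin/ifconfig\.net-tools` file context removed here is not re-added elsewhere in the series, and the deleted commit message explains it exists because oe-core moved ifconfig to /usr/bin (c9caff40ff61c08e24a84922f8d7c8e9cdf8883e). State in the cover letter whether upstream refpolicy now labels the net-tools alternative target or whether that alternative is no longer used; otherwise the real binary behind the /usr/bin/ifconfig symlink keeps the default /usr/bin label and the ifconfig_t transition stops working on images that use net-tools.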
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
similarity index 87%
rename from recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch
rename to recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
index 4e5ee51..96fd4d2 100644
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -1,4 +1,4 @@
-From 275597cbb54eb8007c07fc06c3d9bd3d3090f7f2 Mon Sep 17 00:00:00 2001
+From e809c35686424c75cf9fd5d59facb66053be2589 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 10:33:18 -0400
Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 031e2f40f..673046781 100644
+index 21e3285a9..abee7df9c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -404,6 +404,7 @@ files_search_spool(syslogd_t)
+@@ -411,6 +411,7 @@ files_search_spool(syslogd_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
similarity index 80%
rename from recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
rename to recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
index da42fdd..2d1ef1d 100644
--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -1,4 +1,4 @@
-From 491783f2ae026ac969c9f6ef6eea1bd75ac7e2a5 Mon Sep 17 00:00:00 2001
+From ca9ef20cc6a7c7457f7a242d1b588279cad17aa4 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
@@ -30,10 +30,10 @@ index 826722f4e..677ae96c3 100644
/tmp/\.journal <<none>>

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 34a9cd66d..7fc7e922f 100644
+index 495cbe2f4..b308eefd9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -4533,6 +4533,7 @@ interface(`files_search_tmp',`
+@@ -4555,6 +4555,7 @@ interface(`files_search_tmp',`
')

allow $1 tmp_t:dir search_dir_perms;
@@ -41,7 +41,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4569,6 +4570,7 @@ interface(`files_list_tmp',`
+@@ -4591,6 +4592,7 @@ interface(`files_list_tmp',`
')

allow $1 tmp_t:dir list_dir_perms;
@@ -49,7 +49,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4605,6 +4607,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4627,6 +4629,7 @@ interface(`files_delete_tmp_dir_entry',`
')

allow $1 tmp_t:dir del_entry_dir_perms;
@@ -57,7 +57,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4623,6 +4626,7 @@ interface(`files_read_generic_tmp_files',`
+@@ -4645,6 +4648,7 @@ interface(`files_read_generic_tmp_files',`
')

read_files_pattern($1, tmp_t, tmp_t)
@@ -65,7 +65,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4641,6 +4645,7 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4663,6 +4667,7 @@ interface(`files_manage_generic_tmp_dirs',`
')

manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -73,7 +73,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4659,6 +4664,7 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4699,6 +4704,7 @@ interface(`files_manage_generic_tmp_files',`
')

manage_files_pattern($1, tmp_t, tmp_t)
@@ -81,7 +81,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4695,6 +4701,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4735,6 +4741,7 @@ interface(`files_rw_generic_tmp_sockets',`
')

rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -89,7 +89,7 @@ index 34a9cd66d..7fc7e922f 100644
')

########################################
-@@ -4902,6 +4909,7 @@ interface(`files_tmp_filetrans',`
+@@ -4942,6 +4949,7 @@ interface(`files_tmp_filetrans',`
')

filetrans_pattern($1, tmp_t, $2, $3, $4)
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
similarity index 50%
rename from recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch
rename to recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
index 9856fcd..2990e3b 100644
--- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,64 +1,41 @@
-From 25036d5f5c41e4215d071d9c1eb77760a0eca87c Mon Sep 17 00:00:00 2001
+From 3c5d83fbf406fc9e717147b4c57627fa1f202bd5 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures

Fixes:
-avc: denied { getattr } for pid=322 comm="auditd"
-path="/sbin/audisp-remote" dev="vda" ino=1115
-scontext=system_u:system_r:auditd_t
-tcontext=system_u:object_r:audisp_remote_exec_t tclass=file permissive=0
-
avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
ino=12552 scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0

-avc: denied { getattr } for pid=183 comm="auditctl" name="/"
-dev="proc" ino=1 scontext=system_u:system_r:auditctl_t
-tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
-
Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/logging.te | 5 +++++
- 1 file changed, 5 insertions(+)
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 673046781..9b3254f63 100644
+index abee7df9c..cc530a2be 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -117,6 +117,7 @@ files_read_etc_files(auditctl_t)
- kernel_read_kernel_sysctls(auditctl_t)
- kernel_read_proc_symlinks(auditctl_t)
- kernel_setsched(auditctl_t)
-+kernel_getattr_proc(auditctl_t)
-
- domain_read_all_domains_state(auditctl_t)
- domain_use_interactive_fds(auditctl_t)
-@@ -157,10 +158,13 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
- allow auditd_t auditd_etc_t:file read_file_perms;
- dontaudit auditd_t auditd_etc_t:file map;
-
-+allow auditd_t audisp_remote_exec_t:file getattr;
-+
+@@ -161,6 +161,7 @@ dontaudit auditd_t auditd_etc_t:file map;
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ allow auditd_t var_log_t:dir search_dir_perms;

manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
- manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -284,6 +288,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+@@ -290,6 +291,7 @@ optional_policy(`
+ allow audisp_remote_t self:capability { setpcap setuid };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;

manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--
2.17.1

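Review bot: besides the line-number refresh, this hunk silently drops two rules together with their AVC justifications: `kernel_getattr_proc(auditctl_t)` and `allow auditd_t audisp_remote_exec_t:file getattr;`. Dropping them is only correct if upstream refpolicy now grants the equivalent, so say so in the cover letter, or keep the AVC lines until a boot with auditd and audisp-remote enabled has been checked. The remaining change is sound: `read_lnk_file_perms` on var_log_t:lnk_file is the narrowest grant that resolves the read-on-symlink denial, and moving the added line above `allow auditd_t var_log_t:dir search_dir_perms;` is ordering only, matching the 2 insertions in the new diffstat.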
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
similarity index 94%
rename from recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
rename to recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
index 855aae6..5110454 100644
--- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -1,4 +1,4 @@
-From 15773d54215587284f937b9a37b08c682949e7ab Mon Sep 17 00:00:00 2001
+From f31db60837f667674a4dcc499f00c0d0e78b6461 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch
rename to recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
index da03017..d42afab 100644
--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
@@ -1,4 +1,4 @@
-From 1126ee6883d7e107b103a18d255416d542ca50f2 Mon Sep 17 00:00:00 2001
+From 5b7f6d1dc5c2c54d1e1ee6c724ffdc100ba59bd5 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Mon, 24 Aug 2020 11:29:09 +0800
Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
@@ -37,7 +37,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 4 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index ef5de835e..ee249ae04 100644
+index b0a419dc1..5b4f0aca1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
@@ -50,10 +50,10 @@ index ef5de835e..ee249ae04 100644
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 4a2283b6c..daf64482f 100644
+index c50ff68c1..4c5a690fb 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -61,6 +61,8 @@ allow udev_t self:rawip_socket create_socket_perms;
+@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
# for systemd-udevd to rename interfaces
allow udev_t self:netlink_route_socket nlmsg_write;

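Review bot: the udev.te hunk header's function context changed from `allow udev_t self:rawip_socket create_socket_perms;` to `ifdef(`init_systemd',``, and the surviving context (`# for systemd-udevd to rename interfaces` / `allow udev_t self:netlink_route_socket nlmsg_write;`) reads like the inside of that systemd-only block. Confirm the two inserted lines still land outside the `ifdef(`init_systemd',`` ... `')` body; if upstream moved the netlink_route_socket rule into it, the modules access this patch grants to udev_t would apply only to systemd images and sysvinit builds would keep hitting the original denials.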
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
similarity index 81%
rename from recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
rename to recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
index d673d54..5efa4ce 100644
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
@@ -1,4 +1,4 @@
-From f23178d9d89bf39895f75867c29bda4dfb27e786 Mon Sep 17 00:00:00 2001
+From 4ef0b1cdfd10dfcb8f5ee2e7b5cd0a93c9ee0bd4 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 23 Jun 2020 08:39:44 +0800
Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
@@ -16,13 +16,13 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 95b1ec632..0415e1ee7 100644
+index e6e76a93b..c704ddb82 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -66,6 +66,7 @@ dev_read_sysfs(getty_t)
- files_read_etc_runtime_files(getty_t)
+@@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
files_search_spool(getty_t)
+ files_dontaudit_search_var_lib(getty_t)
+fs_search_tmpfs(getty_t)

fs_search_auto_mountpoints(getty_t)
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-bluetooth-allow-bluetooth_t-.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
new file mode 100644
index 0000000..9071ffb
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
@@ -0,0 +1,34 @@
+From 20fe61dd58f8c1477800e316aefb7bd78bad6a26 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Tue, 23 Jun 2020 08:54:20 +0800
+Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
+ create alg_socket
+
+Fixes:
+avc: denied { create } for pid=268 comm="bluetoothd"
+scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/services/bluetooth.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 3f3d94e60..6a596f37d 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -61,6 +61,7 @@ allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+ allow bluetooth_t self:tcp_socket { accept listen };
+ allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
++allow bluetooth_t self:alg_socket create;
+
+ read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+--
+2.17.1
+
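Review bot: `allow bluetooth_t self:alg_socket create;` matches the single denial in the Fixes block, but create is only the first step of using an AF_ALG socket; bluetoothd will then need bind and the accept/read/write side, so expect follow-up denials unless this was tested through an actual pairing. Re-run with that path exercised and add exactly the permissions the audit log shows, which keeps the grant tighter than reaching for `create_socket_perms` up front. Also, Upstream-Status: Inappropriate [embedded specific] does not fit this one: bluez using the kernel crypto API socket is not OE-specific, so it could be marked Pending and sent to refpolicy.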
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
similarity index 61%
rename from recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
rename to recipes-security/refpolicy/refpolicy/0037-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
index 408df05..b364a26 100644
--- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -1,12 +1,9 @@
-From 40101e4da939fcea2eebe3e4800d0de4e551ca26 Mon Sep 17 00:00:00 2001
+From b907d458336ee430c765e7abf9e390385517a8de Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Wed, 1 Jul 2020 08:44:07 +0800
Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
directory with label rpcbind_runtime_t

-* Allow rpcbind_t to create directory with label rpcbind_runtime_t
-* Set context for nfsserver and nfscommon
-
Fixes:
avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
@@ -16,26 +13,11 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/services/rpc.fc | 2 ++
policy/modules/services/rpcbind.te | 5 +++--
- 2 files changed, 5 insertions(+), 2 deletions(-)
+ 1 file changed, 3 insertions(+), 2 deletions(-)

-diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 88d2acaf0..d9c0a4aa7 100644
---- a/policy/modules/services/rpc.fc
-+++ b/policy/modules/services/rpc.fc
-@@ -1,7 +1,9 @@
- /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
-
- /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-
- /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 370c9bce6..8972980fa 100644
+index 168c28ca3..e1eb7d5fc 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
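Review bot: the refreshed patch drops the whole rpc.fc hunk (the `/etc/rc\.d/init\.d/nfsserver` and `/etc/rc\.d/init\.d/nfscommon` file contexts) together with the matching bullet in the message, but nothing visible says where those contexts went. If the init scripts are still shipped on sysvinit images they fall back to the generic init-script label and lose the nfsd/rpcd domain transitions, so either carry those two lines in a patch of their own or say in the commit message why they are no longer needed. The remaining diffstat (`1 file changed, 3 insertions(+), 2 deletions(-)`) does match the `5 +++--` line for rpcbind.te.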
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch
deleted file mode 100644
index 1b0391d..0000000
--- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 92571e7c066b3d91634a4c1f55542cb528f5bac4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 23 Jun 2020 08:19:16 +0800
-Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch
- /etc/avahi directory
-
-Fixes:
-type=AVC msg=audit(1592813140.176:24): avc: denied { watch } for
-pid=360 comm="avahi-daemon" path="/services" dev="vda" ino=173
-scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:etc_t
-tclass=dir permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/avahi.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index af838d8b0..674cdcb81 100644
---- a/policy/modules/services/avahi.te
-+++ b/policy/modules/services/avahi.te
-@@ -76,6 +76,7 @@ domain_use_interactive_fds(avahi_t)
-
- files_read_etc_runtime_files(avahi_t)
- files_read_usr_files(avahi_t)
-+files_watch_etc_dirs(avahi_t)
-
- auth_use_nsswitch(avahi_t)
-
---
-2.17.1
-
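Review bot: deleting this patch removes `files_watch_etc_dirs(avahi_t)` outright, yet it was tagged `Upstream-Status: Inappropriate [embedded specific]`, so it cannot simply have been merged upstream as-is. Confirm that the new refpolicy base already grants `watch` on `etc_t` directories to `avahi_t` (the denial was on the /etc/avahi services directory); otherwise the quoted denial returns on the first config reload. A one-line note in the commit message naming the upstream change that made it redundant would settle this.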
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-ssh-do-not-audit-attempts-by.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-ssh-do-not-audit-attempts-by.patch
new file mode 100644
index 0000000..2066450
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-ssh-do-not-audit-attempts-by.patch
@@ -0,0 +1,33 @@
+From 997d9e0cb9016f49b421972764902c184d2d66f8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Fri, 29 Jan 2021 10:32:00 +0800
+Subject: [PATCH] policy/modules/services/ssh: do not audit attempts by
+ ssh-keygen to read proc
+
+Fixes:
+avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
+dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
+tcontext=system_u:object_r:proc_t tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 12b675545..d92efcc7a 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -344,6 +344,7 @@ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+ kernel_dontaudit_getattr_proc(ssh_keygen_t)
++kernel_dontaudit_read_system_state(ssh_keygen_t)
+
+ fs_search_auto_mountpoints(ssh_keygen_t)
+
+--
+2.17.1
+
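Review bot: `kernel_dontaudit_read_system_state(ssh_keygen_t)` silences the denial rather than granting the read that the replaced 0045 patch allowed (`allow ssh_keygen_t proc_t:file read_file_perms;`), so ssh-keygen's read of /proc/filesystems still fails, just quietly. That is the right call only if host key generation was verified to succeed with the read denied; please say so in the commit message. The interface also covers all of `proc_t`, wider than the single file in the log, which is the normal refpolicy granularity for a dontaudit and fine here. `Upstream-Status: Pending` is appropriate for this form, since a dontaudit of an opportunistic proc read is the kind of change upstream accepts.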
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-admin-usermanage-allow-useradd-to-rel.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
new file mode 100644
index 0000000..242e909
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
@@ -0,0 +1,71 @@
+From 8ae69796dd5e911ffbf2793437335a480b6ff6b2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Mon, 11 Oct 2021 10:10:10 +0800
+Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel
+ user home files
+
+Fixes:
+avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc"
+dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t
+tcontext=user_u:object_r:user_home_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/admin/usermanage.te | 2 ++
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 98646b4b4..50c479498 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t)
+
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
++fs_search_tmpfs(useradd_t)
+
+ mls_file_upgrade(useradd_t)
+
+@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_manage_user_home_content_dirs(useradd_t)
+ userdom_manage_user_home_content_files(useradd_t)
+ userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
++userdom_relabel_user_home_content_files(useradd_t)
+
+ optional_policy(`
+ mta_manage_spool(useradd_t)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 22b3c1bf7..ec625170d 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ dontaudit $1 user_home_t:file relabel_file_perms;
+ ')
+
++########################################
++## <summary>
++## Relabel user home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabel_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Read user home subdirectory symbolic links.
+--
+2.17.1
+
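Review bot: `fs_search_tmpfs(useradd_t)` in the first usermanage.te hunk is not explained by the only denial quoted in the message (`relabelfrom` on `.bashrc`); add the matching AVC or move that line to its own patch so `Fixes:` stays accurate. The new `userdom_relabel_user_home_content_files` interface grants `relabel_file_perms`, i.e. both `relabelfrom` and `relabelto` on `user_home_t` files, which covers the quoted denial and its inevitable `relabelto` counterpart, and it follows the XML doc layout of the neighbouring `userdom_dontaudit_relabel_user_home_content_files`, so the interface half looks right.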
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
deleted file mode 100644
index 8532a24..0000000
--- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 21c60a1ed37aef0427dbd49f602896b09b875bca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 23 Jun 2020 08:54:20 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: fix bluetoothd startup
- failures
-
-* Allow bluetooth_t to create and use bluetooth_socket
-* Allow bluetooth_t to create alg_socket
-* Allow bluetooth_t to send and receive messages from systemd hostnamed
- over dbus
-
-Fixes:
-avc: denied { create } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { bind } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { write } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { getattr } for pid=324 comm="bluetoothd"
-path="socket:[11771]" dev="sockfs" ino=11771
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { listen } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { read } for pid=324 comm="bluetoothd" path="socket:[11771]"
-dev="sockfs" ino=11771 scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { create } for pid=268 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
-permissive=0
-
-avc: denied { send_msg } for msgtype=method_call
-interface=org.freedesktop.DBus.Properties member=GetAll
-dest=org.freedesktop.hostname1 spid=266 tpid=312
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/bluetooth.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 69a38543e..b3df695db 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms;
- allow bluetooth_t self:unix_stream_socket { accept connectto listen };
- allow bluetooth_t self:tcp_socket { accept listen };
- allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
-+allow bluetooth_t self:alg_socket create;
-
- read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
-
-@@ -127,6 +129,9 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
- userdom_dontaudit_use_user_terminals(bluetooth_t)
- userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-
-+init_dbus_send_script(bluetooth_t)
-+systemd_dbus_chat_hostnamed(bluetooth_t)
-+
- optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-
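Review bot: this deleted 0040 patch also carried `init_dbus_send_script(bluetooth_t)` and `systemd_dbus_chat_hostnamed(bluetooth_t)` for the `org.freedesktop.hostname1` `GetAll` denial in its message, but the replacement patch at the top of this diff only re-adds `alg_socket create`. The `bluetooth_socket create_stream_socket_perms` rule is visible there as upstream context, so dropping that part is justified; nothing visible shows the hostnamed dbus rules landed upstream. Please confirm they did, or carry them over into the new patch.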
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-enable-support-for-sys.patch
similarity index 91%
rename from recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch
rename to recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-enable-support-for-sys.patch
index ae1d71a..e8b4ee0 100644
--- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -1,4 +1,4 @@
-From c2a6ad9b4eee990b79175ec1866cfe20b7c61ef3 Mon Sep 17 00:00:00 2001
+From 7c5e9c228d1858d2f5fc9217a850e6b1de89dcd5 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: enable support for
@@ -36,10 +36,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2e08efd19..7da836136 100644
+index 744cbc605..05d6700d0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.11.1)
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.12.5)
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
@@ -48,7 +48,7 @@ index 2e08efd19..7da836136 100644

## <desc>
## <p>
-@@ -1332,6 +1332,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
+@@ -1393,6 +1393,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
files_relabelto_home(systemd_tmpfiles_t)
files_relabelto_etc_dirs(systemd_tmpfiles_t)
files_setattr_lock_dirs(systemd_tmpfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
deleted file mode 100644
index bd06065..0000000
--- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e67fe4fa79d59be7bcefd256c1966ea8c034a3d9 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@...>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo
-
-Fixes:
-$ rpcinfo
-rpcinfo: can't contact rpcbind: RPC: Remote system error - Permission denied
-
-avc: denied { connectto } for pid=406 comm="rpcinfo"
-path="/run/rpcbind.sock" scontext=root:sysadm_r:sysadm_t
-tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@...>
-Signed-off-by: Joe MacDonald <joe_macdonald@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index ddf973693..1642f3b93 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -947,6 +947,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
- rpcbind_admin(sysadm_t, sysadm_r)
- ')
-
---
-2.17.1
-
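Review bot: removing `rpcbind_stream_connect(sysadm_t)` with no visible replacement reintroduces the `rpcinfo: can't contact rpcbind` failure quoted in the deleted message unless the newer `rpcbind_admin(sysadm_t, sysadm_r)` interface now includes the stream connect. Since the patch was tagged `Inappropriate [embedded specific]`, it was not merged upstream verbatim, so the commit message should name the upstream interface change that makes it unnecessary.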
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-systemd-fix-systemd-resolved-s.patch
similarity index 67%
rename from recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch
rename to recipes-security/refpolicy/refpolicy/0041-policy-modules-system-systemd-fix-systemd-resolved-s.patch
index a0dc9f2..9d5b3f8 100644
--- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-systemd-fix-systemd-resolved-s.patch
@@ -1,22 +1,15 @@
-From 8e762e1070e98a4235a70536ee6ca81725858a4b Mon Sep 17 00:00:00 2001
+From c348510f7ae78b86be4572a7abcdbeee150638a3 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Mon, 25 Jan 2021 14:14:59 +0800
Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
failures

-* Allow systemd_resolved_t to create socket file
* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
files
* Allow systemd_resolved_t to send and recevie messages from dhcpc over
dbus

Fixes:
-avc: denied { create } for pid=258 comm="systemd-resolve"
-name="io.systemd.Resolve"
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:systemd_resolved_runtime_t:s0
-tclass=sock_file permissive=0
-
avc: denied { create } for pid=329 comm="systemd-resolve"
name=".#stub-resolv.conf53cb7f9d1e3aa72b"
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
@@ -39,31 +32,29 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7da836136..0411729ea 100644
+index 05d6700d0..e8559cb6a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -1164,6 +1164,8 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
+@@ -1196,6 +1196,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;

manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
-+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)

- dev_read_sysfs(systemd_resolved_t)
-@@ -1194,6 +1196,8 @@ seutil_read_file_contexts(systemd_resolved_t)
- systemd_log_parse_environment(systemd_resolved_t)
- systemd_read_networkd_runtime(systemd_resolved_t)
-
-+sysnet_dbus_chat_dhcpc(systemd_resolved_t)
-+
- optional_policy(`
- dbus_connect_system_bus(systemd_resolved_t)
+@@ -1233,6 +1234,7 @@ optional_policy(`
dbus_system_bus_client(systemd_resolved_t)
+ dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
+ dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
++ sysnet_dbus_chat_dhcpc(systemd_resolved_t)
+ ')
+
+ #########################################
--
2.17.1

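Review bot: while this file is being rewritten anyway, the carried-over bullet "send and recevie messages from dhcpc" should be corrected to "receive". Moving `sysnet_dbus_chat_dhcpc(systemd_resolved_t)` inside the `optional_policy(` block that holds the other dbus rules is the right placement, and dropping the `sock_file` bullet and the first AVC is consistent with `manage_sock_files_pattern(...)` now appearing as upstream context in the second hunk; the refreshed diffstat (`2 insertions(+)`) matches the two remaining `+` lines.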
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
deleted file mode 100644
index 534c280..0000000
--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 14 May 2019 15:22:08 +0800
-Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
- for rpcd_t
-
-Fixes:
-type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search }
-for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
-tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/rpc.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index c3e37177b..87b6b4561 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -232,7 +232,7 @@ optional_policy(`
- # Local policy
- #
-
--allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
-+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
- allow rpcd_t self:capability2 block_suspend;
- allow rpcd_t self:process { getcap setcap };
- allow rpcd_t self:fifo_file rw_fifo_file_perms;
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
new file mode 100644
index 0000000..38ad025
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
+From c74e40fb95cd6d8c6a704637c8e0d1752c60b3de Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Tue, 28 Sep 2021 10:03:04 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
+ attributes of tmpfs and cgroups
+
+Fixes:
+avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
+tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e8559cb6a..e488bf3dc 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
+
+ files_search_var_lib(systemd_backlight_t)
+
++fs_getattr_tmpfs(systemd_backlight_t)
++fs_search_cgroup_dirs(systemd_backlight_t)
++fs_getattr_cgroup(systemd_backlight_t)
++
+ #######################################
+ #
+ # Binfmt local policy
+@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
+ fs_list_efivars(systemd_generator_t)
+ fs_getattr_cgroup(systemd_generator_t)
+ fs_getattr_xattr_fs(systemd_generator_t)
++fs_getattr_tmpfs(systemd_generator_t)
+
+ init_create_runtime_files(systemd_generator_t)
+ init_manage_runtime_dirs(systemd_generator_t)
+@@ -512,6 +517,10 @@ sysnet_manage_config(systemd_hostnamed_t)
+
+ systemd_log_parse_environment(systemd_hostnamed_t)
+
++fs_getattr_tmpfs(systemd_hostnamed_t)
++fs_search_cgroup_dirs(systemd_hostnamed_t)
++fs_getattr_cgroup(systemd_hostnamed_t)
++
+ optional_policy(`
+ dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+@@ -832,6 +841,10 @@ dev_read_sysfs(systemd_modules_load_t)
+ files_mmap_read_kernel_modules(systemd_modules_load_t)
+ files_read_etc_files(systemd_modules_load_t)
+
++fs_getattr_tmpfs(systemd_modules_load_t)
++fs_search_cgroup_dirs(systemd_modules_load_t)
++fs_getattr_cgroup(systemd_modules_load_t)
++
+ modutils_read_module_config(systemd_modules_load_t)
+ modutils_read_module_deps(systemd_modules_load_t)
+
+@@ -882,6 +895,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
+ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+ fs_getattr_xattr_fs(systemd_networkd_t)
++fs_getattr_tmpfs(systemd_networkd_t)
+ fs_getattr_cgroup(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+@@ -1182,6 +1196,10 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+ systemd_log_parse_environment(systemd_rfkill_t)
+
++fs_getattr_tmpfs(systemd_rfkill_t)
++fs_search_cgroup_dirs(systemd_rfkill_t)
++fs_getattr_cgroup(systemd_rfkill_t)
++
+ #########################################
+ #
+ # Resolved local policy
+@@ -1221,6 +1239,9 @@ auth_use_nsswitch(systemd_resolved_t)
+ files_watch_root_dirs(systemd_resolved_t)
+ files_watch_runtime_dirs(systemd_resolved_t)
+ files_list_runtime(systemd_resolved_t)
++fs_getattr_tmpfs(systemd_resolved_t)
++fs_search_cgroup_dirs(systemd_resolved_t)
++fs_getattr_cgroup(systemd_resolved_t)
+
+ init_dgram_send(systemd_resolved_t)
+
+@@ -1285,6 +1306,10 @@ seutil_read_file_contexts(systemd_sessions_t)
+
+ systemd_log_parse_environment(systemd_sessions_t)
+
++fs_getattr_tmpfs(systemd_sessions_t)
++fs_search_cgroup_dirs(systemd_sessions_t)
++fs_getattr_cgroup(systemd_sessions_t)
++
+ ########################################
+ #
+ # sysctl local policy
+@@ -1301,6 +1326,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
+ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+ files_read_etc_files(systemd_sysctl_t)
++fs_getattr_tmpfs(systemd_sysctl_t)
++fs_search_cgroup_dirs(systemd_sysctl_t)
++fs_getattr_cgroup(systemd_sysctl_t)
+
+ systemd_log_parse_environment(systemd_sysctl_t)
+
+@@ -1406,6 +1434,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+ fs_getattr_xattr_fs(systemd_tmpfiles_t)
+ fs_list_tmpfs(systemd_tmpfiles_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
++fs_search_cgroup_dirs(systemd_tmpfiles_t)
++fs_getattr_cgroup(systemd_tmpfiles_t)
+
+ selinux_get_fs_mount(systemd_tmpfiles_t)
+ selinux_use_status_page(systemd_tmpfiles_t)
+@@ -1494,6 +1524,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+ files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+
++fs_getattr_tmpfs(systemd_update_done_t)
++fs_search_cgroup_dirs(systemd_update_done_t)
++fs_getattr_cgroup(systemd_update_done_t)
++
+ kernel_read_kernel_sysctls(systemd_update_done_t)
+
+ selinux_use_status_page(systemd_update_done_t)
+@@ -1598,6 +1632,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
+ fs_read_cgroup_files(systemd_user_runtime_dir_t)
+ fs_getattr_cgroup(systemd_user_runtime_dir_t)
++fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
+
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+ kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+--
+2.17.1
+
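Review bot: the commit message quotes denials only for `systemd_networkd_t`, `systemd_resolved_t`, `systemd_sessions_t` and `systemd_user_runtime_dir_t`, but the patch also adds `fs_getattr_tmpfs`, `fs_search_cgroup_dirs` and `fs_getattr_cgroup` to backlight, generator, hostnamed, modules_load, rfkill, sysctl, tmpfiles and update_done. If those are added pre-emptively because every systemd-* helper shares the same libsystemd startup path, say so in the message; otherwise include the corresponding AVCs so each allow rule is traceable to an observed denial. The `fs_search_cgroup_dirs(systemd_user_runtime_dir_t)` line does match the `search` on `cgroup_t` dir denial quoted.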
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-systemd-allow-systemd_hostname.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-systemd-allow-systemd_hostname.patch
new file mode 100644
index 0000000..9da5b68
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-systemd-allow-systemd_hostname.patch
@@ -0,0 +1,41 @@
+From 8dde3ab80552772c00ed18af46aec6ec5ecbb296 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Thu, 4 Feb 2021 15:13:50 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_hostnamed to
+ read udev runtime files
+
+Fixes:
+avc: denied { open } for pid=392 comm="systemd-hostnam"
+path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
+scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=392 comm="systemd-hostnam"
+path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
+scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e488bf3dc..9092bb8b4 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -521,6 +521,9 @@ fs_getattr_tmpfs(systemd_hostnamed_t)
+ fs_search_cgroup_dirs(systemd_hostnamed_t)
+ fs_getattr_cgroup(systemd_hostnamed_t)
+
++# Allow reading /run/udev/data/+dmi:id
++udev_read_runtime_files(systemd_hostnamed_t)
++
+ optional_policy(`
+ dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+--
+2.17.1
+
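Review bot: `Upstream-Status: Inappropriate [embedded specific]` looks wrong for this one. systemd-hostnamed reading `/run/udev/data/+dmi:id` (the udev database entry it uses for chassis and vendor information) is generic systemd behaviour, not something specific to this distribution, so `udev_read_runtime_files(systemd_hostnamed_t)` is a candidate for upstream and should be tagged `Pending` and submitted. The inline comment naming the file that triggered the rule is a good habit; keep it.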
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
deleted file mode 100644
index 7bd1402..0000000
--- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 5dbfff582a9c7745f8517adefb27c5f90653f8fa Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Wed, 25 May 2016 03:16:24 -0400
-Subject: [PATCH] policy/modules/services/rngd: fix security context for
- rng-tools
-
-* Fix security context for /etc/init.d/rng-tools
-* Allow rngd_t to read sysfs
-
-Fixes:
-avc: denied { read } for pid=355 comm="rngd" name="cpu" dev="sysfs"
-ino=36 scontext=system_u:system_r:rngd_t
-tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1
-
-avc: denied { getsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-avc: denied { setsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/rngd.fc | 1 +
- policy/modules/services/rngd.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
-index 382c067f9..0ecc5acc4 100644
---- a/policy/modules/services/rngd.fc
-+++ b/policy/modules/services/rngd.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-
- /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-
-diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
-index 4540e4ec7..48f08fb48 100644
---- a/policy/modules/services/rngd.te
-+++ b/policy/modules/services/rngd.te
-@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
- #
-
- allow rngd_t self:capability { ipc_lock sys_admin };
--allow rngd_t self:process signal;
-+allow rngd_t self:process { signal getsched setsched };
- allow rngd_t self:fifo_file rw_fifo_file_perms;
- allow rngd_t self:unix_stream_socket { accept listen };
-
-@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
- dev_read_urand(rngd_t)
- dev_rw_tpm(rngd_t)
- dev_write_rand(rngd_t)
-+dev_read_sysfs(rngd_t)
-
- files_read_etc_files(rngd_t)
-
---
-2.17.1
-
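Review bot: besides the `getsched`/`setsched` and `dev_read_sysfs` rules, this deleted patch carried the `/etc/rc\.d/init\.d/rng-tools` file context for `rngd_initrc_exec_t`. That labeling is distribution-specific (upstream refpolicy only knows `/etc/rc\.d/init\.d/rngd`), so it is unlikely to have landed upstream; if the rng-tools recipe still installs that init script on sysvinit images, it now gets the generic init-script label and rngd no longer transitions into `rngd_t`. Either keep the .fc half in a separate patch or note in the commit message why it is obsolete.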
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-logging-fix-syslogd-failures-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-logging-fix-syslogd-failures-f.patch
new file mode 100644
index 0000000..7d35863
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-logging-fix-syslogd-failures-f.patch
@@ -0,0 +1,55 @@
+From e4c2a285cebbd372da0e89953ce9a71a3fdbec2e Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@...>
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for
+ systemd
+
+Fixes:
+syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/syslog: Permission denied
+syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied
+syslogd[243]: Error opening log file: /var/log/messages: Permission denied
+
+avc: denied { search } for pid=243 comm="syslogd" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { write } for pid=162 comm="systemd-journal"
+name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@...>
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/logging.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index cc530a2be..5b4b5ec5d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t)
+
+ # manage runtime files
+ allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
+-allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
++allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write };
+ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+@@ -495,6 +495,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_search_tmpfs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+--
+2.17.1
+
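Review bot: the `Upstream-Status: Inappropriate [embedded specific]` tag does not fit the first of the two rules added here: the `write` added to `syslogd_runtime_t:sock_file` answers the `avc: denied { write } ... comm="systemd-journal" name="syslog"` denial, which is plain systemd-journald (running in `syslogd_t`) forwarding to the syslog socket and is not specific to an embedded image. Only the `fs_search_tmpfs(syslogd_t)` half, which answers the `search` denial on a tmpfs root, looks distribution-specific. Consider splitting the patch so the generic sock_file rule can be sent upstream with a proper `Submitted` status, and keep the tmpfs search rule with a one-line comment saying which tmpfs mount the log path lives under.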
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
deleted file mode 100644
index 4b7e2b5..0000000
--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From be61411d6d7d3bb2c700ec24f42661ce9c728df4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 29 Jan 2021 10:32:00 +0800
-Subject: [PATCH] policy/modules/services/ssh: allow ssh_keygen_t to read
- proc_t
-
-Fixes:
-avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
-dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
-tcontext=system_u:object_r:proc_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/ssh.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 238c45ed8..2bbf50e84 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -330,6 +330,8 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-+allow ssh_keygen_t proc_t:file read_file_perms;
-+
- allow ssh_keygen_t sshd_key_t:file manage_file_perms;
- files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
---
-2.17.1
-
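Review bot: dropping this file removes `allow ssh_keygen_t proc_t:file read_file_perms;` with no replacement visible elsewhere in the series; the commit message should say why the `ssh-keygen` read denial on `/proc` `name="filesystems"` no longer needs a local rule (for example, that the refpolicy version this series moves to already covers it), so a later reader does not have to rediscover the denial.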
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-systemd-user-fixes.patch
new file mode 100644
index 0000000..0482c2b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,172 @@
+From abc97dcee46ff4ed557aefce51ec3b1385095361 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
+$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
+--user to connect to bus of other user)
+
+avc: denied { connectto } for pid=293 comm="login"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
+dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=293 comm="login"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { connectto } for pid=244 comm="systemd-logind"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.DropIn" dev="tmpfs" ino=44
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { setrlimit } for pid=297 comm="systemd"
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
+ino=173 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:etc_t tclass=dir permissive=0
+
+avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
+ino=2 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
+
+avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
+ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ policy/modules/system/init.if | 1 +
+ policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 46d3e2f0b..e1933a5bd 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
+ # Allow sysadm to query and set networking settings on the system.
+ systemd_dbus_chat_networkd(sysadm_t)
+ fs_read_nsfs_files(sysadm_t)
++
++ systemd_sysadm_user(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 0171ee299..8ca29f654 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
++ allow $1 initrc_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 38adf050c..5c44d8d8a 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -57,7 +57,7 @@ template(`systemd_role_template',`
+ allow $1_systemd_t self:process { getsched signal };
+ allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+ corecmd_shell_domtrans($1_systemd_t, $3)
+ corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -88,8 +88,11 @@ template(`systemd_role_template',`
+
+ fs_manage_cgroup_files($1_systemd_t)
+ fs_watch_cgroup_files($1_systemd_t)
++ files_watch_etc_dirs($1_systemd_t)
++ fs_getattr_xattr_fs($1_systemd_t)
+
+ kernel_dontaudit_getattr_proc($1_systemd_t)
++ kernel_read_network_state($1_systemd_t)
+
+ selinux_use_status_page($1_systemd_t)
+
+@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
+ init_search_runtime($1)
+ allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+ allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
++ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
+ init_unix_stream_socket_connectto($1)
+ ')
+
+@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+ ')
++
++#########################################
++## <summary>
++## sysadm user for systemd --user
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_sysadm_user',`
++ gen_require(`
++ type sysadm_systemd_t;
++ ')
++
++ allow sysadm_systemd_t self:capability { mknod sys_admin };
++ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++ allow sysadm_systemd_t self:process setrlimit;
++ allow $1 sysadm_systemd_t:system reload;
++')
+--
+2.17.1
+
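Review bot: the `init.if` change is wider than the problem it fixes: adding `allow $1 initrc_t:unix_stream_socket connectto;` to `init_unix_stream_socket_connectto` grants every caller of that interface a connect to any `initrc_t` stream socket, while the listed denials only concern `local_login_t` and `systemd_logind_t` connecting to `/run/systemd/userdb/io.systemd.Multiplexer`. The narrower fix is to put that rule inside `systemd_stream_connect_userdb` next to the `lnk_file` rule this patch already adds there, and leave the generic interface alone. Two further points in the same hunk: `noatsecure` is added to the `$1_systemd_t $3:process` permission set, but none of the AVC denials in the commit message is a `noatsecure` denial, so that addition needs its own justification (it disables secure-execution handling on the transition into the user domain); and the new `systemd_sysadm_user` interface documents its parameter as `<param name="role">` although `$1` is used as a domain (`sysadm_t` in the `sysadm.te` hunk) that is granted `sysadm_systemd_t:system reload`, so the summary should read "Domain allowed access". The capability grants (`sys_admin`, `mknod`, `bpf`, `perfmon`) for `sysadm_systemd_t` are broad for a per-user manager and deserve a comment tying each one to the denial it answers.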
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
deleted file mode 100644
index fd8d527..0000000
--- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 20e6395a7e8bce552fb0190dbc57d836d763fc18 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Sun, 28 Jun 2020 16:14:45 +0800
-Subject: [PATCH] policy/modules/services/ssh: make respective init scripts
- create pid dirs with proper contexts
-
-Fix sshd starup failure.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/ssh.te | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2bbf50e84..ad0a1b7ad 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t)
- type sshd_keytab_t;
- files_type(sshd_keytab_t)
-
--ifdef(`distro_debian',`
-- init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
--')
-+init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
-
- ##############################
- #
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-sysnetwork-support-priviledge-.patch
similarity index 77%
rename from recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch
rename to recipes-security/refpolicy/refpolicy/0046-policy-modules-system-sysnetwork-support-priviledge-.patch
index 64cc90e..825cc25 100644
--- a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-sysnetwork-support-priviledge-.patch
@@ -1,4 +1,4 @@
-From ab462f0022c35fde984dbe792ce386f5d507aeeb Mon Sep 17 00:00:00 2001
+From 7a24e7be73fefc64f0759417c89f887f32d75521 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Thu, 24 Sep 2020 14:05:52 +0800
Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
@@ -80,26 +80,38 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/sysnetwork.te | 7 +++++++
- 1 file changed, 7 insertions(+)
+ policy/modules/system/sysnetwork.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index cb1434180..a9297f976 100644
+index 4c317cc4c..05a9a52b8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -72,6 +72,11 @@ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
- allow dhcpc_t self:rawip_socket create_socket_perms;
- allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
-
+@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
+ dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
+ allow dhcpc_t self:packet_socket create_socket_perms;
+ allow dhcpc_t self:netlink_generic_socket create_socket_perms;
+ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow dhcpc_t self:process setrlimit;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+ allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
+allow dhcpc_t self:unix_stream_socket connectto;
-+
+
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
- exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-@@ -145,6 +150,7 @@ files_manage_var_files(dhcpc_t)
+@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
fs_search_cgroup_dirs(dhcpc_t)
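Review bot: the line `+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };` is kept as a second `self:capability` rule directly under the existing `{ dac_override fsetid net_admin ... }` set; since the rebased patch now already edits the adjacent process-perms line in place to add `setrlimit` (replacing the old standalone `+allow dhcpc_t self:process setrlimit;`), fold the four capabilities into the existing set the same way rather than leaving two allow rules for the same class. Also, the hunk header context still shows the original subject typo `priviledge`, which is carried into the renamed file name; fixing it while the file is being renamed anyway would save a second rename later.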
@@ -107,7 +119,7 @@ index cb1434180..a9297f976 100644

term_dontaudit_use_all_ttys(dhcpc_t)
term_dontaudit_use_all_ptys(dhcpc_t)
-@@ -180,6 +186,7 @@ ifdef(`init_systemd',`
+@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
init_stream_connect(dhcpc_t)
init_get_all_units_status(dhcpc_t)
init_search_units(dhcpc_t)
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
deleted file mode 100644
index cafdd61..0000000
--- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f0249cb5802af7f9113786940d0c49e786f774ae Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 29 Jun 2020 14:27:02 +0800
-Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty
- perms
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/kernel/terminal.if | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e8c0735eb..9ccecfa0d 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -119,9 +119,7 @@ interface(`term_user_tty',`
-
- # Debian login is from shadow utils and does not allow resetting the perms.
- # have to fix this!
-- ifdef(`distro_debian',`
-- type_change $1 ttynode:chr_file $2;
-- ')
-+ type_change $1 ttynode:chr_file $2;
-
- tunable_policy(`console_login',`
- # When user logs in from /dev/console, relabel it
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
similarity index 76%
rename from recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
rename to recipes-security/refpolicy/refpolicy/0047-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
index 8de3d5f..1cdcdf6 100644
--- a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
@@ -1,4 +1,4 @@
-From 7418cd97f2c92579bd4d18cbd9063f811ff9a81e Mon Sep 17 00:00:00 2001
+From a3064ede10818704c4d316fb98b331ab6b957100 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 9 Feb 2021 16:42:36 +0800
Subject: [PATCH] policy/modules/services/acpi: allow acpid to watch the
@@ -11,7 +11,7 @@ avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0

-Upstream-Status: Inappropriate [embedded specific]
+Upstream-Status: Pending

Signed-off-by: Yi Zhao <yi.zhao@...>
---
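Review bot: `Upstream-Status: Pending` means not yet sent upstream; if this `dev_watch_dev_dirs(acpid_t)` change has in fact been submitted to refpolicy, mark it `Submitted` with the list or pull-request reference so the status can be checked at the next rebase, otherwise note in the commit message that submission is planned.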
@@ -19,17 +19,17 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
-index 69f1dab4a..5c22adecd 100644
+index 69f1dab4a..56f72081e 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
-@@ -105,6 +105,7 @@ dev_rw_acpi_bios(acpid_t)
+@@ -103,6 +103,7 @@ dev_read_realtime_clock(acpid_t)
+ dev_read_urand(acpid_t)
+ dev_rw_acpi_bios(acpid_t)
dev_rw_sysfs(acpid_t)
++dev_watch_dev_dirs(acpid_t)
dev_dontaudit_getattr_all_chr_files(acpid_t)
dev_dontaudit_getattr_all_blk_files(acpid_t)
-+dev_watch_dev_dirs(acpid_t)

- files_exec_etc_files(acpid_t)
- files_read_etc_runtime_files(acpid_t)
--
2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-modutils-allow-kmod_t-to-write.patch
similarity index 73%
rename from recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch
rename to recipes-security/refpolicy/refpolicy/0048-policy-modules-system-modutils-allow-kmod_t-to-write.patch
index b644571..fac4cc1 100644
--- a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-modutils-allow-kmod_t-to-write.patch
@@ -1,4 +1,4 @@
-From 7002b4e33b949b474a0ce0b78a7f2e180dbbc9bb Mon Sep 17 00:00:00 2001
+From 919897d048ac0123ee6d144762835066fc8e8d8f Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 9 Feb 2021 17:31:55 +0800
Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys
@@ -14,22 +14,21 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/modutils.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/system/modutils.te | 1 +
+ 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index ee249ae04..b8769bc02 100644
+index 5b4f0aca1..008f286a8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -43,6 +43,8 @@ allow kmod_t self:rawip_socket create_socket_perms;
+@@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms;
+ allow kmod_t self:rawip_socket create_socket_perms;

allow kmod_t self:lockdown confidentiality;
-
+allow kmod_t self:key write;
-+
+
# Read module config and dependency information
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
- read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
--
2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
deleted file mode 100644
index 54dd451..0000000
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 74f611538d63cdf4157e6b5f4b982cafe0378b9a Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 29 Jun 2020 14:30:58 +0800
-Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read
- /var/lib
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/selinuxutil.te | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 8f8f42ec7..a505b3987 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -549,10 +549,8 @@ userdom_map_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
- userdom_map_user_tmp_files(semanage_t)
-
--ifdef(`distro_debian',`
-- files_read_var_lib_files(semanage_t)
-- files_read_var_lib_symlinks(semanage_t)
--')
-+files_read_var_lib_files(semanage_t)
-+files_read_var_lib_symlinks(semanage_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-su-allow-su-to-map-SELinux-stat.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-su-allow-su-to-map-SELinux-stat.patch
new file mode 100644
index 0000000..66a9177
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-su-allow-su-to-map-SELinux-stat.patch
@@ -0,0 +1,68 @@
+From 7447fdc3d7d70a74c93ceec342650f37f6293150 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Sat, 18 Dec 2021 09:26:43 +0800
+Subject: [PATCH] policy/modules/admin/su: allow su to map SELinux status page
+
+We encountered a su runtime error with selinux 3.3:
+$ su - user1
+su: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
+Segmentation fault
+
+Fixes:
+avc: denied { map } for pid=558 comm="su"
+path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
+scontext=root:sysadm_r:sysadm_su_t tcontext=system_u:object_r:security_t
+tclass=file permissive=0
+
+avc: denied { getattr } for pid=570 comm="su" name="/" dev="proc"
+ino=1 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:proc_t
+tclass=filesystem permissive=0
+
+avc: denied { use } for pid=344 comm="su"
+path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661
+scontext=root:sysadm_r:sysadm_su_t
+tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/admin/su.if | 2 ++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index b780d13cf..cd34cd9dd 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -164,6 +164,7 @@ template(`su_role_template',`
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+ kernel_link_key($1_su_t)
++ kernel_dontaudit_getattr_proc($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+@@ -172,6 +173,7 @@ template(`su_role_template',`
+
+ # needed for pam_rootok
+ selinux_compute_access_vector($1_su_t)
++ selinux_use_status_page($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 9092bb8b4..43b5892d5 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
++domain_read_all_domains_state(systemd_logind_t)
+
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+--
+2.17.1
+
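Review bot: the third denial listed under `Fixes:` (`avc: denied { use } ... comm="su" path="/run/systemd/sessions/c4.ref" ... tcontext=system_u:system_r:systemd_logind_t tclass=fd`) is not covered by any rule in this patch: `kernel_dontaudit_getattr_proc` silences the `proc_t` getattr, `selinux_use_status_page` answers the `map` on `/sys/fs/selinux/status`, but nothing grants `$1_su_t` `use` on a `systemd_logind_t` fd, so either add that permission in `su_role_template` or drop the denial from the message. Conversely, `domain_read_all_domains_state(systemd_logind_t)` in the `systemd.te` hunk corresponds to none of the listed denials and lets logind read the `/proc` state of every domain; if it is needed for the `su` case, say which access it answers, otherwise narrow it.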
diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
similarity index 76%
rename from recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
rename to recipes-security/refpolicy/refpolicy/0050-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
index 1d6a3c4..818e4a5 100644
--- a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -1,4 +1,4 @@
-From 0d69354886e0b635dd069876b9d53890a5a9cab1 Mon Sep 17 00:00:00 2001
+From 4138862484999c4e89317465472c55aeb2e00491 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Sat, 15 Feb 2014 04:22:47 -0500
Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
@@ -15,22 +15,21 @@ Upstream-Status: Inappropriate [embedded specific]
Signen-off-by: Wenzong Fan <wenzong.fan@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/mount.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index b628c3b2f..f55457bb0 100644
+index e39ab41a8..3481f9294 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -116,6 +116,8 @@ fs_dontaudit_write_all_image_files(mount_t)
+@@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-
+mls_process_write_to_clearance(mount_t)
-+
+
selinux_get_enforce_mode(mount_t)

- storage_raw_read_fixed_disk(mount_t)
--
2.17.1

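Review bot: the context line `Signen-off-by: Wenzong Fan` at the top of this hunk carries a typo in the embedded patch trailer; since the file is being regenerated for the rebase anyway, correct it to `Signed-off-by:` so tooling that parses trailers picks it up. The rule change itself (dropping the extra blank line and keeping `mls_process_write_to_clearance(mount_t)`) is consistent with the updated stat line.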
diff --git a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
similarity index 80%
rename from recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
rename to recipes-security/refpolicy/refpolicy/0051-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
index f441742..f82ab6d 100644
--- a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -1,4 +1,4 @@
-From b83147aa97fe6f51c997256539dff827e3a44edc Mon Sep 17 00:00:00 2001
+From d3184fc3a339f4f3a9246ed704d29e58a4d987bc Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Mon, 28 Jan 2019 14:05:18 +0800
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
@@ -19,23 +19,22 @@ Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/roles/sysadm.te | 3 +++
- 1 file changed, 3 insertions(+)
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index a4abaefe4..aaae73fc3 100644
+index e1933a5bd..0682ed31a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
+@@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t)
+ logging_watch_audit_log(sysadm_t)

mls_process_read_all_levels(sysadm_t)
-
+mls_file_read_all_levels(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
-+
+
selinux_read_policy(sysadm_t)

- ubac_process_exempt(sysadm_t)
--
2.17.1

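Review bot: the subject kept in context, "MLS - sysadm rw to clearance", no longer matches the rules: `mls_file_read_all_levels(sysadm_t)` exempts `sysadm_t` from MLS read restrictions at every level, not up to clearance, and is a stronger grant than the `mls_process_read_all_levels(sysadm_t)` already in context. If the intent really is read-to-clearance, use `mls_file_read_to_clearance(sysadm_t)` (the interface used elsewhere in this series); if all-levels is wanted, update the subject and explain why a sysadm session needs to read above its clearance.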
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
deleted file mode 100644
index f7758c5..0000000
--- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Wed, 3 Feb 2021 09:47:59 +0800
-Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon
- for init_t
-
-Fixes:
-avc: denied { bpf } for pid=1 comm="systemd" capability=39
-scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
-tclass=capability2 permissive=0
-avc: denied { perfmon } for pid=1 comm="systemd" capability=38
-scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
-tclass=capability2 permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/init.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e82177938..b7d494398 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -134,7 +134,7 @@ ifdef(`enable_mls',`
-
- # Use capabilities. old rule:
- allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
--allow init_t self:capability2 { wake_alarm block_suspend };
-+allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon };
- # is ~sys_module really needed? observed:
- # sys_boot
- # sys_tty_config
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
similarity index 65%
rename from recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
rename to recipes-security/refpolicy/refpolicy/0052-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
index 4403997..86e2262 100644
--- a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -1,4 +1,4 @@
-From 7b8290ba52052f90b6221c1b3ccb8f7536f4c41e Mon Sep 17 00:00:00 2001
+From 2839864245e45f57fd77c09136027b93cfd28dcc Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
@@ -11,12 +11,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
policy/modules/kernel/kernel.te | 2 ++
- policy/modules/services/rpc.te | 2 ++
- policy/modules/services/rpcbind.te | 6 ++++++
- 3 files changed, 10 insertions(+)
+ policy/modules/services/rpcbind.te | 5 +++++
+ 2 files changed, 7 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5ce6e041b..c1557ddb2 100644
+index ca951cb44..a32c59eb1 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
@@ -28,24 +27,11 @@ index 5ce6e041b..c1557ddb2 100644

ifdef(`distro_redhat',`
# Bugzilla 222337
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 87b6b4561..9618df04e 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -341,6 +341,8 @@ storage_raw_read_removable_device(nfsd_t)
-
- miscfiles_read_public_files(nfsd_t)
-
-+mls_file_read_to_clearance(nfsd_t)
-+
- tunable_policy(`allow_nfsd_anon_write',`
- miscfiles_manage_public_files(nfsd_t)
- ')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 8972980fa..5c89a1343 100644
+index e1eb7d5fc..da0994749 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
-@@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t)
+@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)

miscfiles_read_localization(rpcbind_t)

@@ -53,7 +39,6 @@ index 8972980fa..5c89a1343 100644
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
-+mls_file_read_to_clearance(rpcbind_t)
+
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcbind_t)
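Review bot: `-+mls_file_read_to_clearance(rpcbind_t)` drops a rule with no reason given in the patch body or in the series description; if the rebase target already carries it, say so, and if it was dropped on purpose, say what changed, because the surrounding comment still explains why rpcbind_t needs cross-level access. While this hunk is being touched, the retained comment line `+# because the are running in different level.` has a typo ("they are running at different levels") that could be fixed in the same edit.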
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
deleted file mode 100644
index aa49ac7..0000000
--- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 5db5b20728dff6c5e75dc07ea4feb6c507661b62 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Wed, 8 Jul 2020 13:53:28 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to
- watch initrc_runtime_t
-
-Fixes:
-avc: denied { watch } for pid=200 comm="systemd-logind"
-path="/run/utmp" dev="tmpfs" ino=12766
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
-
-systemd-logind[200]: Failed to create inotify watch on /var/run/utmp, ignoring: Permission denied
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 0411729ea..2d9d7d331 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -651,6 +651,8 @@ init_stop_all_units(systemd_logind_t)
- init_start_system(systemd_logind_t)
- init_stop_system(systemd_logind_t)
-
-+allow systemd_logind_t initrc_runtime_t:file watch;
-+
- locallogin_read_state(systemd_logind_t)
-
- seutil_libselinux_linked(systemd_logind_t)
---
-2.17.1
-
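Review bot: deleting this patch removes `allow systemd_logind_t initrc_runtime_t:file watch;` and nothing in the visible change shows an equivalent rule arriving from elsewhere. The commit message for the deletion should cite the upstream refpolicy commit that makes it redundant; otherwise the `avc: denied { watch }` on /run/utmp quoted in the patch description would simply reappear after the upgrade, and the "Failed to create inotify watch" log line is the symptom to check for when verifying.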
diff --git a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
similarity index 85%
rename from recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
rename to recipes-security/refpolicy/refpolicy/0053-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
index 02aa5e3..917010d 100644
--- a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -1,4 +1,4 @@
-From bc6872d164d09355ee82dc97c4e3d99a6b6669b3 Mon Sep 17 00:00:00 2001
+From 778913f4f6508e539f27e678e3fbd77fe4763ae8 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 30 Jun 2020 10:18:20 +0800
Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 0f2835575..9f4f11397 100644
+index f3421fdbb..d87ee5583 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
-@@ -51,6 +51,8 @@ miscfiles_read_localization(dmesg_t)
+@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_user_terminals(dmesg_t)

diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
deleted file mode 100644
index a4b387a..0000000
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 14 May 2019 16:02:19 +0800
-Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
- /dev/log
-
-* Set labe devlog_t to symlink /dev/log
-* Allow syslogd_t to manage devlog_t link file
-
-Fixes:
-avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
-dev="devtmpfs" ino=10997
-scontext=system_u:system_r:syslogd_t:s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/logging.fc | 2 ++
- policy/modules/system/logging.if | 4 ++++
- policy/modules/system/logging.te | 1 +
- 3 files changed, 7 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index a4ecd570a..02f0b6270 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,4 +1,5 @@
- /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
-
- /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -24,6 +25,7 @@
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 9bb3afdb2..7233a108c 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
- ')
-
- allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
-
- # systemd journal socket is in /run/systemd/journal/dev-log
- init_search_run($1)
-@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
- ')
-
- allow $1 devlog_t:sock_file relabelto_sock_file_perms;
-+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
- ')
-
- ########################################
-@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
-
- allow $1 devlog_t:sock_file manage_sock_file_perms;
- dev_filetrans($1, devlog_t, sock_file)
-+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
-+ dev_filetrans($1, devlog_t, lnk_file)
- init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
- ')
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b3254f63..d864cfd3d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
- files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
- init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
-
---
-2.17.1
-
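Review bot: this deletion drops the `/dev/log -l` file context and all three `devlog_t:lnk_file` rules at once, spread over logging.fc, logging.if and logging.te. If only part of that has landed upstream, the `{ unlink }` denial for rsyslogd quoted in the description comes back, so the commit message should name the upstream commit that covers each of the three files rather than treating the patch as a single unit.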
diff --git a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 91%
rename from recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 733fbad..2d97631 100644
--- a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From e7b9af24946f5f76e8e6831bfeb444c0153298be Mon Sep 17 00:00:00 2001
+From d43a88f8455fbd1ddf627a478f6a7c5422aca1dd Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Fri, 13 Oct 2017 07:20:40 +0000
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -55,23 +55,22 @@ Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Wenzong Fan <wenzong.fan@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/kernel/kernel.te | 3 +++
- 1 file changed, 3 insertions(+)
+ policy/modules/kernel/kernel.te | 2 ++
+ 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index c1557ddb2..8f67c6ec9 100644
+index a32c59eb1..1c53754ee 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
+@@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
mls_socket_write_all_levels(kernel_t)
mls_fd_use_all_levels(kernel_t)
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=667370
+mls_file_downgrade(kernel_t)
-+
+
ifdef(`distro_redhat',`
# Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
--
2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
deleted file mode 100644
index f7abefb..0000000
--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: support systemd --user
-
-Fixes:
-$ systemctl status user@0.service
-* user@0.service - User Manager for UID 0
- Loaded: loaded (/lib/systemd/system/user@.service; static)
- Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
- Docs: man:user@.service(5)
- Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
- Main PID: 1502 (code=exited, status=1/FAILURE)
-
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te | 2 +
- policy/modules/system/init.if | 1 +
- policy/modules/system/logging.te | 5 ++-
- policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
- 4 files changed, 81 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1642f3b93..1de7e441d 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
- # Allow sysadm to resolve the username of dynamic users by calling
- # LookupDynamicUserByUID on org.freedesktop.systemd1.
- init_dbus_chat(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
- ')
-
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ba533ba1a..98e94283f 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
- ')
-
- allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
- ')
-
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d864cfd3d..bdd97631c 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
- # for systemd-journal
- allow syslogd_t self:netlink_audit_socket connected_socket_perms;
- allow syslogd_t self:capability2 audit_read;
-- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-
- # remove /run/log/journal when switching to permanent storage
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
- systemd_manage_journal_files(syslogd_t)
-
- udev_read_runtime_files(syslogd_t)
-+
-+ userdom_search_user_runtime(syslogd_t)
-+ systemd_search_user_runtime(syslogd_t)
- ')
-
- ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6a66a2d79..152139261 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -30,6 +30,7 @@ template(`systemd_role_template',`
- attribute systemd_user_session_type, systemd_log_parse_env_type;
- type systemd_user_runtime_t, systemd_user_runtime_notify_t;
- type systemd_run_exec_t, systemd_analyze_exec_t;
-+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
- ')
-
- #################################
-@@ -55,10 +56,42 @@ template(`systemd_role_template',`
-
- allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
-+ allow $1_systemd_t self:process setrlimit;
-+
-+ kernel_getattr_proc($1_systemd_t)
-+ fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+
-+ userdom_search_user_home_dirs($1_systemd_t)
-+ allow $1_systemd_t $3:dir search_dir_perms;
-+ allow $1_systemd_t $3:file read_file_perms;
-+
-+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
-+
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+
- # This domain is per-role because of the below transitions.
- # See the systemd --user section of systemd.te for the
- # remainder of the rules.
-- allow $1_systemd_t $3:process { setsched rlimitinh };
-+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
- corecmd_shell_domtrans($1_systemd_t, $3)
- corecmd_bin_domtrans($1_systemd_t, $3)
- allow $1_systemd_t self:process signal;
-@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
- init_search_runtime($1)
- allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
- allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
- init_unix_stream_socket_connectto($1)
- ')
-
-@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
- allow $1 systemd_machined_t:fd use;
- allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+## <summary>
-+## sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow $1 sysadm_systemd_t:system reload;
-+')
-+
-+#######################################
-+## <summary>
-+## Search systemd users runtime directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_search_user_runtime',`
-+ gen_require(`
-+ type systemd_user_runtime_t;
-+ ')
-+
-+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
-+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
-+')
---
-2.17.1
-
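Review bot: besides the allow rules, this deletion removes the `systemd_sysadm_user` and `systemd_search_user_runtime` interfaces, the `systemd_sysadm_user(sysadm_t)` call in sysadm.te and the `dac_read_search` capability for syslogd_t. Any other local patch in the series that still calls either interface will fail to build once this file is gone, so please confirm none does, and cite the upstream commit that makes `user@.service` start without these rules, since the description documents a hard failure (status=1/FAILURE) rather than a cosmetic denial.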
diff --git a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 90%
rename from recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index 74d7428..ccdd020 100644
--- a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From ee3e2bbaf3b94902aadebbb085c7e86b8d074e98 Mon Sep 17 00:00:00 2001
+From 385e966658eecba2c7025b05b164087fd4f7af40 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Fri, 15 Jan 2016 03:47:05 -0500
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index b7d494398..b6750015e 100644
+index 932d1f7b3..36becaa6e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -210,6 +210,10 @@ mls_process_write_all_levels(init_t)
+@@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)

diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
deleted file mode 100644
index 9d4bbf7..0000000
--- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 954a49ec0a4dc64fd9e513abe7a737d956b337ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 9 Feb 2021 17:50:24 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd-generators to
- get the attributes of tmpfs and cgroup
-
-* Allow systemd-generators to get the attributes of a tmpfs
-* Allow systemd-generators to get the attributes of cgroup filesystems
-
-Fixes:
-systemd[95]: /lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=98 comm="systemd-getty-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=104 comm="systemd-sysv-ge" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=100 comm="systemd-hiberna" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=99 comm="systemd-gpt-aut" name="/"
-dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g"
-path="/var/volatile" dev="vda" ino=37131
-scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2d9d7d331..c1111198d 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -431,6 +431,9 @@ files_list_usr(systemd_generator_t)
-
- fs_list_efivars(systemd_generator_t)
- fs_getattr_xattr_fs(systemd_generator_t)
-+fs_getattr_tmpfs(systemd_generator_t)
-+fs_getattr_cgroup(systemd_generator_t)
-+kernel_getattr_unlabeled_dirs(systemd_generator_t)
-
- init_create_runtime_files(systemd_generator_t)
- init_manage_runtime_dirs(systemd_generator_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
deleted file mode 100644
index 1c1b459..0000000
--- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8b0bb1e349e2ea021acec1639be0802ac4d7d0c2 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 4 Feb 2021 15:13:50 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_backlight_t to
- read kernel sysctl
-
-Fixes:
-avc: denied { search } for pid=354 comm="systemd-backlig" name="sys"
-dev="proc" ino=4026531854
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c1111198d..7d2ba2796 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -324,6 +324,8 @@ udev_read_runtime_files(systemd_backlight_t)
-
- files_search_var_lib(systemd_backlight_t)
-
-+kernel_read_kernel_sysctls(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
rename to recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
index 2832681..d664d03 100644
--- a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -1,4 +1,4 @@
-From 8cdcca3702d69ed5f3aa9ce9d769ad483f977094 Mon Sep 17 00:00:00 2001
+From f0714bf417de5f7d6e3183a494153d568e1526b8 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7d2ba2796..c50a2ba64 100644
+index 43b5892d5..ae155ffae 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -1396,6 +1396,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)

systemd_log_parse_environment(systemd_tmpfiles_t)

diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
deleted file mode 100644
index d283879..0000000
--- a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5973dc3824b395ce9f6620e3ae432664cc357b66 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Thu, 4 Feb 2016 02:10:15 -0500
-Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
- failures
-
-Fixes:
-avc: denied { audit_control } for pid=109 comm="systemd-journal"
-capability=30 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-journal" name="/"
-dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/logging.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index bdd97631c..62caa7a56 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -492,6 +492,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_tmpfs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
-@@ -552,6 +553,8 @@ ifdef(`init_systemd',`
- # needed for systemd-initrd case when syslog socket is unlabelled
- logging_send_syslog_msg(syslogd_t)
-
-+ logging_set_loginuid(syslogd_t)
-+
- systemd_manage_journal_files(syslogd_t)
-
- udev_read_runtime_files(syslogd_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-systemd-make-systemd_-.patch
new file mode 100644
index 0000000..d4ec3c8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -0,0 +1,91 @@
+From e8a5081176bfb6d377371a575d233ac7a43ba57b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Thu, 18 Jun 2020 09:59:58 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
+ MLS trusted for writing/reading from files up to its clearance
+
+Fixes:
+audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
+pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
+pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
+dev="devtmpfs" ino=42
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
+tclass=blk_file permissive=0
+
+avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
+dev="devtmpfs" ino=2060
+scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/systemd.te | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index ae155ffae..76bf7be68 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -341,6 +341,9 @@ fs_getattr_tmpfs(systemd_backlight_t)
+ fs_search_cgroup_dirs(systemd_backlight_t)
+ fs_getattr_cgroup(systemd_backlight_t)
+
++mls_file_read_to_clearance(systemd_backlight_t)
++mls_file_write_to_clearance(systemd_backlight_t)
++
+ #######################################
+ #
+ # Binfmt local policy
+@@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+
+ udev_search_runtime(systemd_generator_t)
+
++mls_file_read_to_clearance(systemd_generator_t)
++mls_file_write_to_clearance(systemd_generator_t)
++
+ ifdef(`distro_gentoo',`
+ corecmd_shell_entry_type(systemd_generator_t)
+ ')
+@@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
+ domain_read_all_domains_state(systemd_logind_t)
+
++mls_file_read_to_clearance(systemd_logind_t)
++mls_file_write_to_clearance(systemd_logind_t)
++
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+ # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+@@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t)
+ fs_search_cgroup_dirs(systemd_rfkill_t)
+ fs_getattr_cgroup(systemd_rfkill_t)
+
++mls_file_read_to_clearance(systemd_rfkill_t)
++mls_file_write_to_clearance(systemd_rfkill_t)
++
+ #########################################
+ #
+ # Resolved local policy
+--
+2.17.1
+
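Review bot: the five AVC denials quoted in the description are all for systemd_generator_t, systemd_rfkill_t and systemd_backlight_t (write to kmsg_device_t, one read from fixed_disk_device_t), but the hunk at `@@ -723,6 +729,9 @@` also grants `mls_file_read_to_clearance` and `mls_file_write_to_clearance` to systemd_logind_t with no denial shown for it; either add the logind denial to the description or drop that hunk. The grants are also broader than the evidence: `mls_file_write_to_clearance` lets each domain write any file object up to its clearance (s0-s15:c0.c1023 in the quoted contexts), whereas the denials show only `/dev/kmsg`. If kmsg is the only real need, a narrower rule would be preferable; if the broad grant is intended, the description should say so, because it widens the MLS trust of four systemd helper domains rather than one device path.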
diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
deleted file mode 100644
index b7e7c1d..0000000
--- a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e8ff96c9bb98305d1b50fccce67025df3ebbf184 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 23 May 2019 15:52:17 +0800
-Subject: [PATCH] policy/modules/services/cron: allow crond_t to search
- logwatch_cache_t
-
-Fixes:
-avc: denied { search } for pid=234 comm="crond" name="logcheck"
-dev="vda" ino=29080 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/cron.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index 2902820b0..36eb33060 100644
---- a/policy/modules/services/cron.te
-+++ b/policy/modules/services/cron.te
-@@ -318,6 +318,8 @@ miscfiles_read_localization(crond_t)
-
- userdom_list_user_home_dirs(crond_t)
-
-+logwatch_search_cache_dir(crond_t)
-+
- tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
---
-2.17.1
-
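Review bot: this drops `logwatch_search_cache_dir(crond_t)`, which carried `Upstream-Status: Inappropriate [embedded specific]` and so was never expected to land upstream. The commit message for the series should say why the original `avc: denied { search } ... comm="crond" name="logcheck"` against logwatch_cache_t no longer needs the rule (for example that it does not reproduce on the new refpolicy base), so a reviewer can tell a deliberate tightening from an accidental loss of the fix.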
diff --git a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
rename to recipes-security/refpolicy/refpolicy/0058-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
index d208752..f81dd8d 100644
--- a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -1,4 +1,4 @@
-From 4e7b0040ff558f2d69c8b9a30e73223acb20f35f Mon Sep 17 00:00:00 2001
+From 4149475fabf2315b1a9fa3a5847464369b2f09fd Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
@@ -18,15 +18,15 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 62caa7a56..e608327fe 100644
+index 5b4b5ec5d..e67c25a9e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -495,6 +495,10 @@ fs_search_auto_mountpoints(syslogd_t)
+@@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t)
fs_search_tmpfs(syslogd_t)

mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_file_read_all_levels(syslogd_t)
-+mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
++mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+mls_fd_use_all_levels(syslogd_t)

diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
deleted file mode 100644
index d5e40d0..0000000
--- a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1571e6da8a90bb325a94330dcd130d56bae30b37 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@...>
-Date: Thu, 20 Feb 2014 17:07:05 +0800
-Subject: [PATCH] policy/modules/services/crontab: allow sysadm_r to run
- crontab
-
-This permission has been given if release is not redhat; but we want it
-even we define distro_redhat
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1de7e441d..129e94229 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -1277,6 +1277,10 @@ optional_policy(`
- zebra_admin(sysadm_t, sysadm_r)
- ')
-
-+optional_policy(`
-+ cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
- ifndef(`distro_redhat',`
- optional_policy(`
- auth_role(sysadm_r, sysadm_t)
-@@ -1295,10 +1299,6 @@ ifndef(`distro_redhat',`
- chromium_role(sysadm_r, sysadm_t)
- ')
-
-- optional_policy(`
-- cron_admin_role(sysadm_r, sysadm_t)
-- ')
--
- optional_policy(`
- cryfs_role(sysadm_r, sysadm_t)
- ')
---
-2.17.1
-
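Review bot: removing this patch restores the upstream layout where `cron_admin_role(sysadm_r, sysadm_t)` is only enabled inside the `ifndef(`distro_redhat',` block; the removed patch's own description says the grant was wanted even with distro_redhat defined. If the layer still builds with distro_redhat, sysadm_r loses the crontab role and the commit should say that is intended; if distro_redhat is no longer set for these builds, a one-line note to that effect would make the deletion self-explanatory.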
diff --git a/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 86%
rename from recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0059-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index b7dcaa8..1fdd81e 100644
--- a/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From bbb405ac6270ef945db21cfddda63d283ee5d8af Mon Sep 17 00:00:00 2001
+From caa54da237e9c46810fb30c44e080c4b0de0efcf Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 28 May 2019 16:41:37 +0800
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index b6750015e..962c675b0 100644
+index 36becaa6e..9c0a98eb7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -209,6 +209,7 @@ mls_file_write_all_levels(init_t)
+@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)
diff --git a/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-init-all-init_t-to-read-any-le.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch
rename to recipes-security/refpolicy/refpolicy/0060-policy-modules-system-init-all-init_t-to-read-any-le.patch
index de7271f..1ab6f41 100644
--- a/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch
+++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -1,4 +1,4 @@
-From 2780811e48663df0265676749a4041c077ae6a89 Mon Sep 17 00:00:00 2001
+From eb7d2a22afe8348771411c5fffa0a107e32b2049 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Wed, 3 Feb 2016 04:16:06 -0500
Subject: [PATCH] policy/modules/system/init: all init_t to read any level
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 962c675b0..aa57a5661 100644
+index 9c0a98eb7..5a19f0e43 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -215,6 +215,9 @@ mls_key_write_all_levels(init_t)
+@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t)
mls_file_downgrade(init_t)
mls_file_upgrade(init_t)

diff --git a/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-allow-auditd_t-to-writ.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch
rename to recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-allow-auditd_t-to-writ.patch
index cd93c08..1d37d08 100644
--- a/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -1,4 +1,4 @@
-From a74584ba424cd5e392db2a64b4ec66ebb307eb4c Mon Sep 17 00:00:00 2001
+From 1c96c052fc3768ecdea041372b88dc4486b9a595 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 25 Feb 2016 04:25:08 -0500
Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e608327fe..bdd5c9dff 100644
+index e67c25a9e..f8d8b73f0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -211,6 +211,8 @@ miscfiles_read_localization(auditd_t)
+@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t)

mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
diff --git a/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0062-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 73%
rename from recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0062-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 6b84403..6eea91c 100644
--- a/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0062-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 1bcb41c20d666761bb407bf34c9e3391e16449a7 Mon Sep 17 00:00:00 2001
+From e562fa7a9fc4df3aebf9dc1087d8c04bce684e8c Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Thu, 31 Oct 2019 17:35:59 +0800
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -11,22 +11,21 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/kernel/kernel.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8f67c6ec9..fbcf1413f 100644
+index 1c53754ee..2031576e0 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -362,6 +362,8 @@ mls_fd_use_all_levels(kernel_t)
+@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
# https://bugzilla.redhat.com/show_bug.cgi?id=667370
mls_file_downgrade(kernel_t)
-
+mls_key_write_all_levels(kernel_t)
-+
+
ifdef(`distro_redhat',`
# Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
--
2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch b/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch
deleted file mode 100644
index b692012..0000000
--- a/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 84c69d220ffdd039b88a34f9afc127274a985541 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@...>
-Date: Sat, 22 Feb 2014 13:35:38 +0800
-Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
- /sys/fs/selinux
-
-1. mcstransd failed to boot-up since the below permission is denied
-statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
-
-2. other programs can not connect to /run/setrans/.setrans-unix
-avc: denied { connectto } for pid=2055 comm="ls"
-path="/run/setrans/.setrans-unix"
-scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:setrans_t:s15:c0.c1023
-tclass=unix_stream_socket
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/setrans.te | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 25aadfc5f..78bd6e2eb 100644
---- a/policy/modules/system/setrans.te
-+++ b/policy/modules/system/setrans.te
-@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
- type setrans_unit_t;
- init_unit_file(setrans_unit_t)
-
--ifdef(`distro_debian',`
-- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
--')
-+init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
-
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
---
-2.17.1
-
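Review bot: the removed change made `init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")` unconditional; with the patch gone, the /run/setrans directory transition is again only declared under `ifdef(`distro_debian',`. Both symptoms in the removed description (statfs on /sys/fs/selinux returning EACCES at mcstransd start, and the `connectto` denial on /run/setrans/.setrans-unix from sysadm_t) should be re-tested on the new base, and the commit should say whether upstream setrans.te now creates the directory itself. Note also that the patch subject talks about /sys/fs/selinux but its diff only touched the runtime directory, so the statfs symptom was never addressed by this file in the first place.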
diff --git a/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
rename to recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
index b67f069..8b55dc7 100644
--- a/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -1,4 +1,4 @@
-From e6a08769138d68582c72fe28ed7dd51c118654a5 Mon Sep 17 00:00:00 2001
+From 1f3ce550828f75e85992658ee1660c6de14f0ebe Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@...>
Date: Sat, 22 Feb 2014 13:35:38 +0800
Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
@@ -13,10 +13,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 78bd6e2eb..0dd3a63cd 100644
+index 25aadfc5f..564e2d4d1 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
-@@ -71,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
+@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t)
mls_socket_write_all_levels(setrans_t)
mls_process_read_all_levels(setrans_t)
mls_socket_read_all_levels(setrans_t)
diff --git a/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch b/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
deleted file mode 100644
index dbd1390..0000000
--- a/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 291d3329c280b6b8b70fcc3092ac4d3399936825 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 29 Jun 2020 10:32:25 +0800
-Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
- dirs
-
-Fixes:
-Failed to add a watch for /run/systemd/ask-password: Permission denied
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 129e94229..a4abaefe4 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -83,6 +83,9 @@ ifdef(`init_systemd',`
- init_dbus_chat(sysadm_t)
-
- systemd_sysadm_user(sysadm_t)
-+
-+ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
-+ allow sysadm_t systemd_passwd_runtime_t:dir watch;
- ')
-
- tunable_policy(`allow_ptrace',`
---
-2.17.1
-
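Review bot: this drops the raw `allow sysadm_t systemd_passwd_runtime_t:dir watch;` together with `systemd_filetrans_passwd_runtime_dirs(sysadm_t)`. If an upstream interface now grants the watch permission, name it in the commit message; otherwise the `Failed to add a watch for /run/systemd/ask-password: Permission denied` error from the removed description returns for sysadm_t under init_systemd.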
diff --git a/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0064-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
similarity index 82%
rename from recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
rename to recipes-security/refpolicy/refpolicy/0064-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
index 0a18ca3..0617e58 100644
--- a/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ b/recipes-security/refpolicy/refpolicy/0064-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -1,4 +1,4 @@
-From abb0ef8967130c6a31b45d6dfb0970cf8415fec6 Mon Sep 17 00:00:00 2001
+From c622361394994e7162fc5e65ad0bcd27a6a6a8fb Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Mon, 22 Feb 2021 11:28:12 +0800
Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
@@ -24,13 +24,13 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 152139261..320619289 100644
+index 5c44d8d8a..5f2038f22 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -113,6 +113,9 @@ template(`systemd_role_template',`
-
- seutil_read_file_contexts($1_systemd_t)
- seutil_search_default_contexts($1_systemd_t)
+@@ -171,6 +171,9 @@ template(`systemd_role_template',`
+ xdg_read_config_files($1_systemd_t)
+ xdg_read_data_files($1_systemd_t)
+ ')
+
+ mls_file_read_all_levels($1_systemd_t)
+ mls_file_write_all_levels($1_systemd_t)
diff --git a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-logging-make-syslogd_runtime_t.patch
new file mode 100644
index 0000000..9af58ea
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -0,0 +1,48 @@
+From 11b29e8f71a6dcba4bad6c77de3ec6e7cb339ee8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Sat, 18 Dec 2021 17:31:45 +0800
+Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
+ trusted.
+
+Make syslogd_runtime_t MLS trusted to allow all levels to read and write
+the object.
+
+Fixes:
+avc: denied { search } for pid=314 comm="useradd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=319 comm="passwd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=374 comm="rpc.statd" name="journal"
+dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index f8d8b73f0..badf56f16 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -438,6 +438,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+
++mls_trusted_object(syslogd_runtime_t)
++
+ kernel_read_crypto_sysctls(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+--
+2.17.1
+
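Review bot: `+mls_trusted_object(syslogd_runtime_t)` is broader than the denials it fixes. It lets subjects at every MLS level read and write every object of type syslogd_runtime_t, not only the `journal` directory, while all three denials quoted are `search` on that one directory labelled s15:c0.c1023. A narrower fix is to keep read-to-clearance on the few domains that need the directory, as the patches being removed in this series did, or to arrange for the directory to be created at a low level so callers at any level can search it; if the trusted-object approach is kept, the description should say why the wider grant is acceptable for the log and journal runtime files. Second, the third denial has `tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023` while the first two and the rule itself use syslogd_runtime_t; if this refpolicy keeps syslogd_var_run_t as an alias of syslogd_runtime_t the rule covers it, otherwise the rpc.statd case is unaddressed, so please confirm in the message. Finally, this file is marked `Upstream-Status: Pending` while the rest of the series is `Inappropriate [embedded specific]`; if it has been submitted upstream, a link to the submission helps the next rebase.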
diff --git a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch b/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch
deleted file mode 100644
index a824004..0000000
--- a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From bc821718f7e9575a67c4667decad937cbe5f8514 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 2 Mar 2021 14:25:03 +0800
-Subject: [PATCH] policy/modules/system/selinux: allow setfiles_t to read
- kernel sysctl
-
-Fixes:
-avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
-dev="proc" ino=1241
-scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
-
-avc: denied { open } for pid=171 comm="restorecon"
-path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
-scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
-
-avc: denied { getattr } for pid=171 comm="restorecon" name="/"
-dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/selinuxutil.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index a505b3987..a26f8db03 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -597,6 +597,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
- kernel_dontaudit_list_all_proc(setfiles_t)
- kernel_dontaudit_list_all_sysctls(setfiles_t)
- kernel_getattr_debugfs(setfiles_t)
-+kernel_read_kernel_sysctls(setfiles_t)
-+kernel_getattr_proc(setfiles_t)
-
- dev_read_urand(setfiles_t)
- dev_relabel_all_dev_nodes(setfiles_t)
---
-2.17.1
-
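Review bot: dropping `kernel_read_kernel_sysctls(setfiles_t)` and `kernel_getattr_proc(setfiles_t)` leaves restorecon (setfiles_t) without a rule for reading /proc/sys/kernel/cap_last_cap or for getattr on proc_t. The three denials in the removed description have s0 targets, so they are type-enforcement denials rather than MLS ones and are not covered by any of the mls_* changes elsewhere in this series. State in the commit whether upstream selinuxutil.te now grants these, or the relabel step will regress.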
diff --git a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
deleted file mode 100644
index 5ac5a19..0000000
--- a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7021844f20c5d5c885edf87abf8ce3329bcc5836 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Mon, 23 Jan 2017 08:42:44 +0000
-Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
- trusted for reading from files up to its clearance.
-
-Fixes:
-avc: denied { search } for pid=184 comm="systemd-logind"
-name="journal" dev="tmpfs" ino=10949
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=1
-
-avc: denied { watch } for pid=184 comm="systemd-logind"
-path="/run/utmp" dev="tmpfs" ino=12725
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c50a2ba64..a7390b1cd 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -693,6 +693,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
- userdom_setattr_user_ttys(systemd_logind_t)
- userdom_use_user_ttys(systemd_logind_t)
-
-+mls_file_read_to_clearance(systemd_logind_t)
-+
- # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
- # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
- # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
---
-2.17.1
-
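Review bot: both effects of this patch move elsewhere in the series and the commit message should say so: the journal-directory `search` denial is the case the new mls_trusted_object(syslogd_runtime_t) patch addresses, and `mls_file_read_to_clearance(systemd_logind_t)` reappears in the consolidated systemd.te patch at the head of this diff, there paired with a write-to-clearance grant this patch never had. The second denial here (`watch` on /run/utmp labelled initrc_runtime_t:s0) is against an s0 object and so was never an MLS failure; an mls_* interface does not grant `watch`, so it needs to be checked separately if it still occurs.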
diff --git a/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch b/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
deleted file mode 100644
index 3ea0085..0000000
--- a/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 6e3e1a5f79d6deab2966fc74c64720e90d248f3d Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 18 Jun 2020 09:39:23 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-user-sessions: make
- systemd_sessions_t MLS trusted for reading/writing from files at all levels
-
-Fixes:
-avc: denied { search } for pid=229 comm="systemd-user-se"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { write } for pid=229 comm="systemd-user-se" name="kmsg"
-dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a7390b1cd..f0b0e8b92 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1261,6 +1261,8 @@ seutil_read_file_contexts(systemd_sessions_t)
-
- systemd_log_parse_environment(systemd_sessions_t)
-
-+mls_file_read_to_clearance(systemd_sessions_t)
-+mls_file_write_all_levels(systemd_sessions_t)
-
- #########################################
- #
---
-2.17.1
-
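Review bot: systemd_sessions_t is not among the four domains in the new consolidated systemd.te patch (backlight, generator, logind, rfkill), so both `mls_file_read_to_clearance(systemd_sessions_t)` and `mls_file_write_all_levels(systemd_sessions_t)` disappear with this deletion. The journal `search` denial is covered by the syslogd_runtime_t trusted-object change, but the `write` to kmsg_device_t:s15:c0.c1023 is not. Confirm that upstream now handles systemd-user-sessions writing to /dev/kmsg, or carry the grant over, preferably as write-to-clearance (as the other kmsg writers in the consolidated patch receive) rather than write at all levels.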
diff --git a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
deleted file mode 100644
index cb8e821..0000000
--- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 18 Jun 2020 09:59:58 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
- MLS trusted for writing/reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=219 comm="systemd-network"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=220 comm="systemd-resolve"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=15102
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=142 comm="systemd-modules"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
-pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
-pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
-dev="devtmpfs" ino=42
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
-tclass=blk_file permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam" name="/"
-dev="tmpfs" ino=17310
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-rfkill"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
-dev="devtmpfs" ino=2060
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { search } for pid=354 comm="systemd-backlig"
-name="journal" dev="tmpfs" ino=1183
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f0b0e8b92..7b2d359b7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
-
- kernel_read_kernel_sysctls(systemd_backlight_t)
-
-+mls_file_write_to_clearance(systemd_backlight_t)
-+mls_file_read_to_clearance(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
-@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
-
- term_use_unallocated_ttys(systemd_generator_t)
-
-+mls_file_write_to_clearance(systemd_generator_t)
-+mls_file_read_to_clearance(systemd_generator_t)
-+
- ifdef(`distro_gentoo',`
- corecmd_shell_entry_type(systemd_generator_t)
- ')
-@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
-
- systemd_log_parse_environment(systemd_hostnamed_t)
-
-+mls_file_read_to_clearance(systemd_hostnamed_t)
-+
- optional_policy(`
- dbus_connect_system_bus(systemd_hostnamed_t)
- dbus_system_bus_client(systemd_hostnamed_t)
-@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
-
- systemd_log_parse_environment(systemd_modules_load_t)
-
-+mls_file_read_to_clearance(systemd_modules_load_t)
-+
- ########################################
- #
- # networkd local policy
-@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
-
- systemd_log_parse_environment(systemd_networkd_t)
-
-+mls_file_read_to_clearance(systemd_networkd_t)
-+
- optional_policy(`
- dbus_system_bus_client(systemd_networkd_t)
- dbus_connect_system_bus(systemd_networkd_t)
-@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
-
- systemd_log_parse_environment(systemd_rfkill_t)
-
-+mls_file_write_to_clearance(systemd_rfkill_t)
-+mls_file_read_to_clearance(systemd_rfkill_t)
-+
- #########################################
- #
- # Resolved local policy
-@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
-
- seutil_read_file_contexts(systemd_resolved_t)
-
-+mls_file_read_to_clearance(systemd_resolved_t)
-+
- systemd_log_parse_environment(systemd_resolved_t)
- systemd_read_networkd_runtime(systemd_resolved_t)
-
---
-2.17.1
-
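Review bot: dropping this patch removes more than the read grants: `mls_file_write_to_clearance` for systemd_backlight_t, systemd_generator_t and systemd_rfkill_t goes away too. Relabelling the journal directory (which is what the per-domain read grants were working around, per the Fixes blocks of the sibling patches) presumably covers the read side, but nothing in this series says what happens to the write side for those three domains on an MLS image; please state in the commit message that they were boot-tested in enforcing mode without new write denials, or carry the three write grants forward in a narrower patch.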
diff --git a/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
deleted file mode 100644
index 250d89b..0000000
--- a/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a105ea8b48c5e9ada567c7f6347f3875df7098a0 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 18 Jun 2020 10:21:04 +0800
-Subject: [PATCH] policy/modules/services/ntp: make nptd_t MLS trusted for
- reading from files at all levels
-
-Fixes:
-avc: denied { search } for pid=193 comm="systemd-timesyn"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { read } for pid=193 comm="systemd-timesyn" name="dbus"
-dev="tmpfs" ino=13971 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/ntp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index 1626ae87a..c8a1f041b 100644
---- a/policy/modules/services/ntp.te
-+++ b/policy/modules/services/ntp.te
-@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
- userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
- userdom_list_user_home_dirs(ntpd_t)
-
-+mls_file_read_all_levels(ntpd_t)
-+
- ifdef(`init_systemd',`
- allow ntpd_t self:process setfscreate;
-
---
-2.17.1
-
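Review bot: this is the only one of the deleted patches that used `mls_file_read_all_levels(ntpd_t)` rather than `mls_file_read_to_clearance`, i.e. it let ntpd_t read files at any MLS level, so removing it is a real privilege reduction and worth calling out as such. Note also that the second denial in its Fixes block (read of `system_dbusd_runtime_t:s0`) is not the journal-directory label problem that the other patches address, so check that it does not reappear once this patch is gone.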
diff --git a/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch b/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
deleted file mode 100644
index cc2d5dd..0000000
--- a/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 15c99854aa21564a6eb1121f58f55a9626ba6297 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 10 Jul 2020 09:07:00 +0800
-Subject: [PATCH] policy/modules/services/acpi: make acpid_t domain MLS trusted
- for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=265 comm="acpid" name="journal"
-dev="tmpfs" ino=14165 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/acpi.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
-index 5c22adecd..bd442ff8a 100644
---- a/policy/modules/services/acpi.te
-+++ b/policy/modules/services/acpi.te
-@@ -157,6 +157,8 @@ userdom_dontaudit_use_unpriv_user_fds(acpid_t)
- userdom_dontaudit_search_user_home_dirs(acpid_t)
- userdom_dontaudit_search_user_home_content(acpid_t)
-
-+mls_file_read_to_clearance(acpid_t)
-+
- optional_policy(`
- automount_domtrans(acpid_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
deleted file mode 100644
index 3cfe2c0..0000000
--- a/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5cd8a1121685c269238c89ea22743441541cf108 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 23 Jun 2020 08:19:16 +0800
-Subject: [PATCH] policy/modules/services/avahi: make avahi_t MLS trusted for
- reading from files up to its clearance
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/avahi.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index 674cdcb81..8ddd922e5 100644
---- a/policy/modules/services/avahi.te
-+++ b/policy/modules/services/avahi.te
-@@ -95,6 +95,8 @@ sysnet_etc_filetrans_config(avahi_t)
- userdom_dontaudit_use_unpriv_user_fds(avahi_t)
- userdom_dontaudit_search_user_home_dirs(avahi_t)
-
-+mls_file_read_to_clearance(avahi_t)
-+
- optional_policy(`
- dbus_system_domain(avahi_t, avahi_exec_t)
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch b/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
deleted file mode 100644
index a784657..0000000
--- a/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3c74f403cb38410ea7e1de0e61dafa80a60c5ba5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 10 Jul 2020 09:18:12 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: make bluetooth_t domain
- MLS trusted for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=268 comm="bluetoothd" name="journal"
-dev="tmpfs" ino=14165
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/bluetooth.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index b3df695db..931021346 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -132,6 +132,8 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
- init_dbus_send_script(bluetooth_t)
- systemd_dbus_chat_hostnamed(bluetooth_t)
-
-+mls_file_read_to_clearance(bluetooth_t)
-+
- optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch b/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
deleted file mode 100644
index 2ba3100..0000000
--- a/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 1ab2ca67db9205f484ebce022be9c9a42bacc802 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Thu, 23 Feb 2017 08:18:36 +0000
-Subject: [PATCH] policy/modules/system/sysnetwork: make dhcpc_t domain MLS
- trusted for reading from files up to its clearance
-
-Allow dhcpc_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=218 comm="dhclient" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a9297f976..b6fd3f907 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -170,6 +170,8 @@ sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-
-+mls_file_read_to_clearance(dhcpc_t)
-+
- ifdef(`distro_redhat', `
- files_exec_etc_files(dhcpc_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch b/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
deleted file mode 100644
index abf5cd9..0000000
--- a/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2a54a7cab41aaddc113ed71d68f82e37661c3487 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 3 Jul 2020 08:57:51 +0800
-Subject: [PATCH] policy/modules/services/inetd: make inetd_t domain MLS
- trusted for reading from files up to its clearance
-
-Allow inetd_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=286 comm="xinetd" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/inetd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index 1a6ad6e1a..8d1fc0241 100644
---- a/policy/modules/services/inetd.te
-+++ b/policy/modules/services/inetd.te
-@@ -161,6 +161,7 @@ mls_socket_read_to_clearance(inetd_t)
- mls_socket_write_to_clearance(inetd_t)
- mls_net_outbound_all_levels(inetd_t)
- mls_process_set_level(inetd_t)
-+mls_file_read_to_clearance(inetd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(inetd_t)
- userdom_dontaudit_search_user_home_dirs(inetd_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch b/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
deleted file mode 100644
index 5be48df..0000000
--- a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 3 Jul 2020 09:42:21 +0800
-Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted
- for reading from files up to its clearance
-
-Allow named_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=295 comm="isc-worker0000"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:named_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/bind.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index bf50763bd..be1813cb9 100644
---- a/policy/modules/services/bind.te
-+++ b/policy/modules/services/bind.te
-@@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t)
- userdom_dontaudit_use_unpriv_user_fds(named_t)
- userdom_dontaudit_search_user_home_dirs(named_t)
-
-+mls_file_read_to_clearance(named_t)
-+
- tunable_policy(`named_tcp_bind_http_port',`
- corenet_sendrecv_http_server_packets(named_t)
- corenet_tcp_bind_http_port(named_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
deleted file mode 100644
index 7adaea0..0000000
--- a/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58cdf21546b973b458a26ea4b3a523275a80aca5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 30 May 2019 08:30:06 +0800
-Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
- reading from files up to its clearance
-
-Fixes:
-type=AVC msg=audit(1559176077.169:242): avc: denied { search } for
-pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
-scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/rpc.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 9618df04e..84caefbbb 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -275,6 +275,8 @@ seutil_dontaudit_search_config(rpcd_t)
-
- userdom_signal_all_users(rpcd_t)
-
-+mls_file_read_to_clearance(rpcd_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcd_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch b/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
deleted file mode 100644
index 370bc64..0000000
--- a/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 311d4759340f2af1e1e157d571802e4367e0a46b Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 2 Aug 2021 09:38:39 +0800
-Subject: [PATCH] fc/usermanage: update file context for chfn/chsh
-
-The util-linux has provided chfn and chsh since oe-core commit
-804c6b5bd3d398d5ea2a45d6bcc23c76e328ea3f. Update the file context for
-them.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/admin/usermanage.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 6a051f8a5..bf1ff09ab 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -5,8 +5,10 @@ ifdef(`distro_debian',`
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
---
-2.17.1
-
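Review bot: the hunk header shows these chfn/chsh entries sit under `ifdef(`distro_debian',`, and the recipe previously built with `POLICY_DISTRO ?= "redhat"`, so the deleted patch may never have had an effect; with the switch to "debian" the block is now compiled in, and the commit should confirm that the new upstream snapshot labels `/usr/bin/chfn.util-linux` and `/usr/bin/chsh.util-linux` as `chfn_exec_t`, since an unlabelled setuid chfn/chsh would run without the intended domain transition.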
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 3d2eb89..4eefeb1 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,5 +1,3 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
SECTION = "admin"
LICENSE = "GPLv2"

@@ -24,91 +22,65 @@ SRC_URI += " \
file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
file://0006-fc-login-apply-login-context-to-login.shadow.patch \
- file://0007-fc-bind-fix-real-path-for-bind.patch \
- file://0008-fc-hwclock-add-hwclock-alternatives.patch \
- file://0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
- file://0010-fc-ssh-apply-policy-to-ssh-alternatives.patch \
- file://0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
- file://0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
- file://0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
- file://0014-fc-su-apply-policy-to-su-alternatives.patch \
- file://0015-fc-fstools-fix-real-path-for-fstools.patch \
- file://0016-fc-init-fix-update-alternatives-for-sysvinit.patch \
- file://0017-fc-brctl-apply-policy-to-brctl-alternatives.patch \
- file://0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
- file://0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
- file://0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
- file://0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
- file://0022-fc-ldap-apply-policy-to-ldap-alternatives.patch \
- file://0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
- file://0024-fc-screen-apply-policy-to-screen-alternatives.patch \
- file://0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
- file://0026-fc-getty-add-file-context-to-start_getty.patch \
- file://0027-fc-init-add-file-context-to-etc-network-if-files.patch \
- file://0028-fc-vlock-apply-policy-to-vlock-alternatives.patch \
- file://0029-fc-cron-apply-policy-to-etc-init.d-crond.patch \
- file://0030-fc-sysnetwork-update-file-context-for-ifconfig.patch \
- file://0031-file_contexts.subs_dist-set-aliase-for-root-director.patch \
- file://0032-policy-modules-system-logging-add-rules-for-the-syml.patch \
- file://0033-policy-modules-system-logging-add-rules-for-syslogd-.patch \
- file://0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
- file://0035-policy-modules-system-logging-fix-auditd-startup-fai.patch \
- file://0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0037-policy-modules-system-modutils-allow-mod_t-to-access.patch \
- file://0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch \
- file://0039-policy-modules-system-getty-allow-getty_t-to-search-.patch \
- file://0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch \
- file://0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch \
- file://0042-policy-modules-services-rpc-add-capability-dac_read_.patch \
- file://0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
- file://0044-policy-modules-services-rngd-fix-security-context-fo.patch \
- file://0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch \
- file://0046-policy-modules-services-ssh-make-respective-init-scr.patch \
- file://0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch \
- file://0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch \
- file://0049-policy-modules-system-systemd-enable-support-for-sys.patch \
- file://0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
- file://0051-policy-modules-system-init-add-capability2-bpf-and-p.patch \
- file://0052-policy-modules-system-systemd-allow-systemd_logind_t.patch \
- file://0053-policy-modules-system-logging-set-label-devlog_t-to-.patch \
- file://0054-policy-modules-system-systemd-support-systemd-user.patch \
- file://0055-policy-modules-system-systemd-allow-systemd-generato.patch \
- file://0056-policy-modules-system-systemd-allow-systemd_backligh.patch \
- file://0057-policy-modules-system-logging-fix-systemd-journald-s.patch \
- file://0058-policy-modules-services-cron-allow-crond_t-to-search.patch \
- file://0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch \
- file://0060-policy-modules-system-sysnetwork-support-priviledge-.patch \
- file://0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch \
- file://0062-policy-modules-system-setrans-allow-setrans-to-acces.patch \
- file://0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
- file://0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch \
- file://0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch \
- file://0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
- file://0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
- file://0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
- file://0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
- file://0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
- file://0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
- file://0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0075-policy-modules-system-init-all-init_t-to-read-any-le.patch \
- file://0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
- file://0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0078-policy-modules-system-systemd-make-systemd-logind-do.patch \
- file://0079-policy-modules-system-systemd-systemd-user-sessions-.patch \
- file://0080-policy-modules-system-systemd-systemd-make-systemd_-.patch \
- file://0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch \
- file://0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
- file://0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch \
- file://0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch \
- file://0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch \
- file://0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch \
- file://0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch \
- file://0088-policy-modules-services-bind-make-named_t-domain-MLS.patch \
- file://0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch \
- file://0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
- file://0091-fc-usermanage-update-file-context-for-chfn-chsh.patch \
+ file://0007-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
+ file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+ file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0013-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0014-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \
+ file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+ file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+ file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+ file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+ file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+ file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+ file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+ file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \
+ file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+ file://0025-fc-getty-add-file-context-to-start_getty.patch \
+ file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+ file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+ file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+ file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \
+ file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+ file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+ file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+ file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+ file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
+ file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
+ file://0036-policy-modules-services-bluetooth-allow-bluetooth_t-.patch \
+ file://0037-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0038-policy-modules-services-ssh-do-not-audit-attempts-by.patch \
+ file://0039-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
+ file://0040-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0041-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
+ file://0042-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
+ file://0043-policy-modules-system-systemd-allow-systemd_hostname.patch \
+ file://0044-policy-modules-system-logging-fix-syslogd-failures-f.patch \
+ file://0045-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0046-policy-modules-system-sysnetwork-support-priviledge-.patch \
+ file://0047-policy-modules-services-acpi-allow-acpid-to-watch-th.patch \
+ file://0048-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
+ file://0049-policy-modules-admin-su-allow-su-to-map-SELinux-stat.patch \
+ file://0050-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0051-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0052-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0053-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0056-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0057-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0058-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0059-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0060-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0061-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0062-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0063-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0064-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0065-policy-modules-system-logging-make-syslogd_runtime_t.patch \
"

S = "${WORKDIR}/refpolicy"
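Review bot: the nine per-domain MLS patches dropped here (0080 systemd, 0081 ntp, 0083 acpi, 0084 avahi, 0085 bluetooth, 0086 dhcpc, 0087 inetd, 0088 bind, 0089 rpc) all cite the same denial, a search of the `journal` directory labelled `syslogd_runtime_t:s15`, and the only new logging patch in the list is `file://0065-policy-modules-system-logging-make-syslogd_runtime_t.patch`; the commit message should state explicitly that 0065 supersedes them, because fixing one directory label instead of granting nine domains read-to-clearance is the better (tighter) design and reviewers should not have to infer it. Separately, 0007-fc-bind-fix-real-path-for-bind, 0029-fc-cron, 0030-fc-sysnetwork-update-file-context-for-ifconfig and 0027-fc-init-add-file-context-to-etc-network-if-files disappear without a replacement of the same name (0027 becomes fc-add-fcontext-for-init-scripts-and-systemd-service, 0010/0011 become network-commands-alter); please list which upstream commits or renamed patches cover each one.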
@@ -138,8 +110,10 @@ inherit python3native

PARALLEL_MAKE = ""

+DEFAULT_ENFORCING ??= "enforcing"
+
POLICY_NAME ?= "${POLICY_TYPE}"
-POLICY_DISTRO ?= "redhat"
+POLICY_DISTRO ?= "debian"
POLICY_UBAC ?= "n"
POLICY_UNK_PERMS ?= "allow"
POLICY_DIRECT_INITRC ?= "y"
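Review bot: two unrelated changes are mixed in this hunk. Moving `DEFAULT_ENFORCING ??= "enforcing"` down from the top of the file is cosmetic (it is still a `??=` default), but `POLICY_DISTRO ?= "redhat"` to `"debian"` changes which `ifdef(`distro_debian',` / `ifdef(`distro_redhat',` blocks are compiled into the policy (several appear in the deleted patches above, e.g. in rpc.te and sysnetwork.te), so it deserves its own commit or at least its own paragraph in the message explaining why the Debian layout matches the Yocto filesystem better and what was retested.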
@@ -238,7 +212,7 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]

-policy-version = 31
+policy-version = 33
EOF

# Create policy store and build the policy
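Review bot: bumping `policy-version` in the generated semanage.conf from 31 to 33 means the compiled policy uses the version 33 policydb format, which must be understood by both the native libsepol doing the compile and the target kernel loading it; an older target kernel will refuse the policy at boot, leaving the system without SELinux enforcement. The commit message should state the minimum kernel version this was verified against, and ideally the recipe should guard or document that requirement.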
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 1d56403..9eb7374 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20210203+git${SRCPV}"
+PV = "2.20210908+git${SRCPV}"

SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"

-SRCREV_refpolicy ?= "1167739da1882f9c89281095d2595da5ea2d9d6b"
+SRCREV_refpolicy ?= "42c9eb9bcd2db1c279a576c67a937fa14ab6ffb7"

UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"

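Review bot: the SRCREV bump to 42c9eb9bcd2db1c279a576c67a937fa14ab6ffb7 with PV 2.20210908 is what justifies the patch removals in refpolicy_common.inc, so please cite in the commit message the upstream refpolicy commits that supersede each dropped patch (the chfn/chsh util-linux contexts, the policy-version 33 support, the journal-directory labelling) and confirm that the commit date matches the 20210908 encoded in PV, so the snapshot can be audited later.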
--
2.17.1
