Re: [meta-zephyr][PATCH] zephyr-sdk: upgrade 0.14.2 -> 0.15.1

Jon Mason
 

On Thu, Nov 10, 2022 at 09:19:54AM +0000, Saini, Naveen Kumar wrote:
Hi Mason

-----Original Message-----
From: yocto@... <yocto@...> On
Behalf Of Jon Mason
Sent: Thursday, October 27, 2022 2:14 AM
To: Saini, Naveen Kumar <naveen.kumar.saini@...>
Cc: yocto@...
Subject: Re: [yocto] [meta-zephyr][PATCH] zephyr-sdk: upgrade 0.14.2 ->
0.15.1

I added this and rebased it to be before the update to v3.2.0. The issues with
the versioning are now gone, but the following issues
remain:

"BUILD_ASSERT(IS_ENABLED(_RETARGETABLE_LOCKING), "Retargetable
locking must be enabled");"
for
zephyr-coap-client
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258971

zephyr-coap-server
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258983
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258987

zephyr-openthread-echo-client
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258972
[Naveen] I already sent a patch to fix this issue.
I had one as well.
https://gitlab.com/jonmason00/meta-zephyr/-/commit/68a50789d28af04c0df8b46bb4d27a87e8d98cb3
Sorry for not sending it out. I was occupied almost all of last week.
I like your patch better :)

"region `SRAM' overflowed by 1104 bytes"
for
zephyr-philosophers
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231259005
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231259002
[Naveen]
As per my understanding, the available RAM for qemu-cortex-m0 is only 16K, which is not sufficient for the philosophers sample. So I think you should remove it for the qemu-cortex-m0 machine.

From build logs:
SRAM (wx) : ORIGIN = 0x20000000, LENGTH = (16 * 1K)

It is also listed in the yaml:
https://github.com/zephyrproject-rtos/zephyr/blob/v3.2-branch/boards/arm/qemu_cortex_m0/qemu_cortex_m0.yaml#L10

I can see many tests and samples are being filtered out based on 'min_ram':
https://github.com/zephyrproject-rtos/zephyr/blob/v3.2-branch/samples/net/sockets/http_client/sample.yaml#L3

Sure, I can do a patch shortly that will remove this from
qemu_cortex_m0.


This would leave the only outstanding issue the new poll test failure
on qemu_cortex_a9 (yocto toolchain only). I think it's okay to let
this fail while a solution is being found.

Thanks,
Jon





Thanks,
Jon


On Wed, Oct 26, 2022 at 01:29:45PM +0800, Naveen Saini wrote:
https://github.com/zephyrproject-rtos/sdk-ng/releases/tag/v0.15.1

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../zephyr-sdk/{zephyr-sdk_0.14.2.bb => zephyr-sdk_0.15.1.bb} | 4
++--
1 file changed, 2 insertions(+), 2 deletions(-) rename
meta-zephyr-core/recipes-devtools/zephyr-sdk/{zephyr-sdk_0.14.2.bb =>
zephyr-sdk_0.15.1.bb} (83%)

diff --git
a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
similarity index 83%
rename from
meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
rename to
meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
index c893652..f5a9466 100644
---
a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
+++ b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-
sdk_0.15.1.b
+++ b
@@ -14,8 +14,8 @@ SDK_ARCHIVE = "zephyr-sdk-${PV}_linux-
${BUILD_ARCH}.tar.gz"
SDK_NAME = "${BUILD_ARCH}"
SRC_URI = "https://github.com/zephyrproject-rtos/sdk-
ng/releases/download/v${PV}/${SDK_ARCHIVE};subdir=${S};name=${SDK_N
AME}"

-SRC_URI[x86_64.sha256sum] =
"2ff0e4d79bffe1468247a3e1958aa9183a0252225ab721cf1c37188bd4b649a2"
-SRC_URI[aarch64.sha256sum] =
"cbb616a50e940388ea737788d48dcea3624a85bb3ee04d9aae105496a21ae75e
"
+SRC_URI[x86_64.sha256sum] =
"0a7406045102197b9edc759b242499941814a1c6df29dd9fbd479ad50eb0fba9"
+SRC_URI[aarch64.sha256sum] =
"d2c5de994376a287e8bf12e5776ab8f5105eafa14826608df085142fd01b7f84"

do_configure[noexec] = "1"
do_compile[noexec] = "1"
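Review bot: the hunk replaces both SRC_URI[...sha256sum] values but neither the hunk nor the commit message says how the new digests were obtained; since these checksums are the only integrity check on a toolchain archive fetched from the sdk-ng release URL, the commit message should state whether they were verified against checksums published by upstream for v0.15.1 or simply computed from a local download, so a reviewer can cross-check them instead of trusting the values as pasted.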
--
2.25.1


[yocto-autobuilder-helper][langdale] config.json: use meta-agl master branch rather than next branch

Steve Sakoman
 

langdale is no longer supported on the next branch

Signed-off-by: Steve Sakoman <steve@...>
---
config.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.json b/config.json
index 9dcc1db..694cbfd 100644
--- a/config.json
+++ b/config.json
@@ -1258,7 +1258,7 @@
},
"meta-agl": {
"url" : "https://git.automotivelinux.org/AGL/meta-agl",
- "branch" : "next",
+ "branch" : "master",
"revision" : "HEAD",
"no-layer-add" : true
},
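Review bot: the hunk keeps `"revision" : "HEAD"`, so after this change the langdale builder follows the tip of meta-agl master unpinned; the commit message says only that the next branch no longer supports langdale, and it should also say that master is the branch AGL currently supports for langdale, since that is what justifies pointing a release builder at a moving branch.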
--
2.25.1


[PATCH yocto-autobuilder-helper] config: set MACHINE=qemuarm64 for oe-selftest-armhost

Ross Burton
 

Many of the oe-selftest test cases boot up an image in qemu, but if the
host can't use KVM to accelerate the guest then the tests take a lot
longer and may randomly timeout.

Now that oe-selftest can run for qemuarm64[1], switch the
oe-selftest-armhost to use qemuarm64 so that KVM can be used. This
should mean faster and more reliable tests, which also cover another
architecture.

[1] oe-core 87fcee9fed915ff3af528b976d7d44737f9f1a95

Signed-off-by: Ross Burton <ross.burton@...>
---
config.json | 1 +
1 file changed, 1 insertion(+)

diff --git a/config.json b/config.json
index 24988f0..713afe5 100644
--- a/config.json
+++ b/config.json
@@ -873,6 +873,7 @@
"TEMPLATE" : "selftest"
},
"oe-selftest-armhost" : {
+ "MACHINE": "qemuarm64",
"SDKMACHINE": "aarch64",
"TEMPLATE" : "selftest"
},
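Review bot: the added `"MACHINE": "qemuarm64",` line is correct for the stated goal, but nothing in config.json records that this entry now depends on the armhost worker being an AArch64 machine with KVM available; a sentence in the commit message naming that assumption (and that the fallback without KVM is the slow, timeout-prone TCG path the message describes) would make the choice easier to revisit if the worker hardware changes.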
--
2.34.1


Re: Shell function not expanding variable

Ross Burton
 

On 10 Nov 2022, at 15:18, Maik Vermeulen via lists.yoctoproject.org <maik.vermeulen=lightyear.one@...> wrote:

Hi,

We have a shell function that's being called from a do_install task:
custom_install() {
    DIR=$1
    echo "Operating on '${DIR}'"

    install <some params> -m 0644 ${S}/$DIR/<some file> \
        ${D}${some_path}/<some_file>
}

do_install() {
    custom_install "dev"
}

The output of the above is:
Operating on 'dev'

exit 1 from 'install <some params> -m 0644 <recipe path>/1.0-r0/<expanded S folder>/${DIR}/<some file>
<recipe path>/image/<some_path>/<some_file>'

Why is ${DIR} expanded inside the echo, but not in the install command? I also tried with and without quotes, and with and without curly braces.
We are on poky sumo.
First, Sumo was last updated in 2019 and is very dead, please move to a supported release: https://wiki.yoctoproject.org/wiki/Releases

I’m not convinced that your shell example and the error message match exactly: the error says ${DIR} but sh would have expanded that to either the value, or the empty string.

The problem is most likely that you’re using single quotes when you shouldn't. These disable expansion:

$ FOO=42
$ echo $FOO
42
$ echo "$FOO"
42
$ echo '$FOO'
$FOO

Also note that because bitbake’s parse and then sh’s parse can both use ${FOO} for variable expansion, it’s convention to use ${FOO} for *bitbake* variables and then just $FOO for sh variables, as bitbake only expands ${FOO} but sh will expand both ${FOO} and $FOO. If you do ${FOO} and bitbake doesn’t know the variable, it doesn’t get replaced with the empty string (contrary to sh behaviour) so that sh can have a go.

Ross
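The two-stage expansion Ross describes (bitbake replaces only the ${NAME} references it knows and leaves the rest for sh, which then expands both $NAME and ${NAME} except inside single quotes), modelled as an added Python example; this is not code from the thread. The sh model covers only quoting and parameter expansion, and the paths in DATASTORE are constructed stand-ins for the question's S and D.

```python
import re

# A ${NAME} reference in the bitbake-style form.
_BRACED = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# sh parameter reference: ${NAME} or $NAME.
_SH_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def bitbake_expand(text, datastore):
    """Model of the bitbake parse step: ${NAME} is replaced only when bitbake
    knows NAME; an unknown ${NAME} is left untouched so that sh can expand it
    later, and a bare $NAME is never touched by bitbake at all."""
    return _BRACED.sub(lambda m: datastore.get(m.group(1), m.group(0)), text)


def sh_expand(text, env):
    """Simplified model of sh expansion for one command line: $NAME and ${NAME}
    become env[NAME], or the empty string when unset, except inside single
    quotes where nothing is expanded. Quote characters are removed as the shell
    would; backslash escapes and other expansions are deliberately not modelled."""
    out = []
    i, n = 0, len(text)
    in_double = False
    while i < n:
        c = text[i]
        if c == "'" and not in_double:
            end = text.find("'", i + 1)          # single-quoted span: literal
            end = n if end < 0 else end
            out.append(text[i + 1:end])
            i = end + 1
        elif c == '"':
            in_double = not in_double            # double quotes still expand
            i += 1
        elif c == "$":
            m = _SH_REF.match(text, i)
            if m:
                out.append(env.get(m.group(1) or m.group(2), ""))
                i = m.end()
            else:
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Variables the recipe's bitbake datastore knows (constructed values standing in
# for the real S and D of the question's recipe).
DATASTORE = {"S": "/work/recipe/1.0-r0/src", "D": "/work/recipe/1.0-r0/image"}


def run_line(line, sh_env):
    """Bitbake first, then sh with the shell function's own variables."""
    return sh_expand(bitbake_expand(line, DATASTORE), sh_env)


def quoting_demo():
    """The FOO example from the reply: bare and double-quoted expand,
    single-quoted does not."""
    env = {"FOO": "42"}
    return {
        "bare": sh_expand("echo $FOO", env),
        "double": sh_expand('echo "$FOO"', env),
        "single": sh_expand("echo '$FOO'", env),
    }


def install_line(dir_arg):
    """The install line from the question with DIR=dev, using dir_arg as the
    directory reference. A single-quoted '${DIR}' survives both stages as the
    literal text ${DIR}, which is exactly what the reported error showed."""
    line = "install -m 0644 ${S}/" + dir_arg + "/file ${D}/usr/share/file"
    return run_line(line, {"DIR": "dev"})


def unknown_reference():
    """Why the ${BITBAKE}/$sh convention works: bitbake passes an unknown
    ${NAME} through unchanged, whereas sh turns an unset one into nothing."""
    return bitbake_expand("${DIR}", {}), sh_expand("${DIR}", {})


if __name__ == "__main__":
    print(quoting_demo())
    print(install_line("'${DIR}'"))
    print(install_line("$DIR"))
    print(unknown_reference())
```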


Re: failing postinstall scriptlet

Alexander Kanavin
 

You need to show the whole log.

Alex

On Fri, 11 Nov 2022 at 07:29, Mistyron <ron.eggler@...> wrote:

Hi,

I'm wondering how to resolve the following error:

ERROR: sample-image-cp-lwb5plus-1.0-r0 do_rootfs: Postinstall scriptlets of ['lrd-networkmanager-sterling'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.
ERROR: Logfile of failure stored in: /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.430788
ERROR: Task (/home/yocto/rzv_vlp_v3.0.0/build/../meta-mistylwb5p/meta-laird-cp-pre-3.4/recipes-packages/images/sample-image-cp-lwb5plus.bb:do_rootfs) failed with exit code '1'

the log file ~/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.430788 contains the following at the bottom:

...
wayland-1.18.0-r0.aarch64

Complete!

ERROR: Postinstall scriptlets of ['lrd-networkmanager-sterling'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.
DEBUG: Python function do_rootfs finished

and so does /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs

Not very helpful, is it? How can I resolve this?
Ron
--
RON EGGLER Firmware Engineer (he/him/his) www.mistywest.com



failing postinstall scriptlet

Mistyron <ron.eggler@...>
 

Hi,

I'm wondering how to resolve the following error:

ERROR: sample-image-cp-lwb5plus-1.0-r0 do_rootfs: Postinstall scriptlets of ['lrd-networkmanager-sterling'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.
ERROR: Logfile of failure stored in: /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.430788
ERROR: Task (/home/yocto/rzv_vlp_v3.0.0/build/../meta-mistylwb5p/meta-laird-cp-pre-3.4/recipes-packages/images/sample-image-cp-lwb5plus.bb:do_rootfs) failed with exit code '1'

the log file ~/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.430788 contains the following at the bottom:

   ...
  wayland-1.18.0-r0.aarch64

Complete!

ERROR: Postinstall scriptlets of ['lrd-networkmanager-sterling'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs.
DEBUG: Python function do_rootfs finished

and so does /home/yocto/rzv_vlp_v3.0.0/build/tmp/work/smarc_rzv2l-poky-linux/sample-image-cp-lwb5plus/1.0-r0/temp/log.do_rootfs

Not very helpful, is it? How can I resolve this?
Ron
--
RON EGGLER Firmware Engineer (he/him/his) www.mistywest.com


[yocto-autobuilder-helper][kirkstone] config.json: use meta-agl master branch rather than next branch

Steve Sakoman
 

kirkstone is no longer supported on the next branch

Signed-off-by: Steve Sakoman <steve@...>
---
config.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.json b/config.json
index 673b904..c709e6e 100644
--- a/config.json
+++ b/config.json
@@ -1202,7 +1202,7 @@
},
"meta-agl": {
"url" : "https://git.automotivelinux.org/AGL/meta-agl",
- "branch" : "next",
+ "branch" : "master",
"revision" : "HEAD",
"no-layer-add" : true
},
--
2.25.1


Minutes: Yocto Project Weekly Triage Meeting 11/10/2022

sakib.sajal@...
 

Wiki: https://wiki.yoctoproject.org/wiki/Bug_Triage

Attendees: Richard Purdie, Steve Sakoman, Stephen Jolley, Randy Macleod, Joshua Watt, Ross Burton, Alexandre Belloni, Tim Orling, Zheng

ARs:

Notes:

Medium+ 4.2 Unassigned Enhancements/Bugs: 69 (Last week 69)

Medium+ 4.99 Unassigned Enhancements/Bugs: 45 (Last week 44)

AB Bugs: 61 (Last week 61)


Shell function not expanding variable

Maik Vermeulen
 

Hi,

We have a shell function that's being called from a do_install task:
custom_install() {
    DIR=$1
    echo "Operating on '${DIR}'"

    install <some params> -m 0644 ${S}/$DIR/<some file> \
        ${D}${some_path}/<some_file>
}

do_install() {
    custom_install "dev"
}

The output of the above is:
Operating on 'dev'

exit 1 from 'install <some params> -m 0644 <recipe path>/1.0-r0/<expanded S folder>/${DIR}/<some file>
<recipe path>/image/<some_path>/<some_file>'

Why is ${DIR} expanded inside the echo, but not in the install command? I also tried with and without quotes, and with and without curly braces.
We are on poky sumo.

Thanks,
Kind regards,

Maik Vermeulen

Embedded Software Engineer — Lightyear


Re: [meta-zephyr][PATCH] zephyr-sdk: upgrade 0.14.2 -> 0.15.1

Naveen Saini
 

Hi Mason

-----Original Message-----
From: yocto@... <yocto@...> On
Behalf Of Jon Mason
Sent: Thursday, October 27, 2022 2:14 AM
To: Saini, Naveen Kumar <naveen.kumar.saini@...>
Cc: yocto@...
Subject: Re: [yocto] [meta-zephyr][PATCH] zephyr-sdk: upgrade 0.14.2 ->
0.15.1

I added this and rebased it to be before the update to v3.2.0. The issues with
the versioning are now gone, but the following issues
remain:

"BUILD_ASSERT(IS_ENABLED(_RETARGETABLE_LOCKING), "Retargetable
locking must be enabled");"
for
zephyr-coap-client
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258971

zephyr-coap-server
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258983
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258987

zephyr-openthread-echo-client
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231258972
[Naveen] I already sent a patch to fix this issue.

"region `SRAM' overflowed by 1104 bytes"
for
zephyr-philosophers
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231259005
https://gitlab.com/jonmason00/meta-zephyr/-/jobs/3231259002
[Naveen]
As per my understanding, the available RAM for qemu-cortex-m0 is only 16K, which is not sufficient for the philosophers sample. So I think you should remove it for the qemu-cortex-m0 machine.

From build logs:
SRAM (wx) : ORIGIN = 0x20000000, LENGTH = (16 * 1K)

It is also listed in the yaml:
https://github.com/zephyrproject-rtos/zephyr/blob/v3.2-branch/boards/arm/qemu_cortex_m0/qemu_cortex_m0.yaml#L10

I can see many tests and samples are being filtered out based on 'min_ram':
https://github.com/zephyrproject-rtos/zephyr/blob/v3.2-branch/samples/net/sockets/http_client/sample.yaml#L3

Thanks,
Jon


On Wed, Oct 26, 2022 at 01:29:45PM +0800, Naveen Saini wrote:
https://github.com/zephyrproject-rtos/sdk-ng/releases/tag/v0.15.1

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../zephyr-sdk/{zephyr-sdk_0.14.2.bb => zephyr-sdk_0.15.1.bb} | 4
++--
1 file changed, 2 insertions(+), 2 deletions(-) rename
meta-zephyr-core/recipes-devtools/zephyr-sdk/{zephyr-sdk_0.14.2.bb =>
zephyr-sdk_0.15.1.bb} (83%)

diff --git
a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
similarity index 83%
rename from
meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
rename to
meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
index c893652..f5a9466 100644
---
a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
+++ b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-
sdk_0.15.1.b
+++ b
@@ -14,8 +14,8 @@ SDK_ARCHIVE = "zephyr-sdk-${PV}_linux-
${BUILD_ARCH}.tar.gz"
SDK_NAME = "${BUILD_ARCH}"
SRC_URI = "https://github.com/zephyrproject-rtos/sdk-
ng/releases/download/v${PV}/${SDK_ARCHIVE};subdir=${S};name=${SDK_N
AME}"

-SRC_URI[x86_64.sha256sum] =
"2ff0e4d79bffe1468247a3e1958aa9183a0252225ab721cf1c37188bd4b649a2"
-SRC_URI[aarch64.sha256sum] =
"cbb616a50e940388ea737788d48dcea3624a85bb3ee04d9aae105496a21ae75e
"
+SRC_URI[x86_64.sha256sum] =
"0a7406045102197b9edc759b242499941814a1c6df29dd9fbd479ad50eb0fba9"
+SRC_URI[aarch64.sha256sum] =
"d2c5de994376a287e8bf12e5776ab8f5105eafa14826608df085142fd01b7f84"

do_configure[noexec] = "1"
do_compile[noexec] = "1"
--
2.25.1


[meta-zephyr][PATCH v2 5/5] newlib: add bbappend

Naveen Saini
 

Build newlib library to be thread-safe in multithreaded environment.

https://github.com/zephyrproject-rtos/zephyr/pull/21518
https://github.com/zephyrproject-rtos/zephyr/issues/21519
https://github.com/zephyrproject-rtos/zephyr/pull/36201

https://sourceware.org/legacy-ml/newlib/2016/msg01165.html
https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=bd54749095ee45d7136b6e7c8a1e5218749c87b6

Error log:
newlib/libc-hooks.c:310:1: note: in expansion of macro 'BUILD_ASSERT'
BUILD_ASSERT(IS_ENABLED(_RETARGETABLE_LOCKING), "Retargetable locking must be enabled");

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend

diff --git a/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend b/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend
new file mode 100644
index 0000000..1a20b06
--- /dev/null
+++ b/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend
@@ -0,0 +1,5 @@
+# BUILD_ASSERT(IS_ENABLED(_RETARGETABLE_LOCKING), "Retargetable locking must be enabled");
+
+EXTRA_OECONF:append = " \
+ --enable-newlib-retargetable-locking \
+ "
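Review bot: `EXTRA_OECONF:append = " --enable-newlib-retargetable-locking "` in a `newlib_%.bbappend` with no override applies to every newlib build in any distro that includes this layer, not only to Zephyr targets; if that is intended, say so in the commit message, and replace the comment on the first line, which only repeats the BUILD_ASSERT text from the error log, with one sentence stating that Zephyr's libc hooks require newlib to be built with retargetable locking.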
--
2.25.1


[meta-zephyr][PATCH v2 4/5] arc: drop obsolete recipes and bbappends

Naveen Saini
 

Remove recipes and bbappends which are not being used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../classes/siteinfo-zephyr.bbclass | 14 ---
.../recipes-core/newlib/newlib_%.bbappend | 22 -----
.../binutils/binutils-2.26arc.inc | 37 --------
.../binutils-cross-canadian_2.26arc.bb | 7 --
.../binutils/binutils-cross_2.26arc.bb | 8 --
...e54244cd02bdcf4f1057be3ce96631f35ac3.patch | 83 ------------------
.../recipes-devtools-arc/gcc/gcc-6.x.arc.inc | 85 -------------------
.../gcc/gcc-cross-canadian_6.x.arc.bb | 8 --
.../gcc/gcc-cross_6.x.arc .bb | 11 ---
.../gcc/gcc-source_6.x.arc.bb | 2 -
.../gcc/libgcc_6.x.arc.bb | 14 ---
.../gcc/gcc-cross_6.%.bbappend | 1 -
.../recipes-devtools/gcc/libgcc_6.%.bbappend | 3 -
13 files changed, 295 deletions(-)
delete mode 100644 meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/binutils/binutils-2.26arc.inc
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross-canadian_2.26arc.bb
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross_2.26arc.bb
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/files/cbd8e54244cd02bdcf4f1057be3ce96631f35ac3.patch
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/gcc-6.x.arc.inc
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross-canadian_6.x.arc.bb
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross_6.x.arc .bb
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/gcc-source_6.x.arc.bb
delete mode 100644 meta-zephyr-core/recipes-devtools-arc/gcc/libgcc_6.x.arc.bb
delete mode 100644 meta-zephyr-core/recipes-devtools/gcc/gcc-cross_6.%.bbappend
delete mode 100644 meta-zephyr-core/recipes-devtools/gcc/libgcc_6.%.bbappend

diff --git a/meta-zephyr-core/classes/siteinfo-zephyr.bbclass b/meta-zephyr-core/classes/siteinfo-zephyr.bbclass
index b84a9b2..fc883e0 100644
--- a/meta-zephyr-core/classes/siteinfo-zephyr.bbclass
+++ b/meta-zephyr-core/classes/siteinfo-zephyr.bbclass
@@ -1,17 +1,3 @@
-def arc_siteinfo_setfunc(archinfo, osinfo, targetinfo, d):
- archinfo['arc'] = "endian-little bit-32 "
- osinfo['linux'] = "common-linux common-glibc"
- targetinfo['arc-linux'] = "arc-linux"
- return archinfo, osinfo, targetinfo
-
-SITEINFO_EXTRA_DATAFUNCS += "arc_siteinfo_setfunc"
-
-def arc_machdata_setfunc(machdata, d):
- machdata["elf"]["arc"] = (195, 0, 0, True, 32)
- return machdata
-
-PACKAGEQA_EXTRA_MACHDEFFUNCS += "arc_machdata_setfunc"
-
def iamcu_siteinfo_setfunc(archinfo, osinfo, targetinfo, d):
archinfo['iamcu'] = "endian-little bit-32 "
osinfo['linux'] = "common-linux common-glibc"
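Review bot: the commit message says these recipes and bbappends "are not being used" but does not say what establishes that; it would help to state that no machine in the layer selects the arc architecture any more, which is consistent with the `#COMPATIBLE_MACHINE = "arc"` lines being already commented out in the recipes deleted later in this patch.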
diff --git a/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend b/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend
deleted file mode 100644
index dfecb99..0000000
--- a/meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend
+++ /dev/null
@@ -1,22 +0,0 @@
-########################################################################
-#
-# ARC specific
-#
-########################################################################
-LIC_FILES_CHKSUM:arc = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552 \
- file://COPYING3.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \
- file://COPYING3;md5=d32239bcb673463ab874e80d47fae504 \
- file://COPYING.LIB;md5=9f604d8a4f8e74f4f5140845a21b6674 \
- file://COPYING.NEWLIB;md5=fced02ba02d66f274d4847d27e80af74 \
- file://newlib/libc/posix/COPYRIGHT;md5=103468ff1982be840fdf4ee9f8b51bbf \
- file://newlib/libc/sys/linux/linuxthreads/LICENSE;md5=73640207fbc79b198c7ffd4ad4d97aa0"
-
-#Tag arc-2016.03
-SRCREV:arc = "e4da0f88abe8dd2a0b947bcf7cb8b3736ab94f33"
-SRC_URI:arc = "git://github.com/foss-for-synopsys-dwc-arc-processors/newlib.git;branch=arc-2.3"
-S:arc = "${WORKDIR}/git"
-
-# ERROR: QA Issue: Architecture did not match (195 to 93)
-INSANE_SKIP:${PN}:arc += " arch "
-
-
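Review bot: this hunk deletes meta-zephyr-core/recipes-core/newlib/newlib_%.bbappend, and patch 5/5 of the same series creates a new file at exactly that path; the series therefore only applies cleanly in order, and one of the two commit messages should say that the ARC-specific bbappend is being replaced by the retargetable-locking one rather than simply dropped, so the relationship is visible in the history.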
diff --git a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-2.26arc.inc b/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-2.26arc.inc
deleted file mode 100644
index bfe0960..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-2.26arc.inc
+++ /dev/null
@@ -1,37 +0,0 @@
-LIC_FILES_CHKSUM="\
- file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552\
- file://COPYING.LIB;md5=9f604d8a4f8e74f4f5140845a21b6674\
- file://COPYING3;md5=d32239bcb673463ab874e80d47fae504\
- file://COPYING3.LIB;md5=6a6a8e020838b23406c81b19c1d46df6\
- file://gas/COPYING;md5=d32239bcb673463ab874e80d47fae504\
- file://include/COPYING;md5=59530bdf33659b29e73d4adb9f9f6552\
- file://include/COPYING3;md5=d32239bcb673463ab874e80d47fae504\
- file://libiberty/COPYING.LIB;md5=a916467b91076e631dd8edb7424769c7\
- file://bfd/COPYING;md5=d32239bcb673463ab874e80d47fae504\
- "
-
-def binutils_branch_version(d):
- pvsplit = d.getVar('PV', True).split('.')
- return pvsplit[0] + "_" + pvsplit[1]
-
-BINUPV = "${@binutils_branch_version(d)}"
-
-PV = "2.26+gitarc"
-
-#SRCREV = "bcbe0bfce780e426f2e3b78013cb49326ee76824"
-SRCREV="3bfd1155a7f0ff9e10c5ba91f089ae0bb5bfbde1"
-SRC_URI = "\
- git://github.com/foss-for-synopsys-dwc-arc-processors/binutils-gdb.git;branch=arc-2.26-dev \
- "
-
-S = "${WORKDIR}/git"
-
-do_configure:prepend () {
- rm -rf ${S}/gdb ${S}/libdecnumber ${S}/readline ${S}/sim
-}
-
-CONFIG_SHELL = "/bin/bash"
-
-sysroot_stage_all:append() {
- sysroot_stage_dir ${D}${exec_prefix}/extlib ${SYSROOT_DESTDIR}${exec_prefix}/extlib
-}
diff --git a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross-canadian_2.26arc.bb b/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross-canadian_2.26arc.bb
deleted file mode 100644
index 88f0ad7..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross-canadian_2.26arc.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require recipes-devtools/binutils/binutils.inc
-require recipes-devtools-arc/binutils/binutils-2.26arc.inc
-require recipes-devtools/binutils/binutils-cross-canadian.inc
-
-do_install:append () {
- rm -f ${D}/${libdir}/../lib/libiberty*
-}
diff --git a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross_2.26arc.bb b/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross_2.26arc.bb
deleted file mode 100644
index 3d94fea..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/binutils/binutils-cross_2.26arc.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require recipes-devtools/binutils/binutils.inc
-require binutils-2.26arc.inc
-require recipes-devtools/binutils/binutils-cross.inc
-
-SRC_URI:remove = "file://no-tooldirpaths.patch"
-SRC_URI:remove = "file://0002-binutils-cross-Do-not-generate-linker-script-directo.patch"
-
-#COMPATIBLE_MACHINE = "arc"
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/files/cbd8e54244cd02bdcf4f1057be3ce96631f35ac3.patch b/meta-zephyr-core/recipes-devtools-arc/gcc/files/cbd8e54244cd02bdcf4f1057be3ce96631f35ac3.patch
deleted file mode 100644
index d709cd0..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/files/cbd8e54244cd02bdcf4f1057be3ce96631f35ac3.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From cbd8e54244cd02bdcf4f1057be3ce96631f35ac3 Mon Sep 17 00:00:00 2001
-From: Claudiu Zissulescu <claziss@...>
-Date: Tue, 3 Jan 2017 12:06:28 -0500
-Subject: [PATCH] [ARC] Prevent moving stores to the frame before the stack
- adjustment.
-
-If the stack pointer is needed, emit a special barrier that will prevent
-the scheduler from moving stores to the frame before the stack adjustment.
-
-2017-01-03 Claudiu Zissulescu <claziss@...>
-
- * config/arc/arc.c (arc_expand_prologue): Emit a special barrier
- to prevent store reordering.
- * config/arc/arc.md (UNSPEC_ARC_STKTIE): Define.
- (type): Add block type.
- (stack_tie): Define special instruction to be used in
- expand_prologue.
----
- gcc/config/arc/arc.c | 10 +++++++++-
- gcc/config/arc/arc.md | 15 ++++++++++++++-
- 2 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/gcc/config/arc/arc.c b/gcc/config/arc/arc.c
-index 6f21fc3..110556c 100644
---- a/gcc/config/arc/arc.c
-+++ b/gcc/config/arc/arc.c
-@@ -3101,7 +3101,15 @@ arc_expand_prologue (void)
- frame_size_to_allocate -= first_offset;
- /* Allocate the stack frame. */
- if (frame_size_to_allocate > 0)
-- frame_stack_add ((HOST_WIDE_INT) 0 - frame_size_to_allocate);
-+ {
-+ frame_stack_add ((HOST_WIDE_INT) 0 - frame_size_to_allocate);
-+ /* If the frame pointer is needed, emit a special barrier that
-+ will prevent the scheduler from moving stores to the frame
-+ before the stack adjustment. */
-+ if (arc_frame_pointer_needed ())
-+ emit_insn (gen_stack_tie (stack_pointer_rtx,
-+ hard_frame_pointer_rtx));
-+ }
-
- /* Setup the gp register, if needed. */
- if (crtl->uses_pic_offset_table)
-diff --git a/gcc/config/arc/arc.md b/gcc/config/arc/arc.md
-index 16f71b3..448157c 100644
---- a/gcc/config/arc/arc.md
-+++ b/gcc/config/arc/arc.md
-@@ -135,6 +135,7 @@
- UNSPEC_ARC_VMAC2HU
- UNSPEC_ARC_VMPY2H
- UNSPEC_ARC_VMPY2HU
-+ UNSPEC_ARC_STKTIE
- ])
-
- (define_c_enum "vunspec" [
-@@ -204,7 +205,7 @@
- simd_vcompare, simd_vpermute, simd_vpack, simd_vpack_with_acc,
- simd_valign, simd_valign_with_acc, simd_vcontrol,
- simd_vspecial_3cycle, simd_vspecial_4cycle, simd_dma, mul16_em, div_rem,
-- fpu"
-+ fpu, block"
- (cond [(eq_attr "is_sfunc" "yes")
- (cond [(match_test "!TARGET_LONG_CALLS_SET && (!TARGET_MEDIUM_CALLS || GET_CODE (PATTERN (insn)) != COND_EXEC)") (const_string "call")
- (match_test "flag_pic") (const_string "sfunc")]
-@@ -6480,6 +6481,18 @@
- (set_attr "predicable" "yes,no,no,yes,no")
- (set_attr "cond" "canuse,nocond,nocond,canuse_limm,nocond")])
-
-+(define_insn "stack_tie"
-+ [(set (mem:BLK (scratch))
-+ (unspec:BLK [(match_operand:SI 0 "register_operand" "rb")
-+ (match_operand:SI 1 "register_operand" "rb")]
-+ UNSPEC_ARC_STKTIE))]
-+ ""
-+ ""
-+ [(set_attr "length" "0")
-+ (set_attr "iscompact" "false")
-+ (set_attr "type" "block")]
-+ )
-+
- ;; include the arc-FPX instructions
- (include "fpx.md")
-
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-6.x.arc.inc b/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-6.x.arc.inc
deleted file mode 100644
index 5b3772e..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-6.x.arc.inc
+++ /dev/null
@@ -1,85 +0,0 @@
-require recipes-devtools/gcc/gcc-common.inc
-
-# Third digit in PV should be incremented after a minor release
-
-PV = "6.x.arc"
-
-# BINV should be incremented to a revision after a minor gcc release
-
-BINV = "6.3.0"
-
-FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc:${COREBASE}/meta/recipes-devtools/gcc/gcc-6.2:"
-
-DEPENDS =+ "mpfr gmp libmpc zlib"
-NATIVEDEPS = "mpfr-native gmp-native libmpc-native zlib-native"
-
-LICENSE = "GPL-3.0-with-GCC-exception & GPLv3"
-
-LIC_FILES_CHKSUM = "\
- file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552 \
- file://COPYING3;md5=d32239bcb673463ab874e80d47fae504 \
- file://COPYING3.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \
- file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
- file://COPYING.RUNTIME;md5=fe60d87048567d4fe8c8a0ed2448bcc8 \
-"
-
-# tag arc-2017.03-eng009
-SRCREV = "7fe9c76c79cd9d263b839b4c8bd701943150e059"
-
-SRC_URI = "\
- git://github.com/foss-for-synopsys-dwc-arc-processors/gcc.git;protocol=https;branch=arc-2017.03 \
-"
-
-S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/git"
-B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
-
-# Language Overrides
-FORTRAN = ""
-JAVA = ""
-
-LTO = "--enable-lto"
-
-EXTRA_OECONF_BASE = "\
- ${LTO} \
- --enable-libssp \
- --disable-bootstrap \
- --disable-libmudflap \
- --with-system-zlib \
- --enable-linker-build-id \
- --with-ppl=no \
- --with-cloog=no \
- --enable-checking=release \
- --enable-cheaders=c_global \
-"
-
-EXTRA_OECONF_INITIAL = "\
- --disable-libmudflap \
- --disable-libgomp \
- --disable-libssp \
- --disable-libquadmath \
- --with-system-zlib \
- --disable-lto \
- --disable-plugin \
- --enable-decimal-float=no \
-"
-
-EXTRA_OECONF_INTERMEDIATE = "\
- --disable-libmudflap \
- --disable-libgomp \
- --disable-libquadmath \
- --with-system-zlib \
- --disable-lto \
- --disable-plugin \
- --disable-libssp \
-"
-
-EXTRA_OECONF:append:libc-uclibc = " --disable-decimal-float "
-
-EXTRA_OECONF:append:arc = ' --with-pkgversion="ARCompact/ARCv2 ISA elf32 toolchain ${SRCREV}"'
-
-EXTRA_OECONF_PATHS = "\
- --with-gxx-include-dir=${STAGING_DIR_TARGET}${target_includedir}/c++/${BINV} \
- --with-sysroot=${STAGING_DIR_TARGET} \
- --with-build-sysroot=${STAGING_DIR_TARGET} \
-"
-
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross-canadian_6.x.arc.bb b/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross-canadian_6.x.arc.bb
deleted file mode 100644
index bc4a3b3..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross-canadian_6.x.arc.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require recipes-devtools-arc/gcc/gcc-${PV}.inc
-require recipes-devtools/gcc/gcc-cross-canadian.inc
-
-EXTRA_OECONF:append:libc-baremetal = " --without-headers"
-EXTRA_OECONF:remove:libc-baremetal = "--with-sysroot=/not/exist"
-EXTRA_OECONF:remove:libc-baremetal = "--with-build-sysroot=${STAGING_DIR_TARGET}"
-EXTRA_OECONF:append:libc-baremetal = " --enable-plugin "
-
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross_6.x.arc .bb b/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross_6.x.arc .bb
deleted file mode 100644
index 6cf71c6..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-cross_6.x.arc .bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require recipes-devtools-arc/gcc/gcc-6.x.arc.inc
-require recipes-devtools/gcc/gcc-cross.inc
-
-DEPENDS:remove:libc-baremetal := "virtual/${TARGET_PREFIX}libc-for-gcc"
-EXTRA_OECONF:append:libc-baremetal = " --without-headers"
-EXTRA_OECONF:remove:libc-baremetal = "--with-sysroot=/not/exist"
-EXTRA_OECONF:remove:libc-baremetal = "--enable-threads=posix"
-
-#COMPATIBLE_MACHINE = "arc"
-
-BBCLASSEXTEND = "nativesdk"
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-source_6.x.arc.bb b/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-source_6.x.arc.bb
deleted file mode 100644
index 6272f7d..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/gcc-source_6.x.arc.bb
+++ /dev/null
@@ -1,2 +0,0 @@
-require recipes-devtools-arc/gcc/gcc-6.x.arc.inc
-require recipes-devtools/gcc/gcc-source.inc
diff --git a/meta-zephyr-core/recipes-devtools-arc/gcc/libgcc_6.x.arc.bb b/meta-zephyr-core/recipes-devtools-arc/gcc/libgcc_6.x.arc.bb
deleted file mode 100644
index 2ad8d34..0000000
--- a/meta-zephyr-core/recipes-devtools-arc/gcc/libgcc_6.x.arc.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-require recipes-devtools-arc/gcc/gcc-6.x.arc.inc
-require recipes-devtools/gcc/libgcc.inc
-
-INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
-#COMPATIBLE_MACHINE = "arc"
-
-EXTRA_OECONF:append:arc = " --disable-multilib"
-#EXTRA_OECONF_append_arc = " --enable-multilib"
-
-# ERROR: QA Issue: Architecture did not match (195 to 93)
-INSANE_SKIP:${PN}-dev += "arch"
-
-# ERROR: QA Issue: non -staticdev package contains static .a library
-INSANE_SKIP:${PN}-dev += "staticdev"
diff --git a/meta-zephyr-core/recipes-devtools/gcc/gcc-cross_6.%.bbappend b/meta-zephyr-core/recipes-devtools/gcc/gcc-cross_6.%.bbappend
deleted file mode 100644
index 2b2c713..0000000
--- a/meta-zephyr-core/recipes-devtools/gcc/gcc-cross_6.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-EXTRA_OECONF:append:armv7m = " --with-arch=armv7-m --with-mode=thumb "
diff --git a/meta-zephyr-core/recipes-devtools/gcc/libgcc_6.%.bbappend b/meta-zephyr-core/recipes-devtools/gcc/libgcc_6.%.bbappend
deleted file mode 100644
index 80bb46c..0000000
--- a/meta-zephyr-core/recipes-devtools/gcc/libgcc_6.%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-EXTRA_OECONF:remove = "--enable_multilib"
-EXTRA_OECONF:append = " --disable-multilib"
-
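Review bot: the removed override `EXTRA_OECONF:remove = "--enable_multilib"` spells the option with an underscore, so it never matched the real `--enable-multilib` flag (compare the hyphenated spelling in the libgcc_6.x.arc.bb hunk above) and only the `--disable-multilib` append was ever effective; dropping it changes nothing, but note in the commit message that arc multilib handling now relies solely on the per-arch `--disable-multilib` elsewhere in the layer.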
--
2.25.1


[meta-zephyr][PATCH v2 3/5] zephyr-sdk: upgrade 0.14.2 -> 0.15.1

Naveen Saini
 

https://github.com/zephyrproject-rtos/sdk-ng/releases/tag/v0.15.1

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../zephyr-sdk/{zephyr-sdk_0.14.2.bb => zephyr-sdk_0.15.1.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-zephyr-core/recipes-devtools/zephyr-sdk/{zephyr-sdk_0.14.2.bb => zephyr-sdk_0.15.1.bb} (83%)

diff --git a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
similarity index 83%
rename from meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
rename to meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
index c893652..f5a9466 100644
--- a/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.14.2.bb
+++ b/meta-zephyr-core/recipes-devtools/zephyr-sdk/zephyr-sdk_0.15.1.bb
@@ -14,8 +14,8 @@ SDK_ARCHIVE = "zephyr-sdk-${PV}_linux-${BUILD_ARCH}.tar.gz"
SDK_NAME = "${BUILD_ARCH}"
SRC_URI = "https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${PV}/${SDK_ARCHIVE};subdir=${S};name=${SDK_NAME}"

-SRC_URI[x86_64.sha256sum] = "2ff0e4d79bffe1468247a3e1958aa9183a0252225ab721cf1c37188bd4b649a2"
-SRC_URI[aarch64.sha256sum] = "cbb616a50e940388ea737788d48dcea3624a85bb3ee04d9aae105496a21ae75e"
+SRC_URI[x86_64.sha256sum] = "0a7406045102197b9edc759b242499941814a1c6df29dd9fbd479ad50eb0fba9"
+SRC_URI[aarch64.sha256sum] = "d2c5de994376a287e8bf12e5776ab8f5105eafa14826608df085142fd01b7f84"

do_configure[noexec] = "1"
do_compile[noexec] = "1"
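Review bot: the two replaced `SRC_URI[*.sha256sum]` values are the only thing pinning the SDK tarballs fetched from the GitHub release, and the commit message gives just the release tag; state how the new sums were obtained (for example by checking them against the checksum file published with v0.15.1 rather than by copying a failed-fetch error message) so a reviewer can verify the pinned values independently.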
--
2.25.1


[meta-zephyr][PATCH v2 2/5] zephyr-kernel-src: drop support for v2.7.3

Naveen Saini
 

Support for zephyr v3.2.0 is already being added. So time to drop it.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../0001-2.7-cmake-add-yocto-toolchain.patch | 63 ------
...ry-generation-issue-in-cross-compila.patch | 80 -------
.../zephyr-kernel/files/dtc.patch | 43 ----
.../zephyr-kernel/zephyr-kernel-src-2.7.3.inc | 196 ------------------
4 files changed, 382 deletions(-)
delete mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-cmake-add-yocto-toolchain.patch
delete mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-x86-fix-efi-binary-generation-issue-in-cross-compila.patch
delete mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/files/dtc.patch
delete mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.3.inc

diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-cmake-add-yocto-toolchain.patch b/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-cmake-add-yocto-toolchain.patch
deleted file mode 100644
index 563af7d..0000000
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-cmake-add-yocto-toolchain.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From bfab268c870548e3e7a24ea67ebed2a0513b2307 Mon Sep 17 00:00:00 2001
-From: Naveen Saini <naveen.kumar.saini@...>
-Date: Wed, 7 Jul 2021 13:53:05 +0800
-Subject: [PATCH] cmake: add yocto toolchain
-
-Upstream status: inappropriate [OE specific]
-
-Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
----
- cmake/compiler/gcc/target.cmake | 7 -------
- cmake/toolchain/yocto/generic.cmake | 13 +++++++++++++
- cmake/toolchain/yocto/target.cmake | 1 +
- 3 files changed, 14 insertions(+), 7 deletions(-)
- create mode 100644 cmake/toolchain/yocto/generic.cmake
- create mode 100644 cmake/toolchain/yocto/target.cmake
-
-diff --git a/cmake/compiler/gcc/target.cmake b/cmake/compiler/gcc/target.cmake
-index 2b90c5d2ef..b6f28b2f87 100644
---- a/cmake/compiler/gcc/target.cmake
-+++ b/cmake/compiler/gcc/target.cmake
-@@ -68,13 +68,6 @@ execute_process(
- OUTPUT_STRIP_TRAILING_WHITESPACE
- )
-
--assert_exists(LIBGCC_FILE_NAME)
--
--get_filename_component(LIBGCC_DIR ${LIBGCC_FILE_NAME} DIRECTORY)
--
--assert_exists(LIBGCC_DIR)
--
--LIST(APPEND LIB_INCLUDE_DIR "-L\"${LIBGCC_DIR}\"")
- LIST(APPEND TOOLCHAIN_LIBS gcc)
-
- if(SYSROOT_DIR)
-diff --git a/cmake/toolchain/yocto/generic.cmake b/cmake/toolchain/yocto/generic.cmake
-new file mode 100644
-index 0000000000..45e5777e2a
---- /dev/null
-+++ b/cmake/toolchain/yocto/generic.cmake
-@@ -0,0 +1,13 @@
-+set(COMPILER gcc)
-+set(LINKER ld)
-+set(BINTOOLS gnu)
-+
-+set(ZEPHYR_SYSROOT ${ZEPHYR_SYSROOT})
-+set(SYSROOT_DIR ${ZEPHYR_SYSROOT})
-+set(LIBC_LIBRARY_DIR "\"${SYSROOT_DIR}\"/")
-+set(LIBC_INCLUDE_DIR ${SYSROOT_DIR}/include)
-+LIST(APPEND TOOLCHAIN_LIBS gcc)
-+
-+LIST(APPEND LIB_INCLUDE_DIR "-L\"${STAGING_LIBDIR}\"")
-+
-+set(TOOLCHAIN_LIBS gcc)
-diff --git a/cmake/toolchain/yocto/target.cmake b/cmake/toolchain/yocto/target.cmake
-new file mode 100644
-index 0000000000..9881313609
---- /dev/null
-+++ b/cmake/toolchain/yocto/target.cmake
-@@ -0,0 +1 @@
-+# SPDX-License-Identifier: Apache-2.0
---
-2.17.1
-
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-x86-fix-efi-binary-generation-issue-in-cross-compila.patch b/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-x86-fix-efi-binary-generation-issue-in-cross-compila.patch
deleted file mode 100644
index fd6fc6b..0000000
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/0001-2.7-x86-fix-efi-binary-generation-issue-in-cross-compila.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From cfde3b1018c3151b6cc1fbe3e9e163d0aaf16954 Mon Sep 17 00:00:00 2001
-From: Naveen Saini <naveen.kumar.saini@...>
-Date: Tue, 11 May 2021 13:46:39 +0800
-Subject: [PATCH] x86: fix efi binary generation issue in cross compilation env
-
-Set root directory for headers.
-
-Upstream-Status: Inappropriate [Cross-compilation specific]
-
-Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
----
- arch/x86/zefi/zefi.py | 6 +++++-
- boards/x86/ehl_crb/CMakeLists.txt | 1 +
- boards/x86/qemu_x86/CMakeLists.txt | 1 +
- boards/x86/up_squared/CMakeLists.txt | 1 +
- 4 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/zefi/zefi.py b/arch/x86/zefi/zefi.py
-index d3514391a8..b9eccbfa10 100755
---- a/arch/x86/zefi/zefi.py
-+++ b/arch/x86/zefi/zefi.py
-@@ -106,7 +106,10 @@ def build_elf(elf_file):
- # + We need pic to enforce that the linker adds no relocations
- # + UEFI can take interrupts on our stack, so no red zone
- # + UEFI API assumes 16-bit wchar_t
-- cmd = [args.compiler, "-shared", "-Wall", "-Werror", "-I.",
-+
-+ # Pass --sysroot path for cross compilation
-+ sysrootarg = "--sysroot=" + args.sysroot
-+ cmd = [args.compiler, "-shared", "-Wall", "-Werror", "-I.", sysrootarg,
- "-fno-stack-protector", "-fpic", "-mno-red-zone", "-fshort-wchar",
- "-Wl,-nostdlib", "-T", ldscript, "-o", "zefi.elf", cfile]
- verbose(" ".join(cmd))
-@@ -145,6 +148,7 @@ def parse_args():
- parser.add_argument("-o", "--objcopy", required=True, help="objcopy to be used")
- parser.add_argument("-f", "--elf-file", required=True, help="Input file")
- parser.add_argument("-v", "--verbose", action="store_true", help="Verbose output")
-+ parser.add_argument("-s", "--sysroot", required=True, help="Cross compilation --sysroot=path")
-
- return parser.parse_args()
-
-diff --git a/boards/x86/ehl_crb/CMakeLists.txt b/boards/x86/ehl_crb/CMakeLists.txt
-index 0d572eff30..6a228107dc 100644
---- a/boards/x86/ehl_crb/CMakeLists.txt
-+++ b/boards/x86/ehl_crb/CMakeLists.txt
-@@ -5,6 +5,7 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
- -c ${CMAKE_C_COMPILER}
- -o ${CMAKE_OBJCOPY}
- -f ${PROJECT_BINARY_DIR}/${CONFIG_KERNEL_BIN_NAME}.elf
-+ -s ${SYSROOT_DIR}
- $<$<BOOL:${CMAKE_VERBOSE_MAKEFILE}>:--verbose>
- WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
- )
-diff --git a/boards/x86/qemu_x86/CMakeLists.txt b/boards/x86/qemu_x86/CMakeLists.txt
-index 1131a5c7ce..489f17192b 100644
---- a/boards/x86/qemu_x86/CMakeLists.txt
-+++ b/boards/x86/qemu_x86/CMakeLists.txt
-@@ -4,6 +4,7 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
- -c ${CMAKE_C_COMPILER}
- -o ${CMAKE_OBJCOPY}
- -f ${PROJECT_BINARY_DIR}/${CONFIG_KERNEL_BIN_NAME}.elf
-+ -s ${SYSROOT_DIR}
- $<$<BOOL:${CMAKE_VERBOSE_MAKEFILE}>:--verbose>
- WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
- )
-diff --git a/boards/x86/up_squared/CMakeLists.txt b/boards/x86/up_squared/CMakeLists.txt
-index 0eaa9753fc..2e8ce7cfbc 100644
---- a/boards/x86/up_squared/CMakeLists.txt
-+++ b/boards/x86/up_squared/CMakeLists.txt
-@@ -5,6 +5,7 @@ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
- -c ${CMAKE_C_COMPILER}
- -o ${CMAKE_OBJCOPY}
- -f ${PROJECT_BINARY_DIR}/${CONFIG_KERNEL_BIN_NAME}.elf
-+ -s ${SYSROOT_DIR}
- $<$<BOOL:${CMAKE_VERBOSE_MAKEFILE}>:--verbose>
- WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
- )
---
-2.17.1
-
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/dtc.patch b/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/dtc.patch
deleted file mode 100644
index 971995b..0000000
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/files/dtc.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Upstream-Status: Backport [https://github.com/zephyrproject-rtos/zephyr/commit/a4da64033dac55108215857659831b7d027513de]
-Signed-off-by: Ross Burton <ross.burton@...>
-
-From deb6e9b29d77f0d86eb188fb3c5fc6f470277d3d Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@...>
-Date: Mon, 15 Nov 2021 14:01:47 +0000
-Subject: [PATCH] cmake: expand DTC version regex
-
-DTC can be built with both traditional Makefiles or Meson. When built
-with Makefiles the --version output looks like 'Version: DTC
-1.6.1-dirty' but when built with Meson the output is 'Version: DTC
-v1.6.1+.
-
-This fails to match the version regex and the cmake then fails:
-
-CMake Error at cmake/host-tools.cmake:28 (if):
- if given arguments:
- "VERSION_GREATER" "1.4.6"
- Unknown arguments specified
-
-Expanding the regex with an optional 'v' covers both cases and the build
-succeeds.
-
-Signed-off-by: Ross Burton <ross.burton@...>
----
- cmake/host-tools.cmake | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmake/host-tools.cmake b/cmake/host-tools.cmake
-index cb7bf2e281..93d33d6390 100644
---- a/cmake/host-tools.cmake
-+++ b/cmake/host-tools.cmake
-@@ -20,7 +20,7 @@ if(DTC)
- )
-
- if(${dtc_status} EQUAL 0)
-- string(REGEX MATCH "Version: DTC ([0-9]+[.][0-9]+[.][0-9]+).*" out_var ${dtc_version_output})
-+ string(REGEX MATCH "Version: DTC v?([0-9]+[.][0-9]+[.][0-9]+).*" out_var ${dtc_version_output})
-
- # Since it is optional, an outdated version is not an error. If an
- # outdated version is discovered, print a warning and proceed as if
---
-2.25.1
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.3.inc b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.3.inc
deleted file mode 100644
index 2d20888..0000000
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.3.inc
+++ /dev/null
@@ -1,196 +0,0 @@
-# Auto-generated from zephyr-kernel-src.inc.jinja
-
-SRCREV_FORMAT = "default"
-
-SRCREV_default = "003de78ce0dd213a1c7b3d159b967fb19a12aa45"
-SRCREV_canopennode = "f167efe85c8c7de886f1bc47f9173cfb8a346bb5"
-SRCREV_civetweb = "094aeb41bb93e9199d24d665ee43e9e05d6d7b1c"
-SRCREV_cmsis = "b0612c97c1401feeb4160add6462c3627fe90fc7"
-SRCREV_edtt = "31badfbbd04f2948e3df6ebf329f930317550961"
-SRCREV_fatfs = "94fcd6bfb3801ac0a5e12ea2f52187e0a688b90e"
-SRCREV_hal_altera = "23c1c1dd7a0c1cc9a399509d1819375847c95b97"
-SRCREV_hal_atmel = "9f78f520f6cbb997e5b44fe8ab17dd5bf2448095"
-SRCREV_hal_cypress = "81a059f21435bc7e315bccd720da5a9b615bbb50"
-SRCREV_hal_espressif = "3400257534944d3a6a4194d1dbf8f0cd1670d64e"
-SRCREV_hal_infineon = "f1fa8241f8786198ba41155413243de36ed878a5"
-SRCREV_hal_microchip = "870d05e6a64ea9548da6b907058b03c8c9420826"
-SRCREV_hal_nordic = "a6e5299041f152da5ae0ab17b2e44e088bb96d6d"
-SRCREV_hal_nuvoton = "b4d31f33238713a568e23618845702fadd67386f"
-SRCREV_hal_nxp = "78efc4ba7c1057c1cf2bf06e3e27ed7cc33e1da7"
-SRCREV_hal_openisa = "40d049f69c50b58ea20473bee14cf93f518bf262"
-SRCREV_hal_quicklogic = "b3a66fe6d04d87fd1533a5c8de51d0599fcd08d0"
-SRCREV_hal_silabs = "be39d4eebeddac6e18e9c0c3ba1b31ad1e82eaed"
-SRCREV_hal_st = "575de9d461aa6f430cf62c58a053675377e700f3"
-SRCREV_hal_stm32 = "5c8275071ec1cf160bfe8c18bbd9330a7d714dc8"
-SRCREV_hal_telink = "ffcfd6282aa213f1dc0848dbca6279b098f6b143"
-SRCREV_hal_ti = "1992a4c536554c4f409c36896eda6abdc414d277"
-SRCREV_hal_xtensa = "6e1cf3c483e87df4888e87c5396b4534570f01af"
-SRCREV_libmetal = "39d049d4ae68e6f6d595fce7de1dcfc1024fb4eb"
-SRCREV_littlefs = "9e4498d1c73009acd84bb36036ee5e2869112a6c"
-SRCREV_loramac-node = "12019623bbad9eb54fe51066847a7cbd4b4eac57"
-SRCREV_lvgl = "783c1f78c8e39751fe89d0883c8bce7336f55e94"
-SRCREV_lz4 = "8e303c264fc21c2116dc612658003a22e933124d"
-SRCREV_mbedtls = "5765cb7f75a9973ae9232d438e361a9d7bbc49e7"
-SRCREV_mcuboot = "70bfbd21cdf5f6d1402bc8d0031e197222ed2ec0"
-SRCREV_mcumgr = "9ffebd5e92d9d069667b9af2a3a028f4a033cfd3"
-SRCREV_mipi-sys-t = "75e671550ac1acb502f315fe4952514dc73f7bfb"
-SRCREV_nanopb = "d148bd26718e4c10414f07a7eb1bd24c62e56c5d"
-SRCREV_net-tools = "f49bd1354616fae4093bf36e5eaee43c51a55127"
-SRCREV_nrf_hw_models = "a47e326ca772ddd14cc3b9d4ca30a9ab44ecca16"
-SRCREV_open-amp = "6010f0523cbc75f551d9256cf782f173177acdef"
-SRCREV_openthread = "5d706547ebcb0a85e11412bcd88e80e2af98c74d"
-SRCREV_segger = "3a52ab222133193802d3c3b4d21730b9b1f1d2f6"
-SRCREV_sof = "76feb11d1b8f425021b5691668af2250fee444ac"
-SRCREV_tflite-micro = "9156d050927012da87079064db59d07f03b8baf6"
-SRCREV_tinycbor = "40daca97b478989884bffb5226e9ab73ca54b8c4"
-SRCREV_tinycrypt = "3e9a49d2672ec01435ffbf0d788db6d95ef28de0"
-SRCREV_TraceRecorderSource = "36c577727642457b0db7274298a4b96558374832"
-SRCREV_trusted-firmware-m = "c74be3890c9d975976fde1b1a3b2f5742bec34c0"
-
-SRC_URI_ZEPHYR ?= "git://github.com/zephyrproject-rtos/zephyr.git;protocol=https"
-SRC_URI_CANOPENNODE ?= "git://github.com/zephyrproject-rtos/canopennode;protocol=https"
-SRC_URI_CIVETWEB ?= "git://github.com/zephyrproject-rtos/civetweb;protocol=https"
-SRC_URI_CMSIS ?= "git://github.com/zephyrproject-rtos/cmsis;protocol=https"
-SRC_URI_EDTT ?= "git://github.com/zephyrproject-rtos/edtt;protocol=https"
-SRC_URI_FATFS ?= "git://github.com/zephyrproject-rtos/fatfs;protocol=https"
-SRC_URI_HAL_ALTERA ?= "git://github.com/zephyrproject-rtos/hal_altera;protocol=https"
-SRC_URI_HAL_ATMEL ?= "git://github.com/zephyrproject-rtos/hal_atmel;protocol=https"
-SRC_URI_HAL_CYPRESS ?= "git://github.com/zephyrproject-rtos/hal_cypress;protocol=https"
-SRC_URI_HAL_ESPRESSIF ?= "git://github.com/zephyrproject-rtos/hal_espressif;protocol=https"
-SRC_URI_HAL_INFINEON ?= "git://github.com/zephyrproject-rtos/hal_infineon;protocol=https"
-SRC_URI_HAL_MICROCHIP ?= "git://github.com/zephyrproject-rtos/hal_microchip;protocol=https"
-SRC_URI_HAL_NORDIC ?= "git://github.com/zephyrproject-rtos/hal_nordic;protocol=https"
-SRC_URI_HAL_NUVOTON ?= "git://github.com/zephyrproject-rtos/hal_nuvoton;protocol=https"
-SRC_URI_HAL_NXP ?= "git://github.com/zephyrproject-rtos/hal_nxp;protocol=https"
-SRC_URI_HAL_OPENISA ?= "git://github.com/zephyrproject-rtos/hal_openisa;protocol=https"
-SRC_URI_HAL_QUICKLOGIC ?= "git://github.com/zephyrproject-rtos/hal_quicklogic;protocol=https"
-SRC_URI_HAL_SILABS ?= "git://github.com/zephyrproject-rtos/hal_silabs;protocol=https"
-SRC_URI_HAL_ST ?= "git://github.com/zephyrproject-rtos/hal_st;protocol=https"
-SRC_URI_HAL_STM32 ?= "git://github.com/zephyrproject-rtos/hal_stm32;protocol=https"
-SRC_URI_HAL_TELINK ?= "git://github.com/zephyrproject-rtos/hal_telink;protocol=https"
-SRC_URI_HAL_TI ?= "git://github.com/zephyrproject-rtos/hal_ti;protocol=https"
-SRC_URI_HAL_XTENSA ?= "git://github.com/zephyrproject-rtos/hal_xtensa;protocol=https"
-SRC_URI_LIBMETAL ?= "git://github.com/zephyrproject-rtos/libmetal;protocol=https"
-SRC_URI_LITTLEFS ?= "git://github.com/zephyrproject-rtos/littlefs;protocol=https"
-SRC_URI_LORAMAC_NODE ?= "git://github.com/zephyrproject-rtos/loramac-node;protocol=https"
-SRC_URI_LVGL ?= "git://github.com/zephyrproject-rtos/lvgl;protocol=https"
-SRC_URI_LZ4 ?= "git://github.com/zephyrproject-rtos/lz4;protocol=https"
-SRC_URI_MBEDTLS ?= "git://github.com/zephyrproject-rtos/mbedtls;protocol=https"
-SRC_URI_MCUBOOT ?= "git://github.com/zephyrproject-rtos/mcuboot;protocol=https"
-SRC_URI_MCUMGR ?= "git://github.com/zephyrproject-rtos/mcumgr;protocol=https"
-SRC_URI_MIPI_SYS_T ?= "git://github.com/zephyrproject-rtos/mipi-sys-t;protocol=https"
-SRC_URI_NANOPB ?= "git://github.com/zephyrproject-rtos/nanopb;protocol=https"
-SRC_URI_NET_TOOLS ?= "git://github.com/zephyrproject-rtos/net-tools;protocol=https"
-SRC_URI_NRF_HW_MODELS ?= "git://github.com/zephyrproject-rtos/nrf_hw_models;protocol=https"
-SRC_URI_OPEN_AMP ?= "git://github.com/zephyrproject-rtos/open-amp;protocol=https"
-SRC_URI_OPENTHREAD ?= "git://github.com/zephyrproject-rtos/openthread;protocol=https"
-SRC_URI_SEGGER ?= "git://github.com/zephyrproject-rtos/segger;protocol=https"
-SRC_URI_SOF ?= "git://github.com/zephyrproject-rtos/sof;protocol=https"
-SRC_URI_TFLITE_MICRO ?= "git://github.com/zephyrproject-rtos/tflite-micro;protocol=https"
-SRC_URI_TINYCBOR ?= "git://github.com/zephyrproject-rtos/tinycbor;protocol=https"
-SRC_URI_TINYCRYPT ?= "git://github.com/zephyrproject-rtos/tinycrypt;protocol=https"
-SRC_URI_TRACERECORDERSOURCE ?= "git://github.com/zephyrproject-rtos/TraceRecorderSource;protocol=https"
-SRC_URI_TRUSTED_FIRMWARE_M ?= "git://github.com/zephyrproject-rtos/trusted-firmware-m;protocol=https"
-
-SRC_URI_PATCHES ?= "\
- file://dtc.patch;patchdir=zephyr \
- file://0001-2.7-cmake-add-yocto-toolchain.patch;patchdir=zephyr \
- file://0001-2.7-x86-fix-efi-binary-generation-issue-in-cross-compila.patch;patchdir=zephyr \
-"
-
-SRC_URI = "\
- ${SRC_URI_ZEPHYR};branch=${ZEPHYR_BRANCH};name=default;destsuffix=git/zephyr \
- ${SRC_URI_CANOPENNODE};name=canopennode;nobranch=1;destsuffix=git/modules/lib/canopennode \
- ${SRC_URI_CIVETWEB};name=civetweb;nobranch=1;destsuffix=git/modules/lib/civetweb \
- ${SRC_URI_CMSIS};name=cmsis;nobranch=1;destsuffix=git/modules/hal/cmsis \
- ${SRC_URI_EDTT};name=edtt;nobranch=1;destsuffix=git/tools/edtt \
- ${SRC_URI_FATFS};name=fatfs;nobranch=1;destsuffix=git/modules/fs/fatfs \
- ${SRC_URI_HAL_ALTERA};name=hal_altera;nobranch=1;destsuffix=git/modules/hal/altera \
- ${SRC_URI_HAL_ATMEL};name=hal_atmel;nobranch=1;destsuffix=git/modules/hal/atmel \
- ${SRC_URI_HAL_CYPRESS};name=hal_cypress;nobranch=1;destsuffix=git/modules/hal/cypress \
- ${SRC_URI_HAL_ESPRESSIF};name=hal_espressif;nobranch=1;destsuffix=git/modules/hal/espressif \
- ${SRC_URI_HAL_INFINEON};name=hal_infineon;nobranch=1;destsuffix=git/modules/hal/infineon \
- ${SRC_URI_HAL_MICROCHIP};name=hal_microchip;nobranch=1;destsuffix=git/modules/hal/microchip \
- ${SRC_URI_HAL_NORDIC};name=hal_nordic;nobranch=1;destsuffix=git/modules/hal/nordic \
- ${SRC_URI_HAL_NUVOTON};name=hal_nuvoton;nobranch=1;destsuffix=git/modules/hal/nuvoton \
- ${SRC_URI_HAL_NXP};name=hal_nxp;nobranch=1;destsuffix=git/modules/hal/nxp \
- ${SRC_URI_HAL_OPENISA};name=hal_openisa;nobranch=1;destsuffix=git/modules/hal/openisa \
- ${SRC_URI_HAL_QUICKLOGIC};name=hal_quicklogic;nobranch=1;destsuffix=git/modules/hal/quicklogic \
- ${SRC_URI_HAL_SILABS};name=hal_silabs;nobranch=1;destsuffix=git/modules/hal/silabs \
- ${SRC_URI_HAL_ST};name=hal_st;nobranch=1;destsuffix=git/modules/hal/st \
- ${SRC_URI_HAL_STM32};name=hal_stm32;nobranch=1;destsuffix=git/modules/hal/stm32 \
- ${SRC_URI_HAL_TELINK};name=hal_telink;nobranch=1;destsuffix=git/modules/hal/telink \
- ${SRC_URI_HAL_TI};name=hal_ti;nobranch=1;destsuffix=git/modules/hal/ti \
- ${SRC_URI_HAL_XTENSA};name=hal_xtensa;nobranch=1;destsuffix=git/modules/hal/xtensa \
- ${SRC_URI_LIBMETAL};name=libmetal;nobranch=1;destsuffix=git/modules/hal/libmetal \
- ${SRC_URI_LITTLEFS};name=littlefs;nobranch=1;destsuffix=git/modules/fs/littlefs \
- ${SRC_URI_LORAMAC_NODE};name=loramac-node;nobranch=1;destsuffix=git/modules/lib/loramac-node \
- ${SRC_URI_LVGL};name=lvgl;nobranch=1;destsuffix=git/modules/lib/gui/lvgl \
- ${SRC_URI_LZ4};name=lz4;nobranch=1;destsuffix=git/modules/lib/lz4 \
- ${SRC_URI_MBEDTLS};name=mbedtls;nobranch=1;destsuffix=git/modules/crypto/mbedtls \
- ${SRC_URI_MCUBOOT};name=mcuboot;nobranch=1;destsuffix=git/bootloader/mcuboot \
- ${SRC_URI_MCUMGR};name=mcumgr;nobranch=1;destsuffix=git/modules/lib/mcumgr \
- ${SRC_URI_MIPI_SYS_T};name=mipi-sys-t;nobranch=1;destsuffix=git/modules/debug/mipi-sys-t \
- ${SRC_URI_NANOPB};name=nanopb;nobranch=1;destsuffix=git/modules/lib/nanopb \
- ${SRC_URI_NET_TOOLS};name=net-tools;nobranch=1;destsuffix=git/tools/net-tools \
- ${SRC_URI_NRF_HW_MODELS};name=nrf_hw_models;nobranch=1;destsuffix=git/modules/bsim_hw_models/nrf_hw_models \
- ${SRC_URI_OPEN_AMP};name=open-amp;nobranch=1;destsuffix=git/modules/lib/open-amp \
- ${SRC_URI_OPENTHREAD};name=openthread;nobranch=1;destsuffix=git/modules/lib/openthread \
- ${SRC_URI_SEGGER};name=segger;nobranch=1;destsuffix=git/modules/debug/segger \
- ${SRC_URI_SOF};name=sof;nobranch=1;destsuffix=git/modules/audio/sof \
- ${SRC_URI_TFLITE_MICRO};name=tflite-micro;nobranch=1;destsuffix=git/modules/lib/tflite-micro \
- ${SRC_URI_TINYCBOR};name=tinycbor;nobranch=1;destsuffix=git/modules/lib/tinycbor \
- ${SRC_URI_TINYCRYPT};name=tinycrypt;nobranch=1;destsuffix=git/modules/crypto/tinycrypt \
- ${SRC_URI_TRACERECORDERSOURCE};name=TraceRecorderSource;nobranch=1;destsuffix=git/modules/debug/TraceRecorder \
- ${SRC_URI_TRUSTED_FIRMWARE_M};name=trusted-firmware-m;nobranch=1;destsuffix=git/modules/tee/tfm \
- ${SRC_URI_PATCHES} \
-"
-
-ZEPHYR_MODULES = "\
-${S}/modules/lib/canopennode\;\
-${S}/modules/lib/civetweb\;\
-${S}/modules/hal/cmsis\;\
-${S}/tools/edtt\;\
-${S}/modules/fs/fatfs\;\
-${S}/modules/hal/altera\;\
-${S}/modules/hal/atmel\;\
-${S}/modules/hal/cypress\;\
-${S}/modules/hal/espressif\;\
-${S}/modules/hal/infineon\;\
-${S}/modules/hal/microchip\;\
-${S}/modules/hal/nordic\;\
-${S}/modules/hal/nuvoton\;\
-${S}/modules/hal/nxp\;\
-${S}/modules/hal/openisa\;\
-${S}/modules/hal/quicklogic\;\
-${S}/modules/hal/silabs\;\
-${S}/modules/hal/st\;\
-${S}/modules/hal/stm32\;\
-${S}/modules/hal/telink\;\
-${S}/modules/hal/ti\;\
-${S}/modules/hal/xtensa\;\
-${S}/modules/hal/libmetal\;\
-${S}/modules/fs/littlefs\;\
-${S}/modules/lib/loramac-node\;\
-${S}/modules/lib/gui/lvgl\;\
-${S}/modules/lib/lz4\;\
-${S}/modules/crypto/mbedtls\;\
-${S}/bootloader/mcuboot\;\
-${S}/modules/lib/mcumgr\;\
-${S}/modules/debug/mipi-sys-t\;\
-${S}/modules/lib/nanopb\;\
-${S}/tools/net-tools\;\
-${S}/modules/bsim_hw_models/nrf_hw_models\;\
-${S}/modules/lib/open-amp\;\
-${S}/modules/lib/openthread\;\
-${S}/modules/debug/segger\;\
-${S}/modules/audio/sof\;\
-${S}/modules/lib/tflite-micro\;\
-${S}/modules/lib/tinycbor\;\
-${S}/modules/crypto/tinycrypt\;\
-${S}/modules/debug/TraceRecorder\;\
-${S}/modules/tee/tfm\;\
-"
-
-ZEPHYR_BRANCH = "v2.7-branch"
-PV = "2.7.3+git${SRCPV}"
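Review bot: this hunk removes the 2.7.3 include together with its `ZEPHYR_BRANCH = "v2.7-branch"` and `PV` settings, yet the diffstat for this patch shows only deletions; confirm that nothing else in the layer still selects 2.7.3 (a `PREFERRED_VERSION` default, CI job matrix or README), and that the three patches deleted above are referenced from no other include, since their only visible user is the `SRC_URI_PATCHES` block in this file.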
--
2.25.1


[meta-zephyr][PATCH v2 1/5] zephyr-kernel-src: add support for v3.2.0

Naveen Saini
 

https://github.com/zephyrproject-rtos/zephyr/releases/tag/v3.2.0

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
.../zephyr-kernel/zephyr-kernel-src-3.2.0.inc | 239 ++++++++++++++++++
.../zephyr-kernel/zephyr-kernel-src.inc | 2 +-
2 files changed, 240 insertions(+), 1 deletion(-)
create mode 100644 meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.2.0.inc

diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.2.0.inc b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.2.0.inc
new file mode 100644
index 0000000..5d8ddfa
--- /dev/null
+++ b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-3.2.0.inc
@@ -0,0 +1,239 @@
+# Auto-generated from zephyr-kernel-src.inc.jinja
+
+SRCREV_FORMAT = "default"
+
+SRCREV_default = "4b58ae97f30338dd343f110fef068b21b94b6555"
+SRCREV_canopennode = "53d3415c14d60f8f4bfca54bfbc5d5a667d7e724"
+SRCREV_chre = "ef76d3456db07e4959df555047d6962279528c8d"
+SRCREV_cmsis = "093de61c2a7d12dc9253daf8692f61f793a9254a"
+SRCREV_edtt = "1ea61a390d2bfcf3b2ecdba8f8b0b98dfdffbd11"
+SRCREV_fatfs = "a30531af3a95a9a3ea7d771ea8a578ebfed45514"
+SRCREV_fff = "6ce5ba26486e93d5b7696a3e23f0585932c14b16"
+SRCREV_hal_altera = "0d225ddd314379b32355a00fb669eacf911e750d"
+SRCREV_hal_atmel = "1d237f2e2f262751975b6da6e03af569b2b49b2b"
+SRCREV_hal_espressif = "2cb20ac6c5b25f3c91b35e7997451db47030b7cb"
+SRCREV_hal_gigadevice = "dd0e0322474462b58059e6fedaf1d67d2a0864d0"
+SRCREV_hal_infineon = "4af06965f57ba1e7d170e6a97d24c33785543a8c"
+SRCREV_hal_microchip = "5d079f1683a00b801373bbbbf5d181d4e33b30d5"
+SRCREV_hal_nordic = "249199ec5a5c31d170659921048764e96d05cc0e"
+SRCREV_hal_nuvoton = "b4d31f33238713a568e23618845702fadd67386f"
+SRCREV_hal_nxp = "708c95825b0d5279620935a1356299fff5dfbc6e"
+SRCREV_hal_openisa = "40d049f69c50b58ea20473bee14cf93f518bf262"
+SRCREV_hal_quicklogic = "b3a66fe6d04d87fd1533a5c8de51d0599fcd08d0"
+SRCREV_hal_renesas = "468d3f2146d18c7f86a4640fc641cc1d20a4a100"
+SRCREV_hal_rpi_pico = "a094c060e0c2d43c7f9d8f5c06cc0665117e0c18"
+SRCREV_hal_silabs = "1ec8dd99aa4ac3e8632d2aa28a7438049bb27102"
+SRCREV_hal_st = "cccbc24c14decfd3f93959f7b14514536af973c7"
+SRCREV_hal_stm32 = "642e199c59828137dc6b1c7044a289d4269886d1"
+SRCREV_hal_telink = "38573af589173259801ae6c2b34b7d4c9e626746"
+SRCREV_hal_ti = "000b944a788b6005d7776198e1348f5c8a657259"
+SRCREV_hal_wurthelektronik = "24ca9873c3d608fad1fea0431836bc8f144c132e"
+SRCREV_hal_xtensa = "63f655362423aa49507da7977a2d37142e8debeb"
+SRCREV_libmetal = "2f586b4f1276fb075ee145421bdf6cbe5403aa41"
+SRCREV_liblc3 = "448f3de31f49a838988a162ef1e23a89ddf2d2ed"
+SRCREV_littlefs = "ca583fd297ceb48bced3c2548600dc615d67af24"
+SRCREV_loramac-node = "ce57712f3e426bbbb13acaec97b45369f716f43a"
+SRCREV_lvgl = "af95bdfcf6784edd958ea08139c713e2d3dee7af"
+SRCREV_lz4 = "8e303c264fc21c2116dc612658003a22e933124d"
+SRCREV_mbedtls = "7fed49c9b9f983ad6416986661ef637459723bcb"
+SRCREV_mcuboot = "13f63976bca672ee018f9d55f1e31f02f4135b64"
+SRCREV_mipi-sys-t = "0d521d8055f3b2b4842f728b0365d3f0ece9c37f"
+SRCREV_nanopb = "dc4deed54fd4c7e1935e3b6387eedf21bb45dc38"
+SRCREV_net-tools = "e0828aa9629b533644dc96ff6d1295c939bd713c"
+SRCREV_nrf_hw_models = "65bc5305d432c08e24a3f343006d1e7deaff4908"
+SRCREV_open-amp = "8d53544871e1f300c478224faca6be8384ab0d04"
+SRCREV_openthread = "b21e99b4b3d823f71c902b9174ff62b964c124f0"
+SRCREV_picolibc = "04ada5951cbaf8e7b17f8226ce31cb6837c28ba7"
+SRCREV_segger = "d4e568a920b4bd087886170a5624c167b2d0665e"
+SRCREV_sof = "fed466c264ad078c66f7bff9218ba1d3fa0eb201"
+SRCREV_tflite-micro = "9156d050927012da87079064db59d07f03b8baf6"
+SRCREV_tinycbor = "9e1f34bc08123aaad7666d3652aaa839e8178b3b"
+SRCREV_tinycrypt = "3e9a49d2672ec01435ffbf0d788db6d95ef28de0"
+SRCREV_TraceRecorderSource = "9893bf1cf649a2c4ee2e27293f887994f3d0da5b"
+SRCREV_trusted-firmware-m = "231235f26f5295ac4faf8c5617dbb9779869d821"
+SRCREV_trusted-firmware-a = "d29cddecde614d81cbec1fb0086cdaebd77d3575"
+SRCREV_tf-m-tests = "c99a86b295c4887520da9d8402566d7f225c974e"
+SRCREV_psa-arch-tests = "f4fc2442b8e29e2a03d9899e46e5a3ea3df8c2c9"
+SRCREV_uoscore-uedhoc = "e8920192b66db4f909eb9cd3f155d5245c1ae825"
+SRCREV_zcbor = "a0d6981f14d4001d6f0d608d1a427f9bc6bb6d02"
+SRCREV_zscilib = "ca070ddabdaf67175a2da901d0bd62e8899371c5"
+
+SRC_URI_ZEPHYR ?= "git://github.com/zephyrproject-rtos/zephyr.git;protocol=https"
+SRC_URI_CANOPENNODE ?= "git://github.com/zephyrproject-rtos/canopennode;protocol=https"
+SRC_URI_CHRE ?= "git://github.com/zephyrproject-rtos/chre;protocol=https"
+SRC_URI_CMSIS ?= "git://github.com/zephyrproject-rtos/cmsis;protocol=https"
+SRC_URI_EDTT ?= "git://github.com/zephyrproject-rtos/edtt;protocol=https"
+SRC_URI_FATFS ?= "git://github.com/zephyrproject-rtos/fatfs;protocol=https"
+SRC_URI_FFF ?= "git://github.com/zephyrproject-rtos/fff;protocol=https"
+SRC_URI_HAL_ALTERA ?= "git://github.com/zephyrproject-rtos/hal_altera;protocol=https"
+SRC_URI_HAL_ATMEL ?= "git://github.com/zephyrproject-rtos/hal_atmel;protocol=https"
+SRC_URI_HAL_ESPRESSIF ?= "git://github.com/zephyrproject-rtos/hal_espressif;protocol=https"
+SRC_URI_HAL_GIGADEVICE ?= "git://github.com/zephyrproject-rtos/hal_gigadevice;protocol=https"
+SRC_URI_HAL_INFINEON ?= "git://github.com/zephyrproject-rtos/hal_infineon;protocol=https"
+SRC_URI_HAL_MICROCHIP ?= "git://github.com/zephyrproject-rtos/hal_microchip;protocol=https"
+SRC_URI_HAL_NORDIC ?= "git://github.com/zephyrproject-rtos/hal_nordic;protocol=https"
+SRC_URI_HAL_NUVOTON ?= "git://github.com/zephyrproject-rtos/hal_nuvoton;protocol=https"
+SRC_URI_HAL_NXP ?= "git://github.com/zephyrproject-rtos/hal_nxp;protocol=https"
+SRC_URI_HAL_OPENISA ?= "git://github.com/zephyrproject-rtos/hal_openisa;protocol=https"
+SRC_URI_HAL_QUICKLOGIC ?= "git://github.com/zephyrproject-rtos/hal_quicklogic;protocol=https"
+SRC_URI_HAL_RENESAS ?= "git://github.com/zephyrproject-rtos/hal_renesas;protocol=https"
+SRC_URI_HAL_RPI_PICO ?= "git://github.com/zephyrproject-rtos/hal_rpi_pico;protocol=https"
+SRC_URI_HAL_SILABS ?= "git://github.com/zephyrproject-rtos/hal_silabs;protocol=https"
+SRC_URI_HAL_ST ?= "git://github.com/zephyrproject-rtos/hal_st;protocol=https"
+SRC_URI_HAL_STM32 ?= "git://github.com/zephyrproject-rtos/hal_stm32;protocol=https"
+SRC_URI_HAL_TELINK ?= "git://github.com/zephyrproject-rtos/hal_telink;protocol=https"
+SRC_URI_HAL_TI ?= "git://github.com/zephyrproject-rtos/hal_ti;protocol=https"
+SRC_URI_HAL_WURTHELEKTRONIK ?= "git://github.com/zephyrproject-rtos/hal_wurthelektronik;protocol=https"
+SRC_URI_HAL_XTENSA ?= "git://github.com/zephyrproject-rtos/hal_xtensa;protocol=https"
+SRC_URI_LIBMETAL ?= "git://github.com/zephyrproject-rtos/libmetal;protocol=https"
+SRC_URI_LIBLC3 ?= "git://github.com/zephyrproject-rtos/liblc3;protocol=https"
+SRC_URI_LITTLEFS ?= "git://github.com/zephyrproject-rtos/littlefs;protocol=https"
+SRC_URI_LORAMAC_NODE ?= "git://github.com/zephyrproject-rtos/loramac-node;protocol=https"
+SRC_URI_LVGL ?= "git://github.com/zephyrproject-rtos/lvgl;protocol=https"
+SRC_URI_LZ4 ?= "git://github.com/zephyrproject-rtos/lz4;protocol=https"
+SRC_URI_MBEDTLS ?= "git://github.com/zephyrproject-rtos/mbedtls;protocol=https"
+SRC_URI_MCUBOOT ?= "git://github.com/zephyrproject-rtos/mcuboot;protocol=https"
+SRC_URI_MIPI_SYS_T ?= "git://github.com/zephyrproject-rtos/mipi-sys-t;protocol=https"
+SRC_URI_NANOPB ?= "git://github.com/zephyrproject-rtos/nanopb;protocol=https"
+SRC_URI_NET_TOOLS ?= "git://github.com/zephyrproject-rtos/net-tools;protocol=https"
+SRC_URI_NRF_HW_MODELS ?= "git://github.com/zephyrproject-rtos/nrf_hw_models;protocol=https"
+SRC_URI_OPEN_AMP ?= "git://github.com/zephyrproject-rtos/open-amp;protocol=https"
+SRC_URI_OPENTHREAD ?= "git://github.com/zephyrproject-rtos/openthread;protocol=https"
+SRC_URI_PICOLIBC ?= "git://github.com/zephyrproject-rtos/picolibc;protocol=https"
+SRC_URI_SEGGER ?= "git://github.com/zephyrproject-rtos/segger;protocol=https"
+SRC_URI_SOF ?= "git://github.com/zephyrproject-rtos/sof;protocol=https"
+SRC_URI_TFLITE_MICRO ?= "git://github.com/zephyrproject-rtos/tflite-micro;protocol=https"
+SRC_URI_TINYCBOR ?= "git://github.com/zephyrproject-rtos/tinycbor;protocol=https"
+SRC_URI_TINYCRYPT ?= "git://github.com/zephyrproject-rtos/tinycrypt;protocol=https"
+SRC_URI_TRACERECORDERSOURCE ?= "git://github.com/zephyrproject-rtos/TraceRecorderSource;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M ?= "git://github.com/zephyrproject-rtos/trusted-firmware-m;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_A ?= "git://github.com/zephyrproject-rtos/trusted-firmware-a;protocol=https"
+SRC_URI_TF_M_TESTS ?= "git://github.com/zephyrproject-rtos/tf-m-tests;protocol=https"
+SRC_URI_PSA_ARCH_TESTS ?= "git://github.com/zephyrproject-rtos/psa-arch-tests;protocol=https"
+SRC_URI_UOSCORE_UEDHOC ?= "git://github.com/zephyrproject-rtos/uoscore-uedhoc;protocol=https"
+SRC_URI_ZCBOR ?= "git://github.com/zephyrproject-rtos/zcbor;protocol=https"
+SRC_URI_ZSCILIB ?= "git://github.com/zephyrproject-rtos/zscilib;protocol=https"
+
+SRC_URI_PATCHES ?= "\
+ file://0001-3.1-cmake-add-yocto-toolchain.patch;patchdir=zephyr \
+ file://0001-3.1-x86-fix-efi-binary-generation-issue-in-cross-compila.patch;patchdir=zephyr \
+"
+
+SRC_URI = "\
+ ${SRC_URI_ZEPHYR};branch=${ZEPHYR_BRANCH};name=default;destsuffix=git/zephyr \
+ ${SRC_URI_CANOPENNODE};name=canopennode;nobranch=1;destsuffix=git/modules/lib/canopennode \
+ ${SRC_URI_CHRE};name=chre;nobranch=1;destsuffix=git/modules/lib/chre \
+ ${SRC_URI_CMSIS};name=cmsis;nobranch=1;destsuffix=git/modules/hal/cmsis \
+ ${SRC_URI_EDTT};name=edtt;nobranch=1;destsuffix=git/tools/edtt \
+ ${SRC_URI_FATFS};name=fatfs;nobranch=1;destsuffix=git/modules/fs/fatfs \
+ ${SRC_URI_FFF};name=fff;nobranch=1;destsuffix=git/modules/lib/fff \
+ ${SRC_URI_HAL_ALTERA};name=hal_altera;nobranch=1;destsuffix=git/modules/hal/altera \
+ ${SRC_URI_HAL_ATMEL};name=hal_atmel;nobranch=1;destsuffix=git/modules/hal/atmel \
+ ${SRC_URI_HAL_ESPRESSIF};name=hal_espressif;nobranch=1;destsuffix=git/modules/hal/espressif \
+ ${SRC_URI_HAL_GIGADEVICE};name=hal_gigadevice;nobranch=1;destsuffix=git/modules/hal/gigadevice \
+ ${SRC_URI_HAL_INFINEON};name=hal_infineon;nobranch=1;destsuffix=git/modules/hal/infineon \
+ ${SRC_URI_HAL_MICROCHIP};name=hal_microchip;nobranch=1;destsuffix=git/modules/hal/microchip \
+ ${SRC_URI_HAL_NORDIC};name=hal_nordic;nobranch=1;destsuffix=git/modules/hal/nordic \
+ ${SRC_URI_HAL_NUVOTON};name=hal_nuvoton;nobranch=1;destsuffix=git/modules/hal/nuvoton \
+ ${SRC_URI_HAL_NXP};name=hal_nxp;nobranch=1;destsuffix=git/modules/hal/nxp \
+ ${SRC_URI_HAL_OPENISA};name=hal_openisa;nobranch=1;destsuffix=git/modules/hal/openisa \
+ ${SRC_URI_HAL_QUICKLOGIC};name=hal_quicklogic;nobranch=1;destsuffix=git/modules/hal/quicklogic \
+ ${SRC_URI_HAL_RENESAS};name=hal_renesas;nobranch=1;destsuffix=git/modules/hal/renesas \
+ ${SRC_URI_HAL_RPI_PICO};name=hal_rpi_pico;nobranch=1;destsuffix=git/modules/hal/rpi_pico \
+ ${SRC_URI_HAL_SILABS};name=hal_silabs;nobranch=1;destsuffix=git/modules/hal/silabs \
+ ${SRC_URI_HAL_ST};name=hal_st;nobranch=1;destsuffix=git/modules/hal/st \
+ ${SRC_URI_HAL_STM32};name=hal_stm32;nobranch=1;destsuffix=git/modules/hal/stm32 \
+ ${SRC_URI_HAL_TELINK};name=hal_telink;nobranch=1;destsuffix=git/modules/hal/telink \
+ ${SRC_URI_HAL_TI};name=hal_ti;nobranch=1;destsuffix=git/modules/hal/ti \
+ ${SRC_URI_HAL_WURTHELEKTRONIK};name=hal_wurthelektronik;nobranch=1;destsuffix=git/modules/hal/wurthelektronik \
+ ${SRC_URI_HAL_XTENSA};name=hal_xtensa;nobranch=1;destsuffix=git/modules/hal/xtensa \
+ ${SRC_URI_LIBMETAL};name=libmetal;nobranch=1;destsuffix=git/modules/hal/libmetal \
+ ${SRC_URI_LIBLC3};name=liblc3;nobranch=1;destsuffix=git/modules/lib/liblc3 \
+ ${SRC_URI_LITTLEFS};name=littlefs;nobranch=1;destsuffix=git/modules/fs/littlefs \
+ ${SRC_URI_LORAMAC_NODE};name=loramac-node;nobranch=1;destsuffix=git/modules/lib/loramac-node \
+ ${SRC_URI_LVGL};name=lvgl;nobranch=1;destsuffix=git/modules/lib/gui/lvgl \
+ ${SRC_URI_LZ4};name=lz4;nobranch=1;destsuffix=git/modules/lib/lz4 \
+ ${SRC_URI_MBEDTLS};name=mbedtls;nobranch=1;destsuffix=git/modules/crypto/mbedtls \
+ ${SRC_URI_MCUBOOT};name=mcuboot;nobranch=1;destsuffix=git/bootloader/mcuboot \
+ ${SRC_URI_MIPI_SYS_T};name=mipi-sys-t;nobranch=1;destsuffix=git/modules/debug/mipi-sys-t \
+ ${SRC_URI_NANOPB};name=nanopb;nobranch=1;destsuffix=git/modules/lib/nanopb \
+ ${SRC_URI_NET_TOOLS};name=net-tools;nobranch=1;destsuffix=git/tools/net-tools \
+ ${SRC_URI_NRF_HW_MODELS};name=nrf_hw_models;nobranch=1;destsuffix=git/modules/bsim_hw_models/nrf_hw_models \
+ ${SRC_URI_OPEN_AMP};name=open-amp;nobranch=1;destsuffix=git/modules/lib/open-amp \
+ ${SRC_URI_OPENTHREAD};name=openthread;nobranch=1;destsuffix=git/modules/lib/openthread \
+ ${SRC_URI_PICOLIBC};name=picolibc;nobranch=1;destsuffix=git/modules/lib/picolibc \
+ ${SRC_URI_SEGGER};name=segger;nobranch=1;destsuffix=git/modules/debug/segger \
+ ${SRC_URI_SOF};name=sof;nobranch=1;destsuffix=git/modules/audio/sof \
+ ${SRC_URI_TFLITE_MICRO};name=tflite-micro;nobranch=1;destsuffix=git/modules/lib/tflite-micro \
+ ${SRC_URI_TINYCBOR};name=tinycbor;nobranch=1;destsuffix=git/modules/lib/tinycbor \
+ ${SRC_URI_TINYCRYPT};name=tinycrypt;nobranch=1;destsuffix=git/modules/crypto/tinycrypt \
+ ${SRC_URI_TRACERECORDERSOURCE};name=TraceRecorderSource;nobranch=1;destsuffix=git/modules/debug/TraceRecorder \
+ ${SRC_URI_TRUSTED_FIRMWARE_M};name=trusted-firmware-m;nobranch=1;destsuffix=git/modules/tee/tf-m/trusted-firmware-m \
+ ${SRC_URI_TRUSTED_FIRMWARE_A};name=trusted-firmware-a;nobranch=1;destsuffix=git/modules/tee/tf-a/trusted-firmware-a \
+ ${SRC_URI_TF_M_TESTS};name=tf-m-tests;nobranch=1;destsuffix=git/modules/tee/tf-m/tf-m-tests \
+ ${SRC_URI_PSA_ARCH_TESTS};name=psa-arch-tests;nobranch=1;destsuffix=git/modules/tee/tf-m/psa-arch-tests \
+ ${SRC_URI_UOSCORE_UEDHOC};name=uoscore-uedhoc;nobranch=1;destsuffix=git/modules/lib/uoscore-uedhoc \
+ ${SRC_URI_ZCBOR};name=zcbor;nobranch=1;destsuffix=git/modules/lib/zcbor \
+ ${SRC_URI_ZSCILIB};name=zscilib;nobranch=1;destsuffix=git/modules/lib/zscilib \
+ ${SRC_URI_PATCHES} \
+"
+
+ZEPHYR_MODULES = "\
+${S}/modules/lib/canopennode\;\
+${S}/modules/lib/chre\;\
+${S}/modules/hal/cmsis\;\
+${S}/tools/edtt\;\
+${S}/modules/fs/fatfs\;\
+${S}/modules/lib/fff\;\
+${S}/modules/hal/altera\;\
+${S}/modules/hal/atmel\;\
+${S}/modules/hal/espressif\;\
+${S}/modules/hal/gigadevice\;\
+${S}/modules/hal/infineon\;\
+${S}/modules/hal/microchip\;\
+${S}/modules/hal/nordic\;\
+${S}/modules/hal/nuvoton\;\
+${S}/modules/hal/nxp\;\
+${S}/modules/hal/openisa\;\
+${S}/modules/hal/quicklogic\;\
+${S}/modules/hal/renesas\;\
+${S}/modules/hal/rpi_pico\;\
+${S}/modules/hal/silabs\;\
+${S}/modules/hal/st\;\
+${S}/modules/hal/stm32\;\
+${S}/modules/hal/telink\;\
+${S}/modules/hal/ti\;\
+${S}/modules/hal/wurthelektronik\;\
+${S}/modules/hal/xtensa\;\
+${S}/modules/hal/libmetal\;\
+${S}/modules/lib/liblc3\;\
+${S}/modules/fs/littlefs\;\
+${S}/modules/lib/loramac-node\;\
+${S}/modules/lib/gui/lvgl\;\
+${S}/modules/lib/lz4\;\
+${S}/modules/crypto/mbedtls\;\
+${S}/bootloader/mcuboot\;\
+${S}/modules/debug/mipi-sys-t\;\
+${S}/modules/lib/nanopb\;\
+${S}/tools/net-tools\;\
+${S}/modules/bsim_hw_models/nrf_hw_models\;\
+${S}/modules/lib/open-amp\;\
+${S}/modules/lib/openthread\;\
+${S}/modules/lib/picolibc\;\
+${S}/modules/debug/segger\;\
+${S}/modules/audio/sof\;\
+${S}/modules/lib/tflite-micro\;\
+${S}/modules/lib/tinycbor\;\
+${S}/modules/crypto/tinycrypt\;\
+${S}/modules/debug/TraceRecorder\;\
+${S}/modules/tee/tf-m/trusted-firmware-m\;\
+${S}/modules/tee/tf-a/trusted-firmware-a\;\
+${S}/modules/tee/tf-m/tf-m-tests\;\
+${S}/modules/tee/tf-m/psa-arch-tests\;\
+${S}/modules/lib/uoscore-uedhoc\;\
+${S}/modules/lib/zcbor\;\
+${S}/modules/lib/zscilib\;\
+"
+
+ZEPHYR_BRANCH = "v3.2-branch"
+PV = "3.2.0+git${SRCPV}"
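Review bot: the two patches pulled in through SRC_URI_PATCHES are still named `0001-3.1-cmake-add-yocto-toolchain.patch` and `0001-3.1-x86-fix-efi-binary-generation-issue-in-cross-compila.patch`, while this include sets `ZEPHYR_BRANCH = "v3.2-branch"` and `PV = "3.2.0+git${SRCPV}"`; if they apply unchanged to 3.2, rename them (a 3.2 prefix, or no version in the name) and give them distinct sequence numbers instead of two 0001 entries, so the file names do not suggest they belong to the 3.1 include. Every module entry also uses `nobranch=1`, so the fetcher will not check that the revision is reachable from any branch; that is the right setting for west-style pinned modules, but it only stays safe if each `name=` entry is pinned to a full commit hash rather than a tag.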
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
index f28d1d4..aa299e0 100644
--- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
+++ b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
@@ -12,5 +12,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
S = "${WORKDIR}/git"

# Default to a stable version
-PREFERRED_VERSION_zephyr-kernel ??= "3.1.0"
+PREFERRED_VERSION_zephyr-kernel ??= "3.2.0"
include zephyr-kernel-src-${PREFERRED_VERSION_zephyr-kernel}.inc
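Review bot: bumping the weak default `PREFERRED_VERSION_zephyr-kernel ??= "3.2.0"` moves every build that does not pin a version to 3.2.0, and the `include zephyr-kernel-src-${PREFERRED_VERSION_zephyr-kernel}.inc` line resolves the include file from that value, so a distro that still sets 3.1.0 keeps working only as long as zephyr-kernel-src-3.1.0.inc stays in the layer; the commit message should say which versions remain supported after this change.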
--
2.25.1


[PATCH][meta-rockchip][master][kirkstone][honister] rockchip.wic.inc: let wic update fstab again

Quentin Schulz
 

From: Quentin Schulz <quentin.schulz@...>

The commit ed3a97f7b2e4 ("rockchip-wic.inc: don't let wic edit fstab")
removing this ability was introduced to fix an issue in the wic tool in
OE-Core in which wic partitions whose "mountpoint" is not a valid path
are still added to fstab.
This was eventually fixed in OE-Core in commit 7aa678ce804c
("wic:direct.py: ignore invalid mountpoints during fstab update") which
is part of release Honister (3.4) and later.

Therefore, it should now be safe to let wic update fstab again for
partitions with a valid mountpoint path. The benefit is that the wic
partitions with a mountpoint are now automounted at boot.

Cc: Quentin Schulz <foss+yocto@...>
Signed-off-by: Quentin Schulz <quentin.schulz@...>
---
restore fstab update by wic

Since wic now correctly handles partitions without a valid mountpoint path and
does not add them to fstab, we can let wic update fstab again, so let's do it.

This makes partition automounting work again.

This was tested on a Kirkstone (4.0.4) poky-based core-image-minimal on a
PX30-uQ7 (Ringneck) SoM on Haikou devkit
(https://git.theobroma-systems.com/yocto-layers/meta-theobroma-systems-bsp.git/).

This should be safe to backport to kirkstone and honister too.

Cc: Markus Volk <f_l_k@...>
Cc: Trevor Woerner <twoerner@...>
---
conf/machine/include/rockchip-wic.inc | 3 ---
1 file changed, 3 deletions(-)

diff --git a/conf/machine/include/rockchip-wic.inc b/conf/machine/include/rockchip-wic.inc
index 6fa5367..635288c 100644
--- a/conf/machine/include/rockchip-wic.inc
+++ b/conf/machine/include/rockchip-wic.inc
@@ -27,6 +27,3 @@ WICVARS:append = " \
SPL_BINARY \
UBOOT_SUFFIX \
"
-
-# Do not update fstab file while creating wic images
-WIC_CREATE_EXTRA_ARGS ?= "--no-fstab-update"
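Review bot: removing `WIC_CREATE_EXTRA_ARGS ?= "--no-fstab-update"` leaves no guard for OE-Core releases older than Honister (3.4), where, as the commit message says, wic still writes partitions with an invalid mountpoint into fstab; that is consistent with targeting master, kirkstone and honister only, but the layer's README or LAYERSERIES_COMPAT should record honister as the minimum supported release. Since the removed line was only a weak default, it is worth noting in the message that users who still need the old behaviour can set WIC_CREATE_EXTRA_ARGS in their own configuration.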

---
base-commit: f2b4e6efde0e2e8ed9a15694d716add3eb4d14dc
change-id: 20221109-wic-fstab-7206c7a213c2

Best regards,
--
Quentin Schulz <quentin.schulz@...>


[meta-selinux][PATCH 4/4 V2] refpolicy: upgrade 20210908+git -> 20221101+git

Yi Zhao
 

* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../refpolicy/refpolicy-minimum_git.bb | 91 +++---
.../refpolicy/refpolicy-targeted_git.bb | 1 -
...tile-alias-common-var-volatile-paths.patch | 4 +-
...inimum-make-sysadmin-module-optional.patch | 12 +-
...ed-make-unconfined_u-the-default-sel.patch | 12 +-
...box-set-aliases-for-bin-sbin-and-usr.patch | 4 +-
...icy-minimum-make-xdg-module-optional.patch | 8 +-
...ed-add-capability2-bpf-and-perfmon-f.patch | 52 ----
...y-policy-to-common-yocto-hostname-al.patch | 4 +-
...efpolicy-minimum-enable-nscd_use_shm.patch | 35 ---
...cy-minimum-make-dbus-module-optional.patch | 36 +++
...sr-bin-bash-context-to-bin-bash.bash.patch | 6 +-
...abel-resolv.conf-in-var-run-properly.patch | 4 +-
...-apply-login-context-to-login.shadow.patch | 4 +-
...-fc-hwclock-add-hwclock-alternatives.patch | 4 +-
...g-apply-policy-to-dmesg-alternatives.patch | 4 +-
...ssh-apply-policy-to-ssh-alternatives.patch | 8 +-
...ply-policy-to-network-commands-alter.patch | 4 +-
...v-apply-policy-to-udevadm-in-libexec.patch | 4 +-
...ply-rpm_exec-policy-to-cpio-binaries.patch | 8 +-
...c-su-apply-policy-to-su-alternatives.patch | 4 +-
...fc-fstools-fix-real-path-for-fstools.patch | 17 +-
...fix-update-alternatives-for-sysvinit.patch | 10 +-
...l-apply-policy-to-brctl-alternatives.patch | 4 +-
...apply-policy-to-nologin-alternatives.patch | 8 +-
...apply-policy-to-sulogin-alternatives.patch | 4 +-
...tp-apply-policy-to-ntpd-alternatives.patch | 4 +-
...pply-policy-to-kerberos-alternatives.patch | 4 +-
...ap-apply-policy-to-ldap-alternatives.patch | 4 +-
...ply-policy-to-postgresql-alternative.patch | 4 +-
...-apply-policy-to-screen-alternatives.patch | 4 +-
...ply-policy-to-usermanage-alternative.patch | 26 +-
...etty-add-file-context-to-start_getty.patch | 4 +-
...k-apply-policy-to-vlock-alternatives.patch | 4 +-
...for-init-scripts-and-systemd-service.patch | 8 +-
...bs_dist-set-aliase-for-root-director.patch | 4 +-
...ystem-logging-add-rules-for-the-syml.patch | 6 +-
...ystem-logging-add-rules-for-syslogd-.patch | 8 +-
...ernel-files-add-rules-for-the-symlin.patch | 26 +-
...ystem-logging-fix-auditd-startup-fai.patch | 10 +-
...ernel-terminal-don-t-audit-tty_devic.patch | 6 +-
...rvices-rpcbind-allow-rpcbind_t-to-c.patch} | 23 +-
...ystem-modutils-allow-mod_t-to-access.patch | 67 -----
...ystem-getty-allow-getty_t-to-search-.patch | 32 ---
...stem-systemd-enable-support-for-sys.patch} | 10 +-
...stem-systemd-allow-systemd_logind_t.patch} | 8 +-
...dmin-usermanage-allow-useradd-to-rel.patch | 71 -----
...oles-sysadm-allow-sysadm-to-use-init.patch | 36 +++
...es-system-systemd-systemd-user-fixes.patch | 84 ++++++
...stem-mount-make-mount_t-domain-MLS-.patch} | 8 +-
...ystem-systemd-fix-systemd-resolved-s.patch | 60 ----
...les-sysadm-MLS-sysadm-rw-to-clearan.patch} | 10 +-
...ystem-systemd-allow-systemd_-_t-to-g.patch | 156 -----------
...rvices-rpc-make-nfsd_t-domain-MLS-t.patch} | 12 +-
...ystem-logging-fix-syslogd-failures-f.patch | 55 ----
...min-dmesg-make-dmesg_t-MLS-trusted-.patch} | 6 +-
...es-system-systemd-systemd-user-fixes.patch | 172 ------------
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 8 +-
...ystem-sysnetwork-support-priviledge-.patch | 132 ---------
...stem-init-make-init_t-MLS-trusted-f.patch} | 8 +-
...ystem-modutils-allow-kmod_t-to-write.patch | 34 ---
...stem-systemd-make-systemd-tmpfiles_.patch} | 8 +-
...stem-systemd-systemd-make-systemd_-.patch} | 26 +-
...stem-logging-add-the-syslogd_t-to-t.patch} | 15 +-
...stem-init-make-init_t-MLS-trusted-f.patch} | 8 +-
...stem-init-all-init_t-to-read-any-le.patch} | 8 +-
...stem-logging-allow-auditd_t-to-writ.patch} | 8 +-
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 8 +-
...stem-setrans-allow-setrans_t-use-fd.patch} | 8 +-
...stem-systemd-make-_systemd_t-MLS-tr.patch} | 8 +-
...stem-logging-make-syslogd_runtime_t.patch} | 12 +-
...emd-resolved-is-linked-to-libselinux.patch | 33 ---
...md-allow-DNS-resolution-over-io.syst.patch | 63 -----
...systemd-to-watch-and-watch-reads-on-.patch | 94 -------
...-transition-for-systemd-networkd-run.patch | 32 ---
...ing-file-context-for-run-systemd-net.patch | 29 --
...-contexts-for-systemd-network-genera.patch | 38 ---
...ow-udev-to-read-systemd-networkd-run.patch | 34 ---
...s-apply-policy-to-findfs-alternative.patch | 29 --
.../refpolicy/refpolicy_common.inc | 261 +++++++++---------
recipes-security/refpolicy/refpolicy_git.inc | 4 +-
81 files changed, 556 insertions(+), 1636 deletions(-)
delete mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-make-dbus-module-optional.patch
rename recipes-security/refpolicy/refpolicy/{0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch => 0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch} (52%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
rename recipes-security/refpolicy/refpolicy/{0038-policy-modules-system-systemd-enable-support-for-sys.patch => 0035-policy-modules-system-systemd-enable-support-for-sys.patch} (91%)
rename recipes-security/refpolicy/refpolicy/{0045-policy-modules-system-systemd-allow-systemd_logind_t.patch => 0036-policy-modules-system-systemd-allow-systemd_logind_t.patch} (88%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
rename recipes-security/refpolicy/refpolicy/{0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch => 0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch} (84%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
rename recipes-security/refpolicy/refpolicy/{0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch => 0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch} (83%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
rename recipes-security/refpolicy/refpolicy/{0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch => 0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch} (84%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
rename recipes-security/refpolicy/refpolicy/{0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch => 0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch} (90%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
rename recipes-security/refpolicy/refpolicy/{0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (94%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
rename recipes-security/refpolicy/refpolicy/{0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (89%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
rename recipes-security/refpolicy/refpolicy/{0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch => 0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0053-policy-modules-system-systemd-systemd-make-systemd_-.patch => 0046-policy-modules-system-systemd-systemd-make-systemd_-.patch} (82%)
rename recipes-security/refpolicy/refpolicy/{0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch => 0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch} (78%)
rename recipes-security/refpolicy/refpolicy/{0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (85%)
rename recipes-security/refpolicy/refpolicy/{0056-policy-modules-system-init-all-init_t-to-read-any-le.patch => 0049-policy-modules-system-init-all-init_t-to-read-any-le.patch} (88%)
rename recipes-security/refpolicy/refpolicy/{0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch => 0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch} (87%)
rename recipes-security/refpolicy/refpolicy/{0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (83%)
rename recipes-security/refpolicy/refpolicy/{0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch => 0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch} (83%)
rename recipes-security/refpolicy/refpolicy/{0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch => 0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch} (88%)
rename recipes-security/refpolicy/refpolicy/{0061-policy-modules-system-logging-make-syslogd_runtime_t.patch => 0054-policy-modules-system-logging-make-syslogd_runtime_t.patch} (84%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch

diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 2e95b9f..a50a4cd 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -14,28 +14,28 @@ domains are unconfined. \
SRC_URI += " \
file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
file://0002-refpolicy-minimum-make-xdg-module-optional.patch \
- file://0003-refpolicy-minimum-enable-nscd_use_shm.patch \
+ file://0003-refpolicy-minimum-make-dbus-module-optional.patch \
"

POLICY_NAME = "minimum"

CORE_POLICY_MODULES = "unconfined \
- selinuxutil \
- storage \
- sysnetwork \
- application \
- libraries \
- miscfiles \
- logging \
- userdomain \
- init \
- mount \
- modutils \
- getty \
- authlogin \
- locallogin \
- "
-#systemd dependent policy modules
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
+ "
+# systemd dependent policy modules
CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools dbus', '', d)}"

# nscd caches libc-issued requests to the name service.
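Review bot: this hunk mixes one functional change (replacing `file://0003-refpolicy-minimum-enable-nscd_use_shm.patch` with `file://0003-refpolicy-minimum-make-dbus-module-optional.patch`) with a pure re-indentation of the CORE_POLICY_MODULES list, which buries the real change in whitespace noise; the re-indent would be easier to review as its own commit. The trailing context also keeps the nscd comment block, so the commit message should say why the nscd_use_shm patch is no longer needed, and why the dbus module now has to be optional (it is only added to CORE_POLICY_MODULES when systemd is in DISTRO_FEATURES).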
@@ -60,39 +60,38 @@ EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
#
# PURGE_POLICY_MODULES += "xdg xen"

-
POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"

-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+# Re-write the same func from refpolicy_common.inc
+prepare_policy_store() {
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}

- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
+ # Prepare to create policy store
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}

- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+ # Get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}

- for i in base ${POLICY_MODULES_MIN}; do
- MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
- MOD_DIR=${POL_ACTIVE_MODS}/${i}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ for i in base ${POLICY_MODULES_MIN}; do
+ MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+ MOD_DIR=${POL_ACTIVE_MODS}/${i}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext

- if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
- ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
- else
- bunzip2 --stdout ${MOD_FILE} | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp ${MOD_FILE} ${MOD_DIR}/hll
- done
+ if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+ ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+ else
+ bunzip2 --stdout ${MOD_FILE} | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp ${MOD_FILE} ${MOD_DIR}/hll
+ done
}
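Review bot: in the re-indented prepare_policy_store the pipelines `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` and `bunzip2 --stdout ${MOD_FILE} | ${HLL_BIN} | bzip2 --stdout > ${MOD_DIR}/cil` only report bzip2's exit status, so a failing HLL compiler leaves an empty or truncated cil in the policy store without failing the task; since the whole function is rewritten here anyway, write the HLL output to a temporary file and check its status, or at least fail when `${MOD_DIR}/cil` is empty. `echo -n "${HLL_TYPE}"` is also implementation-defined in POSIX sh; `printf '%s' "${HLL_TYPE}"` is the portable form. Otherwise the hunk is whitespace-only and unrelated to the version bump, so it belongs in a separate commit.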
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index 15226db..de81d46 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,5 +14,4 @@ include refpolicy_${PV}.inc

SRC_URI += " \
file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
- file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch \
"
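Review bot: dropping `file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch` removes the rules that granted unconfined_t the capability2 bpf and perfmon permissions systemd requests (the deleted patch below quotes the AVC denials it fixed), but the commit message only says "Drop obsolete and useless patches"; please name the upstream refpolicy change that now grants these permissions, or confirm that a targeted image boots in enforcing mode without those denials returning.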
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index c3a03f3..1605d90 100644
--- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,4 +1,4 @@
-From d39f2ddbfcfd6e224a50bf327a7bd0031d74d0c6 Mon Sep 17 00:00:00 2001
+From ee66387c393af77b88c833f5d271efe48036112c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 16:14:09 -0400
Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
@@ -29,5 +29,5 @@ index ba22ce7e7..23d4328f7 100644
+/var/volatile/log /var/log
+/var/volatile/tmp /var/tmp
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index f607cbb..657c5cd 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,4 @@
-From 669293ddf351f231b34979a7d708601ccbd11930 Mon Sep 17 00:00:00 2001
+From 0e3b79ae0ae468640d7092c9a91a91d258d07645 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 5 Apr 2019 11:53:28 -0400
Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5a19f0e43..1f4a671dc 100644
+index 671b5aef3..8ce3d5956 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -556,13 +556,15 @@ ifdef(`init_systemd',`
+@@ -615,13 +615,15 @@ ifdef(`init_systemd',`
unconfined_write_keys(init_t)
')
',`
@@ -48,10 +48,10 @@ index 5a19f0e43..1f4a671dc 100644
')
')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 109980e79..313112371 100644
+index 7728de804..a8ff403dd 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -265,7 +265,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -274,7 +274,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)

@@ -63,5 +63,5 @@ index 109980e79..313112371 100644
# by default, sulogin does not use pam...
# sulogin_pam might need to be defined otherwise
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
index 9939b59..64e658e 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,14 +1,14 @@
-From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
+From 60b4e5ea5668a71b2a0660461daecea66fd11d51 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@...>
Date: Mon, 20 Apr 2020 11:50:03 +0800
Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
user

For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
+user for root and normal users, so users could login and run most
commands and services on unconfined domains.

-Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
Signed-off-by: Joe MacDonald <joe_macdonald@...>
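Review bot: beyond the mechanical refresh, this hunk changes the recorded author from Yi Zhao to Xin Ouyang (matching the first Signed-off-by) and reclassifies Upstream-Status from `Inappropriate [configuration]` to `Inappropriate [embedded specific]`; both are reasonable, but neither is covered by "Rebase patches" in the commit message, so mention them there. The wording fix from "login in" to "login" is good.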
@@ -38,7 +38,7 @@ index ce614b41b..c0903d98b 100644
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 4972094cb..b6d769412 100644
+index d116a1b9b..32720f68f 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
@@ -77,5 +77,5 @@ index ca203758c..e737cd9cc 100644
+ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index d2b8139..ef00602 100644
--- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,4 +1,4 @@
-From 974befcafcee1377e122f19a4182f74eea757158 Mon Sep 17 00:00:00 2001
+From 8fa6c5b7b99a50b09e9dffd142c066fa41319750 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 20:48:10 -0400
Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
@@ -29,5 +29,5 @@ index 23d4328f7..690007f22 100644
+/usr/lib/busybox/sbin /usr/sbin
+/usr/lib/busybox/usr /usr
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
index 84764e5..25afa3b 100644
--- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
@@ -1,4 +1,4 @@
-From 1ff0e212ce737bba59d90977a58a15250bc84ea9 Mon Sep 17 00:00:00 2001
+From 9a8d6b634d4f714fc63125be5e23228c565d1aaf Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Wed, 29 Sep 2021 11:08:49 +0800
Subject: [PATCH] refpolicy-minimum: make xdg module optional
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 8cea6baa1..218834495 100644
+index 7b717d3ba..3b07b368d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -276,10 +276,14 @@ files_type(systemd_update_run_t)
+@@ -298,10 +298,14 @@ init_unit_file(systemd_user_manager_unit_t)

type systemd_conf_home_t;
init_unit_file(systemd_conf_home_t)
@@ -36,5 +36,5 @@ index 8cea6baa1..218834495 100644
type systemd_user_runtime_notify_t;
userdom_user_runtime_content(systemd_user_runtime_notify_t)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
deleted file mode 100644
index e4c081d..0000000
--- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Wed, 29 Sep 2021 16:43:54 +0800
-Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
- unconfined_t
-
-Fixes:
-avc: denied { bpf } for pid=433 comm="systemd" capability=39
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=capability2 permissive=0
-
-avc: denied { perfmon } for pid=433 comm="systemd" capability=38
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=capability2 permissive=0
-
-type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
-subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
-denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0
-hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
-UID="root" GID="root" SAUID="root"
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/unconfined.if | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index a139cfe78..807e959c3 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
- files_start_etc_service($1)
- files_stop_etc_service($1)
-
-+ ifdef(`init_systemd',`
-+ allow $1 self:capability2 { bpf perfmon };
-+ allow $1 self:system reload;
-+ ')
-+
- tunable_policy(`allow_execheap',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execheap;
---
-2.17.1
-
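Review bot: the commit message should say why 0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch is dropped. The removed hunk is what gave the unconfined domain `capability2 { bpf perfmon }` and `system reload` under init_systemd, added to fix the systemd AVC denials quoted in its description; if the refpolicy version being moved to does not carry an equivalent rule, those denials come back on a targeted/systemd image. If upstream now allows them, say so, since dropping a local widening of unconfined_domain_noaudit in favour of an upstream rule is the better outcome anyway.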
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index 6596e76..94ac31b 100644
--- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,4 +1,4 @@
-From 9c6f3c5acc01607a67277f69faa67e34dc98232b Mon Sep 17 00:00:00 2001
+From 5a0bbd1920205f488b6a4565f7217b9d0825067b Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
@@ -22,5 +22,5 @@ index 83ddeb573..cf523bc4c 100644
+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
deleted file mode 100644
index edf9caa..0000000
--- a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5f992b59a74cc6cde8fd20162a11065dc30fd7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 26 Feb 2021 09:13:23 +0800
-Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm
-
-Fixes:
-avc: denied { listen } for pid=199 comm="systemd-resolve"
-path="/run/systemd/resolve/io.systemd.Resolve"
-scontext=system_u:system_r:systemd_resolved_t:s0
-tcontext=system_u:system_r:systemd_resolved_t:s0
-tclass=unix_stream_socket permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/nscd.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index ada67edb1..9801fc228 100644
---- a/policy/modules/services/nscd.te
-+++ b/policy/modules/services/nscd.te
-@@ -15,7 +15,7 @@ gen_require(`
- ## can use nscd shared memory.
- ## </p>
- ## </desc>
--gen_tunable(nscd_use_shm, false)
-+gen_tunable(nscd_use_shm, true)
-
- attribute_role nscd_roles;
-
---
-2.17.1
-
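Review bot: same request for 0003-refpolicy-minimum-enable-nscd_use_shm.patch: the removed patch only flipped the nscd_use_shm tunable default from false to true to clear the systemd-resolved unix_stream_socket listen denial quoted in its description. Deleting it means either that the new refpolicy handles systemd_resolved_t differently or that the tunable is now set elsewhere; state which, so a reviewer can verify that the minimum policy still boots cleanly with systemd-resolved.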
diff --git a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-make-dbus-module-optional.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-make-dbus-module-optional.patch
new file mode 100644
index 0000000..d545d2a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-make-dbus-module-optional.patch
@@ -0,0 +1,36 @@
+From e28807393f105a16528cb5304283bde0b771fc4e Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Wed, 9 Nov 2022 10:53:26 +0800
+Subject: [PATCH] refpolicy-minimum: make dbus module optional
+
+The mount module invokes interface
+dbus_dontaudit_write_system_bus_runtime_named_sockets which is from dbus
+module. Since dbus is not a core moudle in sysvinit system, we could
+make this interface optional in mount module by optional_policy. Then we
+could make the minimum policy without dbus module.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/system/mount.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 97f49e58e..b59529a01 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -146,7 +146,9 @@ selinux_getattr_fs(mount_t)
+
+ userdom_use_all_users_fds(mount_t)
+
+-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
++optional_policy(`
++ dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
++')
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+--
+2.25.1
+
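Review bot: in the new 0003-refpolicy-minimum-make-dbus-module-optional.patch the description has a typo ("moudle") and the Upstream-Status looks wrong: wrapping a cross-module interface call in optional_policy(`...') is exactly how mount.te already guards its other dependencies (see the optional_policy( block inside ifdef(`distro_redhat',` right below the changed lines), and the description itself says dbus is not a core module, so this is a candidate for submission upstream rather than "Inappropriate [embedded specific]". It is also worth stating that the wrapped interface is a dontaudit, so making it optional changes only audit noise, never what mount_t is allowed to do.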
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
index cf333f1..eff0255 100644
--- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -1,4 +1,4 @@
-From bbc8b58fe5fe709dfadbffc86e17ebd2d76a257c Mon Sep 17 00:00:00 2001
+From c9219d2f7be1e641b3866b770a9b570c12333b93 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:37:32 -0400
Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
@@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 4c18154ce..9187e50af 100644
+index 0c05c693d..b70940928 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -142,6 +142,7 @@ ifdef(`distro_gentoo',`
@@ -27,5 +27,5 @@ index 4c18154ce..9187e50af 100644
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index 078c246..06c8087 100644
--- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,4 +1,4 @@
-From 3cccdec2aaa273ca09100ca957f4968a25f4f3a3 Mon Sep 17 00:00:00 2001
+From 51631a7eaaea1fab4b36a2488497cf725317ce6e Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 4 Apr 2019 10:45:03 -0400
Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
@@ -25,5 +25,5 @@ index 14505efe9..c9ec4e5ab 100644
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index b4747f7..70c5566 100644
--- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,4 +1,4 @@
-From 9a1e1c7b65cb3f5ab97ce05463ca02a3eaa57d86 Mon Sep 17 00:00:00 2001
+From 1c61b10d21a22d4110bc880b23477295f6cd9efb Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:43:53 -0400
Subject: [PATCH] fc/login: apply login context to login.shadow
@@ -24,5 +24,5 @@ index 50efcff7b..5cb48882c 100644
/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
index 33f6a10..2f9f703 100644
--- a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
@@ -1,4 +1,4 @@
-From 73716015ab28a9474912902e9467f2d2a864ecd0 Mon Sep 17 00:00:00 2001
+From e4d7d9fb1cb157bf205874e1a81d5719017866a1 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Thu, 28 Mar 2019 21:59:18 -0400
Subject: [PATCH] fc/hwclock: add hwclock alternatives
@@ -21,5 +21,5 @@ index 301965892..139485835 100644
/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
index 5f2ffdf..6e576a8 100644
--- a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -1,4 +1,4 @@
-From 504e8429500ab0984adfd52bb09a3e993b87f2f1 Mon Sep 17 00:00:00 2001
+From ac6536f04674ccc051744e6eb3644e68fe38da33 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 08:26:55 -0400
Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
@@ -19,5 +19,5 @@ index e52fdfcf8..526b92ed2 100644
/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
index 585850b..611c0d3 100644
--- a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,4 +1,4 @@
-From 8ad451ceff2ba4ea26290a7ba9918406a90bb10f Mon Sep 17 00:00:00 2001
+From a56887ca448b60ad6715348b2cfe533e8109a040 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:20:58 -0400
Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
@@ -12,11 +12,11 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 60060c35c..518043a9b 100644
+index 5c512e972..0448c1877 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host.*_key(\.pub)? -- gen_context(system_u:object_r:sshd_key_t,s0)

/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
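Review bot: the refreshed context line in this hunk shows upstream ssh.fc now labelling /etc/ssh/ssh_host.*_key(\.pub)? as sshd_key_t, i.e. the host public keys get the same restrictive label as the private keys. That is an upstream change rather than this layer's, but it is a behaviour change for the image: anything that reads the public host keys from a domain without read access to sshd_key_t (for instance tooling that seeds known_hosts) will start to see denials. A sentence in the commit message pointing this out would save the next person a bisect.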
@@ -24,5 +24,5 @@ index 60060c35c..518043a9b 100644
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
index 0621923..7af147d 100644
--- a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
@@ -1,4 +1,4 @@
-From c85fd7d9c45770b31de44bb35521e2251882df10 Mon Sep 17 00:00:00 2001
+From 47a5e9a0bd4960534998798ab1a5ab62e77b2b61 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Tue, 9 Jun 2015 21:22:52 +0530
Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives
@@ -43,5 +43,5 @@ index c9ec4e5ab..4ca151524 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
index cc3e529..434fc1d 100644
--- a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -1,4 +1,4 @@
-From aa2635a54f9c36205ebc469f799a56ece01ac610 Mon Sep 17 00:00:00 2001
+From bbc6eb20e9509a61236051df7a5fa552a8f2654d Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:36:08 -0400
Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
@@ -25,5 +25,5 @@ index 7898ff01c..bc717e60c 100644
/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
index b039f53..bf562d6 100644
--- a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -1,4 +1,4 @@
-From faf757c732c9a022499b584cea64ce1fcc78e118 Mon Sep 17 00:00:00 2001
+From 00533fded8e2264f8bdc68c8ed79644a10e4e2ad Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 09:54:07 -0400
Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
@@ -12,10 +12,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index aaf530c2b..618b18cec 100644
+index 3f842f942..12973ac8b 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
-@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
+@@ -71,4 +71,6 @@ ifdef(`distro_redhat',`

ifdef(`enable_mls',`
/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -23,5 +23,5 @@ index aaf530c2b..618b18cec 100644
+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
index 14c7d5b..32d38f1 100644
--- a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,4 +1,4 @@
-From 52853ae9ee13038c5ffae8616858c442d412a2b8 Mon Sep 17 00:00:00 2001
+From 4b202554e646a60000c1acad7bbdfae1078bdc10 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 13 Feb 2014 00:33:07 -0500
Subject: [PATCH] fc/su: apply policy to su alternatives
@@ -23,5 +23,5 @@ index 3375c9692..a9868cd58 100644
+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
index c2e0ca8..de0aad7 100644
--- a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,4 +1,4 @@
-From 4f3a637c0385204c0b87806d158e106fb9f88972 Mon Sep 17 00:00:00 2001
+From f64a5d6a2f2e72ae6c5122220eb759117b6384c8 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Mon, 27 Jan 2014 03:54:01 -0500
Subject: [PATCH] fc/fstools: fix real path for fstools
@@ -10,14 +10,14 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@...>
Signed-off-by: Joe MacDonald <joe_macdonald@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/fstools.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ policy/modules/system/fstools.fc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d871294e8..bef711850 100644
+index 8fbd5ce44..2842afbcc 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
-@@ -59,7 +59,9 @@
+@@ -58,7 +58,9 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -27,12 +27,13 @@ index d871294e8..bef711850 100644
/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -73,10 +75,12 @@
+@@ -72,10 +74,13 @@
/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
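Review bot: this hunk does more than rebase: /usr/sbin/findfs\.util-linux is a new file context entry (the stats line above also moves from 10 to 11 insertions). It is consistent with the existing fdisk\.util-linux line, but an entry added silently inside a refresh commit is easy to miss; list it in the commit message, and ideally add it as its own commit so the rebase stays mechanical.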
@@ -40,7 +41,7 @@ index d871294e8..bef711850 100644
/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -84,24 +88,30 @@
+@@ -83,24 +88,30 @@
/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -72,5 +73,5 @@ index d871294e8..bef711850 100644
/usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
index b3ab0cc..5e9c197 100644
--- a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -1,4 +1,4 @@
-From e1439aa43af6ef15b35eac3cdbf0cea561768362 Mon Sep 17 00:00:00 2001
+From 6d2a96abd1e292d0c34ff77501e618cfc193655f Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
@@ -26,7 +26,7 @@ index bf51c103f..91ed72be0 100644

/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 9187e50af..0ecabe34e 100644
+index b70940928..e6077fd5b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
@@ -39,10 +39,10 @@ index 9187e50af..0ecabe34e 100644
/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 63cf195e6..5268bddb2 100644
+index 1a99e5824..7f0b7c699 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+@@ -41,6 +41,7 @@ ifdef(`distro_gentoo',`
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)

/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
@@ -51,5 +51,5 @@ index 63cf195e6..5268bddb2 100644
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
index b9812b7..b0ba609 100644
--- a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -1,4 +1,4 @@
-From 274066b3397b53d63134aee94a0148d9c7d1886d Mon Sep 17 00:00:00 2001
+From 2e9c22ee83b7d4fea7b177ca8111c06e69338db9 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:19:54 +0800
Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
@@ -20,5 +20,5 @@ index ed472f095..2a852b0fd 100644
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
index e0ddc5e..58ac463 100644
--- a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -1,4 +1,4 @@
-From ab0267f77e38bcda797cfe00ba6fa49ba89e334a Mon Sep 17 00:00:00 2001
+From c43f2d7ddf1d0c2185796e0297dd9f85b9663aaf Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:21:51 +0800
Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
@@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0ecabe34e..e27e701ef 100644
+index e6077fd5b..0df59e837 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -304,6 +304,8 @@ ifdef(`distro_debian',`
+@@ -306,6 +306,8 @@ ifdef(`distro_debian',`
/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -24,5 +24,5 @@ index 0ecabe34e..e27e701ef 100644
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
index 2fe3740..3c43254 100644
--- a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -1,4 +1,4 @@
-From cfb86acce9fe9da9b88c853c0b22d48d99602fbb Mon Sep 17 00:00:00 2001
+From 11c95928e325aea7e4c41a9cdf969f9bdd306611 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:43:28 +0800
Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
@@ -21,5 +21,5 @@ index fc8d58507..59e6e9601 100644
+/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
index 4b046ce..cbae4c5 100644
--- a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -1,4 +1,4 @@
-From e159e70b533b500390337ec666d678c7424afb90 Mon Sep 17 00:00:00 2001
+From 5841a5bd25e6017b6ccff4f56628ad6e950eadad Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:45:23 +0800
Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
@@ -23,5 +23,5 @@ index cd69ea5d5..49ffe6f68 100644
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
index 9d2e6fa..76e7fe9 100644
--- a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -1,4 +1,4 @@
-From 95797c20fb68558b9f37ded3f1cc9a4ef09717f9 Mon Sep 17 00:00:00 2001
+From 8126ec521e5a0f72da098f5d90b5b5b392006b7c Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 10:55:05 +0800
Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
@@ -46,5 +46,5 @@ index df21fcc78..ce0166edd 100644
/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
index e0b7b9e..a46c9c9 100644
--- a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -1,4 +1,4 @@
-From 6b43af067ec45bce1b7059fc549e246f53311d3a Mon Sep 17 00:00:00 2001
+From c71ea08245069001b56aadd7bb0af28e019f45e4 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:06:13 +0800
Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
@@ -36,5 +36,5 @@ index 0a1d08d0f..65b202962 100644
/run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
/run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
index 4a1a2dc..0a0464f 100644
--- a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -1,4 +1,4 @@
-From 5f664c3a38853129fa1703032822c203dbeaf0a6 Mon Sep 17 00:00:00 2001
+From 72726c1bc51628e6eb56e758f1e334f9b9a0f17e Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:13:16 +0800
Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
@@ -33,5 +33,5 @@ index f31a52cf8..f9bf46870 100644
/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
index 9ae9435..e95cb3c 100644
--- a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -1,4 +1,4 @@
-From 2d1634127f8f5c9ec98f866711b8d15b7df815d1 Mon Sep 17 00:00:00 2001
+From 003a22f73563ef7b8b4ab6a6a0cb4a920a43570f Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:15:33 +0800
Subject: [PATCH] fc/screen: apply policy to screen alternatives
@@ -21,5 +21,5 @@ index e51e01d97..238dc263e 100644
+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
index 2dbdcf4..a92b809 100644
--- a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -1,4 +1,4 @@
-From 2323a6ab69c4a74ab127c16e38f14616a289b3d1 Mon Sep 17 00:00:00 2001
+From fdf7c2d27b6ecf08c88bb98e52a7d8284ac828af Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 11:25:34 +0800
Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
@@ -7,26 +7,28 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/admin/usermanage.fc | 6 ++++++
- 1 file changed, 6 insertions(+)
+ policy/modules/admin/usermanage.fc | 8 ++++++++
+ 1 file changed, 8 insertions(+)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 620eefc6f..bf1ff09ab 100644
+index 7209a8dd0..c9dc1f000 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
-@@ -4,7 +4,11 @@ ifdef(`distro_debian',`
+@@ -4,8 +4,13 @@ ifdef(`distro_debian',`

/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
-@@ -14,6 +18,7 @@ ifdef(`distro_debian',`
+@@ -15,6 +20,7 @@ ifdef(`distro_debian',`
/usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
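Review bot: the new `++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)` entry is required rather than cosmetic, and that reasoning belongs in the patch description. The `--` entries match regular files only and SELinux applies the entrypoint type of the file the alternatives symlink resolves to, so with only the upstream `/usr/bin/chpasswd` line (now visible as context) a call through the symlink would execute the `.shadow` binary without passwd_exec_t and no transition into the passwd domain would happen. The entry is consistent with the chfn/chsh `.shadow` entries above; chpasswd gets no `.util-linux` variant because util-linux does not ship a chpasswd, which is worth one sentence so the asymmetry is not read as an omission.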
@@ -34,7 +36,15 @@ index 620eefc6f..bf1ff09ab 100644
/usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -39,6 +44,7 @@ ifdef(`distro_debian',`
+@@ -26,6 +32,7 @@ ifdef(`distro_debian',`
+ /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+ /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -41,6 +48,7 @@ ifdef(`distro_debian',`
/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
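Review bot: the `/usr/sbin` mirror at `++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)` is consistent with the `/usr/bin` entry, and the refreshed inner headers (`+@@ -4,8 +4,13 @@`, `+@@ -15,6 +20,7 @@`, `+@@ -26,6 +32,7 @@`, `+@@ -41,6 +48,7 @@`) add up to the `8 insertions(+)` the updated diffstat claims, so the counts line up. The re-anchoring from `-@@ -39,6 +44,7 @@` to line 26 with new `/usr/lib/cracklib_dict.*` and `/usr/sbin/chpasswd` context shows upstream usermanage.fc was reordered between `620eefc6f` and `7209a8dd0`; the patch should be applied with `git am` against that revision rather than relying on fuzz, which the new index line suggests was done.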
@@ -43,5 +53,5 @@ index 620eefc6f..bf1ff09ab 100644
/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
index c0d9cf4..f6fa8a0 100644
--- a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
@@ -1,4 +1,4 @@
-From dbd399143d6fbda828cfc9f2546bc730e0da584c Mon Sep 17 00:00:00 2001
+From 863ece4fd9815997486c04ce89180707435669e4 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Fri, 15 Nov 2019 16:07:30 +0800
Subject: [PATCH] fc/getty: add file context to start_getty
@@ -23,5 +23,5 @@ index 116ea6421..53ff6137b 100644
/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
index 71521e8..7f63b14 100644
--- a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
@@ -1,4 +1,4 @@
-From 0280f05e2c9665f094d7098cd03e11d75908bcdb Mon Sep 17 00:00:00 2001
+From 5bb33b7d9d7915399cca7d8c6fbdd9c0e27c1cd8 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Wed, 18 Dec 2019 15:04:41 +0800
Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
@@ -21,5 +21,5 @@ index f668cde9c..c4bc50984 100644

/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
index ca9b644..cfb2fd5 100644
--- a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
+++ b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -1,4 +1,4 @@
-From 7f8b07b7af0c3cd8bbec49082b42011ac433df45 Mon Sep 17 00:00:00 2001
+From 574df1810c8f32bbf24b223f72f6622b0df7e82c Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 30 Jun 2020 10:45:57 +0800
Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
@@ -34,7 +34,7 @@ index 382c067f9..0ecc5acc4 100644
/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)

diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 88d2acaf0..d9c0a4aa7 100644
+index 75c2f0617..fa881ba2e 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -1,7 +1,9 @@
@@ -46,7 +46,7 @@ index 88d2acaf0..d9c0a4aa7 100644
+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)

- /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 5681acb51..4ff5f990a 100644
--- a/policy/modules/system/logging.fc
@@ -60,5 +60,5 @@ index 5681acb51..4ff5f990a 100644
/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
index dc10350..82b4708 100644
--- a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
+++ b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
@@ -1,4 +1,4 @@
-From 0bb081084a2d12f9041bfae195481d898b5a0ba1 Mon Sep 17 00:00:00 2001
+From 01f57c996e09fb68daf3d97805c46c27a6d34304 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Sun, 5 Apr 2020 22:03:45 +0800
Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
@@ -26,5 +26,5 @@ index 690007f22..f80499ebf 100644
+# Add an aliase for it
+/root /home/root
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
index f8a4cec..06b792a 100644
--- a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -1,4 +1,4 @@
-From 9c676fe5ff2a14206f25bf8ed932c305f13dcfdc Mon Sep 17 00:00:00 2001
+From 2e9b42143ccb92f04d8d57430b3ae1e9f55eb00e Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
@@ -30,7 +30,7 @@ index 4ff5f990a..dee26a9f4 100644
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 341763730..30d402c75 100644
+index cf7ef1721..b627cacb8 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',`
@@ -100,5 +100,5 @@ index 341763730..30d402c75 100644

########################################
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
index a06b3f4..ecfc018 100644
--- a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -1,4 +1,4 @@
-From c9759b1024873819cf594fe7ac3bf06bcf0d959d Mon Sep 17 00:00:00 2001
+From 26dc5529db7664ae248eba4dbc5d17915c371137 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@...>
Date: Fri, 29 Mar 2019 10:33:18 -0400
Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 21e3285a9..abee7df9c 100644
+index abd61e6bd..90d8ccd31 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -411,6 +411,7 @@ files_search_spool(syslogd_t)
+@@ -420,6 +420,7 @@ files_search_spool(syslogd_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
@@ -30,5 +30,5 @@ index 21e3285a9..abee7df9c 100644
# for systemd but can not be conditional
files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
index ffa78ac..48e8acf 100644
--- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -1,4 +1,4 @@
-From fd55f9f292617c7475c62c07ed6c478b4bd9eda5 Mon Sep 17 00:00:00 2001
+From 9052089dfc4f7466fcf304ab282c2e32933a5881 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 9 insertions(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 826722f4e..677ae96c3 100644
+index f6ff6b079..279df3d3c 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
-@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -170,6 +170,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -30,10 +30,10 @@ index 826722f4e..677ae96c3 100644
/tmp/\.journal <<none>>

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 495cbe2f4..b308eefd9 100644
+index f7217b226..451f302af 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -4555,6 +4555,7 @@ interface(`files_search_tmp',`
+@@ -4750,6 +4750,7 @@ interface(`files_search_tmp',`
')

allow $1 tmp_t:dir search_dir_perms;
@@ -41,7 +41,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4591,6 +4592,7 @@ interface(`files_list_tmp',`
+@@ -4786,6 +4787,7 @@ interface(`files_list_tmp',`
')

allow $1 tmp_t:dir list_dir_perms;
@@ -49,7 +49,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4627,6 +4629,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4822,6 +4824,7 @@ interface(`files_delete_tmp_dir_entry',`
')

allow $1 tmp_t:dir del_entry_dir_perms;
@@ -57,7 +57,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4645,6 +4648,7 @@ interface(`files_read_generic_tmp_files',`
+@@ -4840,6 +4843,7 @@ interface(`files_read_generic_tmp_files',`
')

read_files_pattern($1, tmp_t, tmp_t)
@@ -65,7 +65,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4663,6 +4667,7 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4858,6 +4862,7 @@ interface(`files_manage_generic_tmp_dirs',`
')

manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -73,7 +73,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4699,6 +4704,7 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4894,6 +4899,7 @@ interface(`files_manage_generic_tmp_files',`
')

manage_files_pattern($1, tmp_t, tmp_t)
@@ -81,7 +81,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4735,6 +4741,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4930,6 +4936,7 @@ interface(`files_rw_generic_tmp_sockets',`
')

rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -89,7 +89,7 @@ index 495cbe2f4..b308eefd9 100644
')

########################################
-@@ -4942,6 +4949,7 @@ interface(`files_tmp_filetrans',`
+@@ -5137,6 +5144,7 @@ interface(`files_tmp_filetrans',`
')

filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -98,5 +98,5 @@ index 495cbe2f4..b308eefd9 100644

########################################
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
index 3f10d06..22ce8f2 100644
--- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@
-From a196ae5e13b3f8e0d2e7ff27c8d481c9376b18e9 Mon Sep 17 00:00:00 2001
+From eed095029b270bbc49dc67d6b7b6b2fe9c3bca07 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index abee7df9c..cc530a2be 100644
+index 90d8ccd31..d3b06db7d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map;
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +28,7 @@ index abee7df9c..cc530a2be 100644
allow auditd_t var_log_t:dir search_dir_perms;

manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -290,6 +291,7 @@ optional_policy(`
+@@ -298,6 +299,7 @@ optional_policy(`
allow audisp_remote_t self:capability { setpcap setuid };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
@@ -37,5 +37,5 @@ index abee7df9c..cc530a2be 100644

manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
index 3421a43..f62db74 100644
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -1,4 +1,4 @@
-From bfcb86c9c9ad6a9f10a8556320443d8c96adedc9 Mon Sep 17 00:00:00 2001
+From 3f24b88886fcd1a17248d8d674a02d01061d937a Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
@@ -17,7 +17,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 55c18dffb..e8c0735eb 100644
+index e5645c7c5..6e9f654ac 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -335,9 +335,12 @@ interface(`term_use_console',`
@@ -34,5 +34,5 @@ index 55c18dffb..e8c0735eb 100644

########################################
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
similarity index 52%
rename from recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
rename to recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
index f9aa158..0b00f5a 100644
--- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -1,4 +1,4 @@
-From d1352b688603b16eb6da7a30198d8b7abfc55d1e Mon Sep 17 00:00:00 2001
+From 9c84425bbcaef5913fb6e309b8811639134714ed Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Wed, 1 Jul 2020 08:44:07 +0800
Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
@@ -13,14 +13,14 @@ Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/services/rpcbind.te | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
+ policy/modules/services/rpcbind.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 168c28ca3..e1eb7d5fc 100644
+index 137c21ece..2a712192b 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
-@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
+@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
# Local policy
#

@@ -29,17 +29,6 @@ index 168c28ca3..e1eb7d5fc 100644
# net_admin is for SO_SNDBUFFORCE
dontaudit rpcbind_t self:capability net_admin;
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
- allow rpcbind_t self:unix_stream_socket { accept listen };
- allow rpcbind_t self:tcp_socket { accept listen };
-
-+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
--files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })
-+files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir })
-
- manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
- manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
--
-2.17.1
+2.25.1

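Review bot: with `+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)` and the `{ file sock_file dir }` filetrans change both dropped from this patch, the diffstat in the previous hunk now claims `1 insertion(+), 1 deletion(-)`, but the surviving one-line change sits in the unchanged region between the two hunks and is not visible in this diff. Please say in the commit message what that remaining change is and why the dir rules were removed (presumably upstream rpcbind.te at `index 137c21ece..2a712192b` now carries them), since the inner subject still reads `allow rpcbind_t to create` and a reviewer cannot check it from these lines alone.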
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
deleted file mode 100644
index e7ce388..0000000
--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 24 Aug 2020 11:29:09 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
- confidentiality of class lockdown
-
-The SELinux lockdown implementation was introduced since kernel 5.6 by
-commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
-and udev_t to access confidentiality of class lockdown to mount tracefs.
-
-Fixes:
-kernel: Could not create tracefs 'iwlwifi_data/filter' entry
-kernel: Could not create tracefs 'enable' entry
-kernel: Could not create tracefs 'id' entry
-kernel: Could not create tracefs 'filter' entry
-kernel: Could not create tracefs 'trigger' entry
-kernel: Could not create tracefs 'format' entry
-
-audit[170]: AVC avc: denied { confidentiality } for pid=170
-comm="modprobe" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:kmod_t:s15:c0.c1023
-tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
-permissive=0
-
-audit[190]: AVC avc: denied { confidentiality } for pid=190
-comm="systemd-udevd" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/modutils.te | 2 ++
- policy/modules/system/udev.te | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b0a419dc1..5b4f0aca1 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
- allow kmod_t self:udp_socket create_socket_perms;
- allow kmod_t self:rawip_socket create_socket_perms;
-
-+allow kmod_t self:lockdown confidentiality;
-+
- # Read module config and dependency information
- list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
- read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index c50ff68c1..4c5a690fb 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
- # for systemd-udevd to rename interfaces
- allow udev_t self:netlink_route_socket nlmsg_write;
-
-+allow udev_t self:lockdown confidentiality;
-+
- can_exec(udev_t, udev_exec_t)
-
- allow udev_t udev_helper_exec_t:dir list_dir_perms;
---
-2.17.1
-
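Review bot: deleting this patch removes `allow kmod_t self:lockdown confidentiality;` and `allow udev_t self:lockdown confidentiality;` with no replacement visible anywhere in this diff. If upstream refpolicy now grants the lockdown confidentiality access needed for tracefs, cite that in the commit message; if it does not, the `lockdown_reason="use of tracefs"` denials for modprobe and systemd-udevd quoted in the deleted description will return on kernels with the SELinux lockdown hook. Either way the removal changes what kmod_t and udev_t may do under lockdown and deserves one sentence of justification rather than a silent delete.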
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
deleted file mode 100644
index 0dfe0ee..0000000
--- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 175b493e7fe69de274388a7f251e74ec9cd56c41 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 23 Jun 2020 08:39:44 +0800
-Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
-
-Fixes:
-avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs"
-ino=1 scontext=system_u:system_r:getty_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/getty.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index e6e76a93b..c704ddb82 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t)
- files_read_etc_files(getty_t)
- files_search_spool(getty_t)
- files_dontaudit_search_var_lib(getty_t)
-+fs_search_tmpfs(getty_t)
-
- fs_search_auto_mountpoints(getty_t)
- # for error condition handling
---
-2.17.1
-
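Review bot: removing `+fs_search_tmpfs(getty_t)` drops the fix for the `avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs"` denial quoted in the deleted patch. Please note in the commit message whether upstream getty.te now includes a tmpfs search rule for getty_t; otherwise agetty will hit this denial again on any tmpfs mount point it traverses, and the regression would only show up at first console login.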
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
similarity index 91%
rename from recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch
rename to recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
index cc29c7b..43b2f4d 100644
--- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -1,4 +1,4 @@
-From 93d4f198bd469a8728f5ce0cc51ff18f8a58b23b Mon Sep 17 00:00:00 2001
+From 6465e39b6dfe8daa88cab321e3cf44ccc9f1441d Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: enable support for
@@ -36,10 +36,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 3d9198342..31d28a0e3 100644
+index ef25974ac..362248d17 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.12.6)
+@@ -10,7 +10,7 @@ policy_module(systemd)
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
@@ -48,7 +48,7 @@ index 3d9198342..31d28a0e3 100644

## <desc>
## <p>
-@@ -1396,6 +1396,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
+@@ -1640,6 +1640,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
files_relabelto_home(systemd_tmpfiles_t)
files_relabelto_etc_dirs(systemd_tmpfiles_t)
files_setattr_lock_dirs(systemd_tmpfiles_t)
@@ -60,5 +60,5 @@ index 3d9198342..31d28a0e3 100644
files_manage_etc_symlinks(systemd_tmpfiles_t)

--
-2.17.1
+2.25.1

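Review bot: renaming `0038-...-enable-support-for-sys.patch` to `0035-...` (and, earlier in this diff, `0036-...rpcbind...` to `0034-...`) changes the filenames the recipe's SRC_URI must reference, and that recipe change is not part of this hunk. Confirm the SRC_URI update is in the same commit, otherwise the fetch step fails for every renamed patch; a note in the commit message that the numbering was compacted after the three deletions would also help the next person rebasing.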
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
rename to recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
index 49aa7a6..56b6119 100644
--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -1,4 +1,4 @@
-From 4e2df7ca542b6c94e74345daaecb33efc82d749a Mon Sep 17 00:00:00 2001
+From 2acb5ddbd04c578a420418e3bcb572bbd2dfbae6 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Sat, 18 Dec 2021 09:26:43 +0800
Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 847895e63..1a83148c1 100644
+index 362248d17..4a1e06640 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+@@ -920,6 +920,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
@@ -39,5 +39,5 @@ index 847895e63..1a83148c1 100644
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
deleted file mode 100644
index 9465a3e..0000000
--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 07866ad826b299194c1bfd7978e5077dde72a68e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 11 Oct 2021 10:10:10 +0800
-Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel
- user home files
-
-Fixes:
-avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc"
-dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t
-tcontext=user_u:object_r:user_home_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/admin/usermanage.te | 2 ++
- policy/modules/system/userdomain.if | 18 ++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 98646b4b4..50c479498 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t)
-
- fs_search_auto_mountpoints(useradd_t)
- fs_getattr_xattr_fs(useradd_t)
-+fs_search_tmpfs(useradd_t)
-
- mls_file_upgrade(useradd_t)
-
-@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t)
- userdom_manage_user_home_content_dirs(useradd_t)
- userdom_manage_user_home_content_files(useradd_t)
- userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
-+userdom_relabel_user_home_content_files(useradd_t)
-
- optional_policy(`
- mta_manage_spool(useradd_t)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 22b3c1bf7..ec625170d 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
- dontaudit $1 user_home_t:file relabel_file_perms;
- ')
-
-+########################################
-+## <summary>
-+## Relabel user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_relabel_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabel_file_perms;
-+')
-+
- ########################################
- ## <summary>
- ## Read user home subdirectory symbolic links.
---
-2.17.1
-
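Review bot: this deletion also removes the `userdom_relabel_user_home_content_files` interface the patch added to `policy/modules/system/userdomain.if`, not only the `useradd_t` call sites in usermanage.te. Any other patch or local policy in the layer that calls `userdom_relabel_user_home_content_files()` will now fail at policy build time, so grep the layer for that name before merging, and state in the commit message whether the `relabelfrom` denial for `comm="useradd"` on `user_home_t` is now covered upstream.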
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
new file mode 100644
index 0000000..78c4dc8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
@@ -0,0 +1,36 @@
+From 51a7f8058fee569322c1a0597fccd36c318ad943 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Fri, 28 Oct 2022 11:56:09 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file
+ descriptors
+
+Root can not login via console without this.
+
+Fixes:
+avc: denied { use } for pid=323 comm="sh" path="/dev/tty1"
+dev="devtmpfs" ino=21 scontext=root:sysadm_r:sysadm_t
+tcontext=system_u:system_r:init_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index bb715a847..088c954f5 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -86,6 +86,8 @@ ifdef(`init_systemd',`
+ # LookupDynamicUserByUID on org.freedesktop.systemd1.
+ init_dbus_chat(sysadm_t)
+
++ init_use_fds(sysadm_t)
++
+ # Allow sysadm to get the status of and set properties of other users,
+ # sessions, and seats on the system.
+ systemd_dbus_chat_logind(sysadm_t)
+--
+2.25.1
+
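Review bot: `init_use_fds(sysadm_t)` is added inside the init_systemd ifdef block (the surrounding context is `init_dbus_chat(sysadm_t)` and `systemd_dbus_chat_logind(sysadm_t)`), so the fix applies to systemd builds only. The quoted denial (`comm="sh" path="/dev/tty1"` with `tcontext=system_u:system_r:init_t tclass=fd`) is a shell inheriting a tty descriptor opened by init, which is not obviously systemd-specific; either confirm in the commit message that sysvinit images do not hit it or move the call outside the ifdef. `Upstream-Status: Pending` is the right tag for a rule like this, so add the upstream submission reference once it is posted.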
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
new file mode 100644
index 0000000..85bb82b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,84 @@
+From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[277]: Failed to connect to bus: No medium found
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ policy/modules/system/systemd.if | 21 ++++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 088c954f5..92f50fd5a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
+
+ # Allow sysadm to follow logs in the journal, i.e. with podman logs -f
+ systemd_watch_journal_dirs(sysadm_t)
++
++ systemd_sysadm_user(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 9dc91fbb7..325ca548b 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -58,7 +58,7 @@ template(`systemd_role_template',`
+ allow $1_systemd_t self:process { getsched signal };
+ allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+ corecmd_shell_domtrans($1_systemd_t, $3)
+ corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+ ')
++
++#########################################
++## <summary>
++## sysadm user for systemd --user
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_sysadm_user',`
++ gen_require(`
++ type sysadm_systemd_t;
++ ')
++
++ allow sysadm_systemd_t self:capability { mknod sys_admin };
++ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++')
+--
+2.25.1
+
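Review bot: the new systemd_sysadm_user interface documents a "role" parameter in its XML block but its body never references $1; it only adds self:capability and self:capability2 rules to the hard-coded sysadm_systemd_t, so either remove the <param name="role"> block or make the interface take the role and use it (the earlier version of this patch, deleted elsewhere in this change, did use it in "allow $1 sysadm_systemd_t:system reload;"). Two further points on the rules themselves. "allow sysadm_systemd_t self:capability { mknod sys_admin };" is a lot to hand a per-user systemd instance: the Fixes block lists the mknod and sys_admin denials but not which systemd --user feature actually needs them, and if the user instance works without them the honest rule is a dontaudit; the same question applies to bpf and perfmon in capability2. And the noatsecure addition lands in systemd_role_template, so it applies to every role instantiated from the template and not only sysadm, with no matching AVC in the Fixes block; a sentence in the commit message explaining why it is needed would help.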
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
rename to recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
index 4cae8c6..c3b4b55 100644
--- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -1,4 +1,4 @@
-From 705008ba8ef960cf2e4813b4b8c5a87b919d545f Mon Sep 17 00:00:00 2001
+From ccdd22cc2776b695f96faffc88699aa2b182e085 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Sat, 15 Feb 2014 04:22:47 -0500
Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index e39ab41a8..3481f9294 100644
+index d028723ce..97f49e58e 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+@@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t)

mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
@@ -31,5 +31,5 @@ index e39ab41a8..3481f9294 100644
selinux_get_enforce_mode(mount_t)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
deleted file mode 100644
index ea8af31..0000000
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 25 Jan 2021 14:14:59 +0800
-Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
- failures
-
-* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
- files
-* Allow systemd_resolved_t to send and recevie messages from dhcpc over
- dbus
-
-Fixes:
-avc: denied { create } for pid=329 comm="systemd-resolve"
-name=".#stub-resolv.conf53cb7f9d1e3aa72b"
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
-permissive=0
-
-avc: denied { send_msg } for msgtype=method_call
-interface=org.freedesktop.resolve1.Manager member=RevertLink
-dest=org.freedesktop.resolve1 spid=340 tpid=345
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345
-tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 31d28a0e3..448905ff7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
-
- manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
-+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
-
-@@ -1236,6 +1237,7 @@ optional_policy(`
- dbus_system_bus_client(systemd_resolved_t)
- dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
- dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
-+ sysnet_dbus_chat_dhcpc(systemd_resolved_t)
- ')
-
- #########################################
---
-2.17.1
-
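Review bot: this deletes a patch marked "Upstream-Status: Inappropriate [embedded specific]" without the change saying what replaces it. It carried two rules, "manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)" and "sysnet_dbus_chat_dhcpc(systemd_resolved_t)", each tied to a denial in its Fixes block (the .#stub-resolv.conf lnk_file create, and the dbus send_msg in both directions between dhcpc_t and systemd_resolved_t). The commit message should record whether the refpolicy version now being used already contains equivalent rules or whether systemd-resolved was re-tested with dhcpcd and no longer hits these denials; if the patch was dropped only because it stopped applying cleanly, it needs a refresh instead of a removal.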
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
rename to recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
index 86317b3..d711612 100644
--- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -1,4 +1,4 @@
-From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001
+From 64498d6cd30a0a65a24e3e7ab22cca5921c2db89 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Mon, 28 Jan 2019 14:05:18 +0800
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
@@ -7,7 +7,7 @@ The two new rules make sysadm_t domain MLS trusted for:
- reading from files at all levels.
- writing to processes up to its clearance(s0-s15).

-With default MLS policy, root user would login in as sysadm_t:s0 by
+With default MLS policy, root user would login as sysadm_t:s0 by
default. Most processes will run in sysadm_t:s0 because no
domtrans/rangetrans rules, as a result, even root could not access
high level files/processes.
@@ -23,10 +23,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e1933a5bd..0682ed31a 100644
+index 92f50fd5a..8c154d474 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t)
+@@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t)
logging_watch_audit_log(sysadm_t)

mls_process_read_all_levels(sysadm_t)
@@ -36,5 +36,5 @@ index e1933a5bd..0682ed31a 100644
selinux_read_policy(sysadm_t)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
deleted file mode 100644
index 91588f1..0000000
--- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 28 Sep 2021 10:03:04 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
- attributes of tmpfs and cgroups
-
-Fixes:
-avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
-tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 448905ff7..847895e63 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
-
- files_search_var_lib(systemd_backlight_t)
-
-+fs_getattr_tmpfs(systemd_backlight_t)
-+fs_search_cgroup_dirs(systemd_backlight_t)
-+fs_getattr_cgroup(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
-@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
- fs_list_efivars(systemd_generator_t)
- fs_getattr_cgroup(systemd_generator_t)
- fs_getattr_xattr_fs(systemd_generator_t)
-+fs_getattr_tmpfs(systemd_generator_t)
-
- init_create_runtime_files(systemd_generator_t)
- init_manage_runtime_dirs(systemd_generator_t)
-@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
- # Allow reading /run/udev/data/+dmi:id
- udev_read_runtime_files(systemd_hostnamed_t)
-
-+fs_getattr_tmpfs(systemd_hostnamed_t)
-+fs_search_cgroup_dirs(systemd_hostnamed_t)
-+fs_getattr_cgroup(systemd_hostnamed_t)
-+
- optional_policy(`
- dbus_connect_system_bus(systemd_hostnamed_t)
- dbus_system_bus_client(systemd_hostnamed_t)
-@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
- files_mmap_read_kernel_modules(systemd_modules_load_t)
- files_read_etc_files(systemd_modules_load_t)
-
-+fs_getattr_tmpfs(systemd_modules_load_t)
-+fs_search_cgroup_dirs(systemd_modules_load_t)
-+fs_getattr_cgroup(systemd_modules_load_t)
-+
- modutils_read_module_config(systemd_modules_load_t)
- modutils_read_module_deps(systemd_modules_load_t)
-
-@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
- files_watch_root_dirs(systemd_networkd_t)
- files_list_runtime(systemd_networkd_t)
- fs_getattr_xattr_fs(systemd_networkd_t)
-+fs_getattr_tmpfs(systemd_networkd_t)
- fs_getattr_cgroup(systemd_networkd_t)
- fs_search_cgroup_dirs(systemd_networkd_t)
- fs_read_nsfs_files(systemd_networkd_t)
-@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
-
- systemd_log_parse_environment(systemd_rfkill_t)
-
-+fs_getattr_tmpfs(systemd_rfkill_t)
-+fs_search_cgroup_dirs(systemd_rfkill_t)
-+fs_getattr_cgroup(systemd_rfkill_t)
-+
- #########################################
- #
- # Resolved local policy
-@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
- files_watch_root_dirs(systemd_resolved_t)
- files_watch_runtime_dirs(systemd_resolved_t)
- files_list_runtime(systemd_resolved_t)
-+fs_getattr_tmpfs(systemd_resolved_t)
-+fs_search_cgroup_dirs(systemd_resolved_t)
-+fs_getattr_cgroup(systemd_resolved_t)
-
- init_dgram_send(systemd_resolved_t)
-
-@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
-
- systemd_log_parse_environment(systemd_sessions_t)
-
-+fs_getattr_tmpfs(systemd_sessions_t)
-+fs_search_cgroup_dirs(systemd_sessions_t)
-+fs_getattr_cgroup(systemd_sessions_t)
-+
- ########################################
- #
- # sysctl local policy
-@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
- kernel_dontaudit_getattr_proc(systemd_sysctl_t)
-
- files_read_etc_files(systemd_sysctl_t)
-+fs_getattr_tmpfs(systemd_sysctl_t)
-+fs_search_cgroup_dirs(systemd_sysctl_t)
-+fs_getattr_cgroup(systemd_sysctl_t)
-
- systemd_log_parse_environment(systemd_sysctl_t)
-
-@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
- fs_getattr_xattr_fs(systemd_tmpfiles_t)
- fs_list_tmpfs(systemd_tmpfiles_t)
- fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_search_cgroup_dirs(systemd_tmpfiles_t)
-+fs_getattr_cgroup(systemd_tmpfiles_t)
-
- selinux_get_fs_mount(systemd_tmpfiles_t)
- selinux_use_status_page(systemd_tmpfiles_t)
-@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
- files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
- files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
-
-+fs_getattr_tmpfs(systemd_update_done_t)
-+fs_search_cgroup_dirs(systemd_update_done_t)
-+fs_getattr_cgroup(systemd_update_done_t)
-+
- kernel_read_kernel_sysctls(systemd_update_done_t)
-
- selinux_use_status_page(systemd_update_done_t)
-@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
- fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
- fs_read_cgroup_files(systemd_user_runtime_dir_t)
- fs_getattr_cgroup(systemd_user_runtime_dir_t)
-+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
-
- kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
- kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
---
-2.17.1
-
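Review bot: removing this patch drops some combination of fs_getattr_tmpfs, fs_search_cgroup_dirs and fs_getattr_cgroup across a dozen systemd_*_t domains (backlight, generator, hostnamed, modules_load, networkd, rfkill, resolved, sessions, sysctl, tmpfiles, update_done, user_runtime_dir) in one go, and the change does not explain it. The denials in its Fixes block are getattr on tmpfs_t:filesystem and search on cgroup_t:dir, the kind that do not stop a service but keep the audit log noisy at every boot, so a smoke test that only checks services are up will not notice them coming back. Please state in the commit message whether upstream refpolicy now grants these (the index line here, 448905ff7..847895e63, is still the old base) or whether a boot on the new base was checked for these AVCs; if the patch simply no longer applied, refresh it rather than delete it.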
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
rename to recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
index f659e7e..d22dacf 100644
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -1,4 +1,4 @@
-From 18ad027229a06fdcb833482dff0c2ae637d08e78 Mon Sep 17 00:00:00 2001
+From e82c43e60ef52ba00e8f2af5b46b2a6d49331209 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
2 files changed, 7 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index ca951cb44..a32c59eb1 100644
+index 5124ae016..a40db8507 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
+@@ -368,6 +368,8 @@ mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -28,7 +28,7 @@ index ca951cb44..a32c59eb1 100644
ifdef(`distro_redhat',`
# Bugzilla 222337
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index e1eb7d5fc..da0994749 100644
+index 2a712192b..923e48db7 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)
@@ -36,7 +36,7 @@ index e1eb7d5fc..da0994749 100644
miscfiles_read_localization(rpcbind_t)

+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
++# because they are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
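Review bot: the wording fix in this hunk only turns "the are" into "they are" and leaves the comment as "running in different level", which still does not parse; since the line is being rewritten anyway, "because they are running at different MLS levels" would be the complete fix and would also say what kind of level is meant.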
@@ -44,5 +44,5 @@ index e1eb7d5fc..da0994749 100644
term_dontaudit_use_unallocated_ttys(rpcbind_t)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
deleted file mode 100644
index 2232d48..0000000
--- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From dc2c9c91219311f6c4d985169dff6c5931a465d7 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Thu, 4 Feb 2016 02:10:15 -0500
-Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for
- systemd
-
-Fixes:
-syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/syslog: Permission denied
-syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied
-syslogd[243]: Error opening log file: /var/log/messages: Permission denied
-
-avc: denied { search } for pid=243 comm="syslogd" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-avc: denied { write } for pid=162 comm="systemd-journal"
-name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/logging.te | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index cc530a2be..5b4b5ec5d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t)
-
- # manage runtime files
- allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
--allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
-+allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write };
- allow syslogd_t syslogd_runtime_t:file map;
- manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
- files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
-@@ -495,6 +495,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_tmpfs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
---
-2.17.1
-
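Review bot: deleting this patch reverts two syslogd_t rules: the added "write" on syslogd_runtime_t:sock_file and fs_search_tmpfs(syslogd_t). Its Fixes block ties both to concrete breakage, syslogd failing to open the listed /var/log files with "Permission denied" and systemd-journal (running as syslogd_t) being denied write on the "syslog" sock_file. The change does not say whether upstream logging.te now carries these rules or whether syslog was verified to start cleanly on the new base, and the patch's own "Upstream-Status: Inappropriate [embedded specific]" means it was never expected to land upstream, so please add that justification to the commit message or keep the patch.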
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
similarity index 90%
rename from recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
rename to recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
index ace056a..30c84f6 100644
--- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -1,4 +1,4 @@
-From b41a910654f5c5fe198b1695df18b6f6a1af7904 Mon Sep 17 00:00:00 2001
+From 9343914c0486b5aa6ff7cceeb8f6c399115e5fb3 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 30 Jun 2020 10:18:20 +0800
Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index f3421fdbb..d87ee5583 100644
+index f1da315a9..89478c38e 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t)
@@ -32,5 +32,5 @@ index f3421fdbb..d87ee5583 100644
seutil_sigchld_newrole(dmesg_t)
')
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
deleted file mode 100644
index 108f62f..0000000
--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
-
-Fixes:
-systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
-$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
---user to connect to bus of other user)
-
-avc: denied { connectto } for pid=293 comm="login"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
-dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for pid=293 comm="login"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { connectto } for pid=244 comm="systemd-logind"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for pid=244 comm="systemd-logind"
-name="io.systemd.DropIn" dev="tmpfs" ino=44
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for pid=244 comm="systemd-logind"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { mknod } for pid=297 comm="systemd" capability=27
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { setrlimit } for pid=297 comm="systemd"
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
-
-avc: denied { bpf } for pid=297 comm="systemd" capability=39
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { perfmon } for pid=297 comm="systemd" capability=38
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
-ino=173 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:etc_t tclass=dir permissive=0
-
-avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
-ino=2 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
-
-avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
-ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te | 2 ++
- policy/modules/system/init.if | 1 +
- policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
- 3 files changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 46d3e2f0b..e1933a5bd 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
- # Allow sysadm to query and set networking settings on the system.
- systemd_dbus_chat_networkd(sysadm_t)
- fs_read_nsfs_files(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
- ')
-
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 0171ee299..8ca29f654 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
- ')
-
- allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
- ')
-
- ########################################
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 38adf050c..5c44d8d8a 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -57,7 +57,7 @@ template(`systemd_role_template',`
- allow $1_systemd_t self:process { getsched signal };
- allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
- corecmd_shell_domtrans($1_systemd_t, $3)
- corecmd_bin_domtrans($1_systemd_t, $3)
-
-@@ -88,8 +88,11 @@ template(`systemd_role_template',`
-
- fs_manage_cgroup_files($1_systemd_t)
- fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+ fs_getattr_xattr_fs($1_systemd_t)
-
- kernel_dontaudit_getattr_proc($1_systemd_t)
-+ kernel_read_network_state($1_systemd_t)
-
- selinux_use_status_page($1_systemd_t)
-
-@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
- init_search_runtime($1)
- allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
- allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
- init_unix_stream_socket_connectto($1)
- ')
-
-@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
- allow $1 systemd_machined_t:fd use;
- allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+## <summary>
-+## sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow sysadm_systemd_t self:process setrlimit;
-+ allow $1 sysadm_systemd_t:system reload;
-+')
---
-2.17.1
-
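Review bot: this is the earlier version of the "systemd --user fixes" patch that the same change re-adds as 0038, and the two differ in substance, not just in rebase noise. The re-added version keeps only the capability and capability2 rules on sysadm_systemd_t; it drops the initrc_t connectto added to init_unix_stream_socket_connectto, the lnk_file read on systemd_userdb_runtime_t in systemd_stream_connect_userdb, files_watch_etc_dirs, fs_getattr_xattr_fs and kernel_read_network_state in systemd_role_template, "allow sysadm_systemd_t self:process setrlimit;" and "allow $1 sysadm_systemd_t:system reload;". All but the last map directly to denials in this file's Fixes block (connectto to initrc_t from login and systemd-logind, read of io.systemd.DropIn and io.systemd.NameServiceSwitch, watch on etc_t, getattr on fs_t, read of proc_net_t, setrlimit), so the commit message should state which of them are now covered by upstream refpolicy and which were re-tested, and why the system:reload rule is no longer wanted; otherwise the "Failed to connect to bus" failure this patch fixed can quietly return.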
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 94%
rename from recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 8b9f98c..932047a 100644
--- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001
+From 057e4e6a6e2e87edcd6a93dd533620700b00b1c2 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Fri, 13 Oct 2017 07:20:40 +0000
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index a32c59eb1..1c53754ee 100644
+index a40db8507..40cd52825 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t)
+@@ -370,6 +370,8 @@ mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
mls_socket_write_all_levels(kernel_t)
mls_fd_use_all_levels(kernel_t)
@@ -72,5 +72,5 @@ index a32c59eb1..1c53754ee 100644
ifdef(`distro_redhat',`
# Bugzilla 222337
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
deleted file mode 100644
index 504e028..0000000
--- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 24 Sep 2020 14:05:52 +0800
-Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
- separation for dhcpcd
-
-Fixes:
-
-avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { setrlimit } for pid=332 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
-permissive=0
-
-avc: denied { create } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { setopt } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { bind } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { getattr } for pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
-ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { open } for pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { getattr } for pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc: denied { connectto } for pid=1600 comm="dhcpcd"
-path="/run/dhcpcd/unpriv.sock"
-scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=unix_stream_socket permissive=0
-
-avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc: denied { getattr } for pid=300 comm="dhcpcd"
-path="net:[4026532008]" dev="nsfs" ino=4026532008
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.te | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 4c317cc4c..05a9a52b8 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
- # DHCP client local policy
- #
- allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
-+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
- dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
--allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
-+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
-
- allow dhcpc_t self:fifo_file rw_fifo_file_perms;
- allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
- allow dhcpc_t self:packet_socket create_socket_perms;
- allow dhcpc_t self:netlink_generic_socket create_socket_perms;
- allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
-+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow dhcpc_t self:rawip_socket create_socket_perms;
- allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow dhcpc_t self:unix_stream_socket connectto;
-
- allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
- read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
- fs_getattr_all_fs(dhcpc_t)
- fs_search_auto_mountpoints(dhcpc_t)
- fs_search_cgroup_dirs(dhcpc_t)
-+fs_read_nsfs_files(dhcpc_t)
-
- term_dontaudit_use_all_ttys(dhcpc_t)
- term_dontaudit_use_all_ptys(dhcpc_t)
-@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
- init_stream_connect(dhcpc_t)
- init_get_all_units_status(dhcpc_t)
- init_search_units(dhcpc_t)
-+ udev_read_runtime_files(dhcpc_t)
- ')
-
- optional_policy(`
---
-2.17.1
-
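Review bot: the removal of 0043-policy-modules-system-sysnetwork-support-priviledge-.patch is not explained by its own header, which still reads `Upstream-Status: Inappropriate [embedded specific]`, so it cannot simply have been merged upstream, and nothing else in this diff re-adds `allow dhcpc_t self:capability { setgid setuid sys_chroot kill };`, `allow dhcpc_t self:unix_stream_socket connectto;` or `fs_read_nsfs_files(dhcpc_t)`. Either the status label was wrong and the new refpolicy now carries equivalent rules, in which case the commit message should name the upstream commit that supersedes this patch, or the rules are still missing and the denials quoted in the dropped description (sys_chroot, setuid, setgid, setrlimit, netlink_kobject_uevent_socket, connectto on /run/dhcpcd/unpriv.sock) will return in enforcing mode. Please state which case applies and confirm dhcpcd with privilege separation was exercised on the rebased policy.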
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 89%
rename from recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index b4da47d..9e52b7f 100644
--- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From 7bcc117ea39532427df297299c10ca1d2948a70c Mon Sep 17 00:00:00 2001
+From c47e288e8950e7e92e3c90972ca7ef8ef9fc6a7f Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Fri, 15 Jan 2016 03:47:05 -0500
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 932d1f7b3..36becaa6e 100644
+index 97a75cf86..fee846cb5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t)
+@@ -229,6 +229,10 @@ mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)

@@ -42,5 +42,5 @@ index 932d1f7b3..36becaa6e 100644
# otherwise the call fails and sysvinit tries to load the policy
# again when using the initramfs
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
deleted file mode 100644
index 2f94974..0000000
--- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8343ff97a265836ba1e1e2f4159f888c21e5cabe Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 9 Feb 2021 17:31:55 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys
-
-Fixes:
-kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
-
-avc: denied { write } for pid=219 comm="modprobe"
-scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
-tclass=key permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/modutils.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 5b4f0aca1..008f286a8 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms;
- allow kmod_t self:rawip_socket create_socket_perms;
-
- allow kmod_t self:lockdown confidentiality;
-+allow kmod_t self:key write;
-
- # Read module config and dependency information
- list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
---
-2.17.1
-
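Review bot: deleting 0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch drops `allow kmod_t self:key write;` without any replacement visible in this diff, and the patch is labelled `Upstream-Status: Inappropriate [embedded specific]`, which means upstream was never expected to take it. If the upgraded refpolicy grants kmod_t key write through some other interface, cite it in the commit message; otherwise the `kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)` failure and the `tclass=key` denial for modprobe quoted in the dropped patch will reappear at module load time.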
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
rename to recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
index 4b768e0..1bfbb16 100644
--- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -1,4 +1,4 @@
-From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001
+From afd35f6c73551c674e5bfe7cc1832b6a0ea717a6 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 4 Feb 2016 06:03:19 -0500
Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 1a83148c1..736107fad 100644
+index 4a1e06640..b44b9b2d7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+@@ -1694,6 +1694,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)

systemd_log_parse_environment(systemd_tmpfiles_t)

@@ -59,5 +59,5 @@ index 1a83148c1..736107fad 100644
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
similarity index 82%
rename from recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
rename to recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
index 60f7dae..800439c 100644
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -1,4 +1,4 @@
-From 71986d0c6775408a1c89415dd5d4e7ea03302248 Mon Sep 17 00:00:00 2001
+From 8aa70c13d63e093bff87ea938d35dcc76e5bdd56 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Thu, 18 Jun 2020 09:59:58 +0800
Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
@@ -43,12 +43,12 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 12 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 736107fad..8cea6baa1 100644
+index b44b9b2d7..7b717d3ba 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -341,6 +341,9 @@ fs_getattr_tmpfs(systemd_backlight_t)
+@@ -373,6 +373,9 @@ files_search_var_lib(systemd_backlight_t)
+ fs_getattr_all_fs(systemd_backlight_t)
fs_search_cgroup_dirs(systemd_backlight_t)
- fs_getattr_cgroup(systemd_backlight_t)

+mls_file_read_to_clearance(systemd_backlight_t)
+mls_file_write_to_clearance(systemd_backlight_t)
@@ -56,9 +56,9 @@ index 736107fad..8cea6baa1 100644
#######################################
#
# Binfmt local policy
-@@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+@@ -528,6 +531,9 @@ term_use_unallocated_ttys(systemd_generator_t)

- udev_search_runtime(systemd_generator_t)
+ udev_read_runtime_files(systemd_generator_t)

+mls_file_read_to_clearance(systemd_generator_t)
+mls_file_write_to_clearance(systemd_generator_t)
@@ -66,19 +66,19 @@ index 736107fad..8cea6baa1 100644
ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
')
-@@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+@@ -922,6 +928,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
domain_read_all_domains_state(systemd_logind_t)

-+mls_file_read_to_clearance(systemd_logind_t)
-+mls_file_write_to_clearance(systemd_logind_t)
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
+
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
-@@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t)
- fs_search_cgroup_dirs(systemd_rfkill_t)
- fs_getattr_cgroup(systemd_rfkill_t)
+@@ -1412,6 +1421,9 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+ systemd_log_parse_environment(systemd_rfkill_t)

+mls_file_read_to_clearance(systemd_rfkill_t)
+mls_file_write_to_clearance(systemd_rfkill_t)
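Review bot: the switch from `mls_file_read_to_clearance`/`mls_file_write_to_clearance` to `+mls_file_read_all_levels(systemd_logind_t)` / `+mls_file_write_all_levels(systemd_logind_t)` is a privilege widening hidden inside an otherwise mechanical rebase and needs its own justification in the commit message. The `_to_clearance` interfaces bound systemd-logind to files within its own clearance, while `_all_levels` lets it read and write files at every MLS level regardless of its range; if the motivation is the /run/user/$UID labelling problem described in the comment that follows this hunk, say so explicitly and state why a wider logind range or `mls_file_upgrade`/`mls_file_downgrade` would not be the narrower grant. Consider moving this change into a separate patch file so the surrounding hash and line-offset refreshes stay purely mechanical.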
@@ -87,5 +87,5 @@ index 736107fad..8cea6baa1 100644
#
# Resolved local policy
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
similarity index 78%
rename from recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
rename to recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
index 75be11d..cb3894c 100644
--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -1,4 +1,4 @@
-From 511f7fdad45a150f7ea3666eb51463573eabab0a Mon Sep 17 00:00:00 2001
+From 2afa5753f2ef8c7cee5ad0511c521d252bedf3e5 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@...>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
@@ -14,18 +14,17 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
Signed-off-by: Joe MacDonald <joe_macdonald@...>
Signed-off-by: Yi Zhao <yi.zhao@...>
---
- policy/modules/system/logging.te | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 5b4b5ec5d..e67c25a9e 100644
+index d3b06db7d..f63965d4d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t)
- fs_search_tmpfs(syslogd_t)
+@@ -505,6 +505,9 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)

mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_file_read_all_levels(syslogd_t)
+mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+mls_fd_use_all_levels(syslogd_t)
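Review bot: dropping `+mls_file_read_all_levels(syslogd_t)` from the logging patch (the stat line goes from 4 insertions to 3) is a functional change, and the hunk does not show whether the rebased logging.te already grants it. If upstream now provides the rule, reference the upstream commit in the message; if it does not, syslogd keeps `mls_file_write_all_levels(syslogd_t)` but loses read access to files above its own level, which can break reading higher-level state or configuration under MLS. Please confirm which case applies.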
@@ -33,5 +32,5 @@ index 5b4b5ec5d..e67c25a9e 100644
term_write_console(syslogd_t)
# Allow syslog to a terminal
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 85%
rename from recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index 5c01ef4..16f0e4e 100644
--- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From 3f875fae6d9a4538b3e7d33f30dd2a98fc9ea2bd Mon Sep 17 00:00:00 2001
+From f87bb3cb0843af69f9aecaef0a4052e04b15a630 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Tue, 28 May 2019 16:41:37 +0800
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 36becaa6e..9c0a98eb7 100644
+index fee846cb5..df7f87f17 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t)
+@@ -228,6 +228,7 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
mls_process_set_level(init_t)
@@ -29,5 +29,5 @@ index 36becaa6e..9c0a98eb7 100644
# MLS trusted for lowering/raising the level of files
mls_file_downgrade(init_t)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
rename to recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
index d3ddcd2..fb56eca 100644
--- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -1,4 +1,4 @@
-From a59dae035b7d5063e0f25c4cf40b5b180ad69022 Mon Sep 17 00:00:00 2001
+From f3c0f18b647631fd2ffc1e86c9e3f51cbf74d60f Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Wed, 3 Feb 2016 04:16:06 -0500
Subject: [PATCH] policy/modules/system/init: all init_t to read any level
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 9c0a98eb7..5a19f0e43 100644
+index df7f87f17..671b5aef3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t)
+@@ -234,6 +234,9 @@ mls_key_write_all_levels(init_t)
mls_file_downgrade(init_t)
mls_file_upgrade(init_t)

@@ -36,5 +36,5 @@ index 9c0a98eb7..5a19f0e43 100644
# otherwise the call fails and sysvinit tries to load the policy
# again when using the initramfs
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
similarity index 87%
rename from recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
rename to recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
index 47328be..aa02eb1 100644
--- a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -1,4 +1,4 @@
-From 96437ba860d352304246fbe3381030da0665f239 Mon Sep 17 00:00:00 2001
+From cb7a4ff6081f19d05b109512275ec9a537f2f6d2 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@...>
Date: Thu, 25 Feb 2016 04:25:08 -0500
Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e67c25a9e..f8d8b73f0 100644
+index f63965d4d..7e41596f4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t)
+@@ -223,6 +223,8 @@ miscfiles_read_localization(auditd_t)

mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -35,5 +35,5 @@ index e67c25a9e..f8d8b73f0 100644
seutil_dontaudit_read_config(auditd_t)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index ad92c7f..16bdf84 100644
--- a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 102255e89863c5a31d0d6c8df67b258d819b9a68 Mon Sep 17 00:00:00 2001
+From 023e7b92a805103c54aec06bbd9465e4fbf7a6f2 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Thu, 31 Oct 2019 17:35:59 +0800
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 1c53754ee..2031576e0 100644
+index 40cd52825..d08610543 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t)
+@@ -372,6 +372,7 @@ mls_socket_write_all_levels(kernel_t)
mls_fd_use_all_levels(kernel_t)
# https://bugzilla.redhat.com/show_bug.cgi?id=667370
mls_file_downgrade(kernel_t)
@@ -27,5 +27,5 @@ index 1c53754ee..2031576e0 100644
ifdef(`distro_redhat',`
# Bugzilla 222337
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
rename to recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
index 96d0588..b916084 100644
--- a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -1,4 +1,4 @@
-From 5fa9e03a3b90f97e573a7724cd9d49b53730d083 Mon Sep 17 00:00:00 2001
+From 55fe90eba640e6d52bb269176f45a3a5e2c3ed80 Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@...>
Date: Sat, 22 Feb 2014 13:35:38 +0800
Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
@@ -13,10 +13,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 25aadfc5f..564e2d4d1 100644
+index 12e66aad9..5510f7fac 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
-@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t)
+@@ -69,6 +69,8 @@ mls_net_receive_all_levels(setrans_t)
mls_socket_write_all_levels(setrans_t)
mls_process_read_all_levels(setrans_t)
mls_socket_read_all_levels(setrans_t)
@@ -26,5 +26,5 @@ index 25aadfc5f..564e2d4d1 100644
selinux_compute_access_vector(setrans_t)

--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
rename to recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
index 8bfe607..c4dc87b 100644
--- a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -1,4 +1,4 @@
-From fe70aaf9a104b4b0c3439d2767eccb0136951f08 Mon Sep 17 00:00:00 2001
+From c9afe0dc30f51f7ad7b93b8878c88df1146272a0 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Mon, 22 Feb 2021 11:28:12 +0800
Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
@@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 5c44d8d8a..5f2038f22 100644
+index 325ca548b..b23b9bb0a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -171,6 +171,9 @@ template(`systemd_role_template',`
+@@ -196,6 +196,9 @@ template(`systemd_role_template',`
xdg_read_config_files($1_systemd_t)
xdg_read_data_files($1_systemd_t)
')
@@ -38,5 +38,5 @@ index 5c44d8d8a..5f2038f22 100644

######################################
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch
rename to recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
index 7bdc9d6..ab87039 100644
--- a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -1,4 +1,4 @@
-From f8a12b28b70689ab520e7ae94d306afe9dcbb556 Mon Sep 17 00:00:00 2001
+From 7a65c9f3636b43f3a29349ea1c045d5281efa5aa Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@...>
Date: Sat, 18 Dec 2021 17:31:45 +0800
Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
@@ -23,7 +23,7 @@ dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
permissive=0

-Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@...>
---
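Review bot: changing `-Upstream-Status: Pending` to `+Upstream-Status: Inappropriate [embedded specific]` on the syslogd_runtime_t patch is a classification decision unrelated to the refpolicy version refresh and deserves a sentence in the commit message. The rule `mls_trusted_object(syslogd_runtime_t)` addresses the quoted denial for `rpcd_t:s0-s15:c0.c1023` on a `syslogd_var_run_t:s15:c0.c1023` directory, which is a generic MLS labelling issue rather than something specific to embedded targets, so either submit it upstream and keep Pending, or record why upstream declined it.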
@@ -31,18 +31,18 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index f8d8b73f0..badf56f16 100644
+index 7e41596f4..0c25457d6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -438,6 +438,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+@@ -447,6 +447,8 @@ allow syslogd_t syslogd_runtime_t:file map;
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)

+mls_trusted_object(syslogd_runtime_t)
+
- kernel_read_crypto_sysctls(syslogd_t)
kernel_read_system_state(syslogd_t)
kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
--
-2.17.1
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch b/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
deleted file mode 100644
index e0db7d3..0000000
--- a/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 52a4222397f5d3b28ca15a45bb2ace209a4afc3e Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 31 Mar 2022 13:09:10 -0400
-Subject: [PATCH] systemd: systemd-resolved is linked to libselinux
-
-systemd-resolved as of systemd 250 fails to start with this error:
-
-Failed to initialize SELinux labeling handle: No such file or directory
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/3a22db2410de479e5baa88f3f668a7a4ac198950]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 8cea6baa1..beb301cc6 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1261,6 +1261,7 @@ fs_getattr_cgroup(systemd_resolved_t)
-
- init_dgram_send(systemd_resolved_t)
-
-+seutil_libselinux_linked(systemd_resolved_t)
- seutil_read_file_contexts(systemd_resolved_t)
-
- systemd_log_parse_environment(systemd_resolved_t)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch b/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
deleted file mode 100644
index 63da7cd..0000000
--- a/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1ba0911e157c64ea15636c5707f38f1bdc9a46c8 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Wed, 27 Apr 2022 01:09:52 -0400
-Subject: [PATCH] sysnetwork, systemd: allow DNS resolution over
- io.systemd.Resolve
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/1a0acc9c0d8c7c49ad4ca2cabd44bc66450f45e0]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.if | 1 +
- policy/modules/system/systemd.if | 21 +++++++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8664a67c8..140d48508 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -844,6 +844,7 @@ interface(`sysnet_dns_name_resolve',`
- ifdef(`init_systemd',`
- optional_policy(`
- systemd_dbus_chat_resolved($1)
-+ systemd_stream_connect_resolved($1)
- ')
- # This seems needed when the mymachines NSS module is used
- optional_policy(`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 5f2038f22..9143fb4c0 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -1835,6 +1835,27 @@ interface(`systemd_tmpfilesd_managed',`
- ')
- ')
-
-+#######################################
-+## <summary>
-+## Connect to systemd resolved over
-+## /run/systemd/resolve/io.systemd.Resolve .
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_stream_connect_resolved',`
-+ gen_require(`
-+ type systemd_resolved_t;
-+ type systemd_resolved_runtime_t;
-+ ')
-+
-+ files_search_runtime($1)
-+ stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t)
-+')
-+
- ########################################
- ## <summary>
- ## Send and receive messages from
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch b/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
deleted file mode 100644
index 88f070d..0000000
--- a/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 50670946f04257cc2110facbc61884e2cf0d8327 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Fri, 6 May 2022 21:16:29 -0400
-Subject: [PATCH] term, init: allow systemd to watch and watch reads on
- unallocated ttys
-
-As of systemd 250, systemd needs to be able to add a watch on and watch
-reads on unallocated ttys in order to start getty.
-
-systemd[55548]: getty@...: Failed to set up standard input: Permission denied
-systemd[55548]: getty@...: Failed at step STDIN spawning /sbin/agetty: Permission denied
-
-time->Fri May 6 21:17:58 2022
-type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
-type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(1651886278.452:1770): cwd="/"
-type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(1651886278.452:1770): avc: denied { watch watch_reads } for pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/308ab9f69a4623f5dace8da151e70c6316f055a8]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/kernel/terminal.if | 38 +++++++++++++++++++++++++++++++
- policy/modules/system/init.te | 2 ++
- 2 files changed, 40 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e8c0735eb..6e9f654ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -1287,6 +1287,44 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
-
-+########################################
-+## <summary>
-+## Watch unallocated ttys.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`term_watch_unallocated_ttys',`
-+ gen_require(`
-+ type tty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 tty_device_t:chr_file watch;
-+')
-+
-+########################################
-+## <summary>
-+## Watch reads on unallocated ttys.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`term_watch_reads_unallocated_ttys',`
-+ gen_require(`
-+ type tty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 tty_device_t:chr_file watch_reads;
-+')
-+
- ########################################
- ## <summary>
- ## Get the attributes of all tty device nodes.
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5a19f0e43..24cef0924 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -518,6 +518,8 @@ ifdef(`init_systemd',`
- term_create_devpts_dirs(init_t)
- term_create_ptmx(init_t)
- term_create_controlling_term(init_t)
-+ term_watch_unallocated_ttys(init_t)
-+ term_watch_reads_unallocated_ttys(init_t)
-
- # udevd is a "systemd kobject uevent socket activated daemon"
- udev_create_kobject_uevent_sockets(init_t)
---
-2.25.1
-
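Review bot: dropping this patch relies on the new refpolicy revision providing `term_watch_unallocated_ttys` and `term_watch_reads_unallocated_ttys` and calling them for `init_t`; if it does not, systemd 250 and later regresses with the `watch watch_reads` AVC quoted in the removed commit message and getty fails to start. The Upstream-Status line names commit 308ab9f69a4623f5dace8da151e70c6316f055a8, so a one-line statement in the commit message that this commit is reachable from the new SRCREV would make the drop reviewable without fetching refpolicy; the same applies to the other Upstream-Status: Backport patches removed below.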
diff --git a/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
deleted file mode 100644
index 1029490..0000000
--- a/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6f8a8ecd8bafd6e8a3515b53db2a2982a02ff254 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 31 Mar 2022 13:22:37 -0400
-Subject: [PATCH] systemd: add file transition for systemd-networkd runtime
-
-systemd-networkd creates the /run/systemd/network directory which should
-be labeled appropriately.
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/663b62f27cb12c22f056eba9326cf3f7f78d8a9e]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index beb301cc6..654c6a42a 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -917,6 +917,7 @@ auth_use_nsswitch(systemd_networkd_t)
-
- init_dgram_send(systemd_networkd_t)
- init_read_state(systemd_networkd_t)
-+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
-
- logging_send_syslog_msg(systemd_networkd_t)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch b/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
deleted file mode 100644
index f84eb4a..0000000
--- a/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 2e3f371b59bee343c42e4c69495df0f3719b6e24 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Sat, 2 Apr 2022 15:44:01 -0400
-Subject: [PATCH] systemd: add missing file context for /run/systemd/network
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/f2fe1ae15485da7b6269b7d0d7dbed9a834f1876]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-index 34db8c034..d21914227 100644
---- a/policy/modules/system/systemd.fc
-+++ b/policy/modules/system/systemd.fc
-@@ -85,6 +85,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
-
- /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
- /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
-+/run/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
- /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
- /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
- /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch b/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
deleted file mode 100644
index 0aaf096..0000000
--- a/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 143d339b2e6611c56cd0210279757ebee9632731 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 19 May 2022 11:42:51 -0400
-Subject: [PATCH] systemd: add file contexts for systemd-network-generator
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/73adba0a39b7409bc4bbfa0e962108c2b1e5f2a5]
-
-Thanks-To: Zhao Yi
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-index d21914227..1a35bd65c 100644
---- a/policy/modules/system/systemd.fc
-+++ b/policy/modules/system/systemd.fc
-@@ -35,6 +35,7 @@
- /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
- /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
- /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
-+/usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
- /usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
- /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
- /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
-@@ -60,6 +61,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
- /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
- /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
- /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
-+/usr/lib/systemd/system/systemd-network-generator.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
- /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
- /usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
deleted file mode 100644
index 259863c..0000000
--- a/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6508bc8a3440525384fcfcd8ad55a4cd5c79b912 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 19 May 2022 11:43:44 -0400
-Subject: [PATCH] systemd, udev: allow udev to read systemd-networkd runtime
-
-udev searches for .link files and applies custom udev rules to devices
-as they come up.
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/998ef975f38c70d57e7220b88ae5e62c88ebb770]
-
-Thanks-To: Zhao Yi
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/udev.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 4c5a690fb..8e243c0f2 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -270,6 +270,8 @@ ifdef(`init_systemd',`
- systemd_read_hwdb(udev_t)
- systemd_read_logind_sessions_files(udev_t)
- systemd_read_logind_runtime_files(udev_t)
-+ # udev searches for .link files and applies custom udev rules
-+ systemd_read_networkd_runtime(udev_t)
-
- optional_policy(`
- init_dbus_chat(udev_t)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch b/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch
deleted file mode 100644
index 6535a4b..0000000
--- a/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3e3ec39659ae068d20efbb5f13054d90960c3c3f Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 19 May 2022 16:51:49 +0800
-Subject: [PATCH] fc/fstools: apply policy to findfs alternative
-
-Add file context for findfs alternative which is provided by util-linux.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/fstools.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index bef711850..91be0ef3d 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -77,6 +77,7 @@
- /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
---
-2.25.1
-
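Review bot: unlike the preceding deletions this patch is marked `Upstream-Status: Inappropriate [embedded specific]`, not Backport, so upstream refpolicy will not carry the `/usr/sbin/findfs\.util-linux` file context it adds, and after this series that alternative is no longer labelled `fsadm_exec_t` unless the rule moved elsewhere. The diffstat shows `...fc-fstools-fix-real-path-for-fstools.patch | 17 +-` being rebased; if the findfs rule was folded into that patch the commit message should say so, otherwise this looks like a functional regression rather than an "obsolete" patch.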
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index bb0c0dd..a51312f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,10 +7,10 @@ PROVIDES = "virtual/refpolicy"
RPROVIDES:${PN} = "refpolicy"

# Specific config files for Poky
-SRC_URI += "file://customizable_types \
- file://setrans-mls.conf \
- file://setrans-mcs.conf \
- "
+SRC_URI += "file://customizable_types \
+ file://setrans-mls.conf \
+ file://setrans-mcs.conf \
+ "

# Base patches applied to all Yocto-based platforms. Your own version of
# refpolicy should provide a version of these and place them in your own
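Review bot: this hunk is whitespace-only (the SRC_URI continuation lines are re-indented). Splitting the cosmetic re-indentation of refpolicy_common.inc into its own commit would leave the functional changes in this file, in particular the `+=` to `=` assignment changes further down, visible on their own.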
@@ -49,64 +49,49 @@ SRC_URI += " \
file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
- file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
- file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
- file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
- file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \
- file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
- file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
- file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \
- file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \
- file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \
- file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
- file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \
- file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
- file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
- file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
- file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
- file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
- file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \
- file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
- file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
- file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
- file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
- file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
- file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
- file://0062-systemd-systemd-resolved-is-linked-to-libselinux.patch \
- file://0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch \
- file://0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch \
- file://0065-systemd-add-file-transition-for-systemd-networkd-run.patch \
- file://0066-systemd-add-missing-file-context-for-run-systemd-net.patch \
- file://0067-systemd-add-file-contexts-for-systemd-network-genera.patch \
- file://0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch \
- file://0069-fc-fstools-apply-policy-to-findfs-alternative.patch \
+ file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
+ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0046-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0049-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
"

S = "${WORKDIR}/refpolicy"

-CONFFILES:${PN} += "${sysconfdir}/selinux/config"
+CONFFILES:${PN} = "${sysconfdir}/selinux/config"
FILES:${PN} += " \
- ${sysconfdir}/selinux/${POLICY_NAME}/ \
- ${datadir}/selinux/${POLICY_NAME}/*.pp \
- ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
- "
+ ${sysconfdir}/selinux/${POLICY_NAME}/ \
+ ${datadir}/selinux/${POLICY_NAME}/*.pp \
+ ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+ "
FILES:${PN}-dev =+ " \
- ${datadir}/selinux/${POLICY_NAME}/include/ \
- ${sysconfdir}/selinux/sepolgen.conf \
-"
+ ${datadir}/selinux/${POLICY_NAME}/include/ \
+ ${sysconfdir}/selinux/sepolgen.conf \
+ "

EXTRANATIVEPATH += "bzip2-native"

-DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"

-RDEPENDS:${PN}-dev =+ " \
- python3-core \
-"
+RDEPENDS:${PN}-dev = " \
+ python3-core \
+ "

PACKAGE_ARCH = "${MACHINE_ARCH}"

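Review bot: `CONFFILES:${PN}`, `DEPENDS` and `RDEPENDS:${PN}-dev` change from `+=`/`=+` to plain `=`, which discards any value set before this .inc is included (for example DEPENDS added by the including recipe or by an inherited class). If being the sole definition is intended, the commit message should say so; otherwise keep the append forms. Separately, the renumbered list adds `file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch`, which is neither a drop nor a rebase of an existing patch (the diffstat lists it as a new 36-line file), so "Drop obsolete and useless patches / Rebase patches" undersells the change; one sentence on why sysadm now needs that access would help.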
@@ -129,83 +114,83 @@ POLICY_MLS_SENS ?= "16"
POLICY_MLS_CATS ?= "1024"
POLICY_MCS_CATS ?= "1024"

-EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
- TYPE=${POLICY_TYPE} \
- DISTRO=${POLICY_DISTRO} \
- UBAC=${POLICY_UBAC} \
- UNK_PERMS=${POLICY_UNK_PERMS} \
- DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
- SYSTEMD=${POLICY_SYSTEMD} \
- MONOLITHIC=${POLICY_MONOLITHIC} \
- CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
- QUIET=${POLICY_QUIET} \
- MLS_SENS=${POLICY_MLS_SENS} \
- MLS_CATS=${POLICY_MLS_CATS} \
- MCS_CATS=${POLICY_MCS_CATS}"
+EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
+ TYPE=${POLICY_TYPE} \
+ DISTRO=${POLICY_DISTRO} \
+ UBAC=${POLICY_UBAC} \
+ UNK_PERMS=${POLICY_UNK_PERMS} \
+ DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+ SYSTEMD=${POLICY_SYSTEMD} \
+ MONOLITHIC=${POLICY_MONOLITHIC} \
+ CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+ QUIET=${POLICY_QUIET} \
+ MLS_SENS=${POLICY_MLS_SENS} \
+ MLS_CATS=${POLICY_MLS_CATS} \
+ MCS_CATS=${POLICY_MCS_CATS}"

EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"

-python __anonymous () {
+python __anonymous() {
import re

- # make sure DEFAULT_ENFORCING is something sane
+ # Make sure DEFAULT_ENFORCING is something sane
if not re.match('^(enforcing|permissive|disabled)$',
d.getVar('DEFAULT_ENFORCING'),
flags=0):
d.setVar('DEFAULT_ENFORCING', 'permissive')
}

-disable_policy_modules () {
- for module in ${PURGE_POLICY_MODULES} ; do
- sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
- done
+disable_policy_modules() {
+ for module in ${PURGE_POLICY_MODULES} ; do
+ sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+ done
}

do_compile() {
- if [ -f "${WORKDIR}/modules.conf" ] ; then
- cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
- fi
- oe_runmake conf
- disable_policy_modules
- oe_runmake policy
+ if [ -f "${WORKDIR}/modules.conf" ] ; then
+ cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+ fi
+ oe_runmake conf
+ disable_policy_modules
+ oe_runmake policy
}

-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-
- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
-
- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-
- for i in ${POL_SRC}/*.${HLL_TYPE}; do
- MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
- MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
- if ! bzip2 -t $i >/dev/null 2>&1; then
- ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f $i && mv -f $i.bz2 $i
- else
- bunzip2 --stdout $i | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp $i ${MOD_DIR}/hll
- done
+prepare_policy_store() {
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+ # Prepare to create policy store
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
+
+ # Get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+ for i in ${POL_SRC}/*.${HLL_TYPE}; do
+ MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+ MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ if ! bzip2 -t $i >/dev/null 2>&1; then
+ ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f $i && mv -f $i.bz2 $i
+ else
+ bunzip2 --stdout $i | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp $i ${MOD_DIR}/hll
+ done
}

-rebuild_policy () {
- cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+rebuild_policy() {
+ cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
module-store = direct
[setfiles]
path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
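Review bot: `EXTRA_OEMAKE += "NAME=..."` becomes `EXTRA_OEMAKE = "NAME=..."`, so anything a class or including recipe placed in EXTRA_OEMAKE before this point is discarded; the three `EXTRA_OEMAKE +=` lines that follow still append, so only earlier settings are affected. As with DEPENDS above, please confirm the clobber is intended. The remainder of the hunk (indentation, `__anonymous()` spacing, comment capitalisation) is cosmetic and would be easier to review in a separate commit.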
@@ -219,29 +204,29 @@ args = \$@
policy-version = 33
EOF

- # Create policy store and build the policy
- semodule -p ${D} -s ${POLICY_NAME} -n -B
- rm -f ${D}${sysconfdir}/selinux/semanage.conf
- # no need to leave final dir created by semanage laying around
- rm -rf ${D}${localstatedir}/lib/selinux/final
+ # Create policy store and build the policy
+ semodule -p ${D} -s ${POLICY_NAME} -n -B
+ rm -f ${D}${sysconfdir}/selinux/semanage.conf
+ # No need to leave final dir created by semanage laying around
+ rm -rf ${D}${localstatedir}/lib/selinux/final
}

-install_misc_files () {
- cat ${WORKDIR}/customizable_types >> \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+install_misc_files() {
+ cat ${WORKDIR}/customizable_types >> \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types

- # install setrans.conf for mls/mcs policy
- if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
- install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
- fi
+ # Install setrans.conf for mls/mcs policy
+ if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+ install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+ fi

- # install policy headers
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+ # Install policy headers
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}

-install_config () {
- echo "\
+install_config() {
+ echo "\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
@@ -256,22 +241,22 @@ SELINUX=${DEFAULT_ENFORCING}
# mcs - Multi Category Security protection.
SELINUXTYPE=${POLICY_NAME}
" > ${WORKDIR}/config
- install -d ${D}/${sysconfdir}/selinux
- install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+ install -d ${D}/${sysconfdir}/selinux
+ install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
}

-do_install () {
- prepare_policy_store
- rebuild_policy
- install_misc_files
- install_config
+do_install() {
+ prepare_policy_store
+ rebuild_policy
+ install_misc_files
+ install_config
}

-do_install:append(){
- # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
- echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+do_install:append() {
+ # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+ echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
}

-sysroot_stage_all:append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+sysroot_stage_all:append() {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
}
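Review bot: since these lines are being re-indented anyway, `${D}/${sysconfdir}/selinux` carries a redundant slash (`${sysconfdir}` is already an absolute path); `${D}${sysconfdir}/selinux` would match the form used elsewhere in this file, e.g. `${D}${sysconfdir}/selinux/semanage.conf` in rebuild_policy().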
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 9e78aed..54e0890 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20210908+git${SRCPV}"
+PV = "2.20221101+git${SRCPV}"

SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"

-SRCREV_refpolicy ?= "23a8d103f379361cfe63a9ee064564624e108196"
+SRCREV_refpolicy ?= "03d486e306555da161b653c88e804ce23f3a0ea4"

UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"

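Review bot: the SRCREV move to 03d486e306555da161b653c88e804ce23f3a0ea4 is what justifies deleting the Upstream-Status: Backport patches earlier in this diff, but nothing in the commit message ties the two together. Listing the upstream commits those patches cite (308ab9f69a46..., 663b62f27cb1..., f2fe1ae15485..., 73adba0a39b7..., 998ef975f38c...) as contained in the new revision, and noting that PV's 20221101 date corresponds to that revision, would make the upgrade self-documenting.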
--
2.25.1


Re: [meta-selinux][PATCH 4/4] refpolicy: upgrade 20210908+git -> 20221101+git

Yi Zhao
 

On 11/8/22 10:29, Yi Zhao wrote:

On 11/8/22 03:33, Joe MacDonald wrote:
Hi Yi,

Can you explain the reason for moving the dbus module to the list of
always-on modules and out of the systemd conditional for
refpolicy-minimum_git.bb?

This is introduced by commit e1cdd5a94493db1da7d4a815760453a54c45f11c in refpolicy:

commit e1cdd5a94493db1da7d4a815760453a54c45f11c
Author: Kenton Groombridge <me@...>
Date:   Sun Oct 2 19:07:08 2022 -0400

    dbus, init, mount, rpc: minor fixes for mount.nfs

    mount.nfs will attempt to start the rpc-statd.service unit but will fall
    back to executing start-statd directly. Dontaudit attempts to start the
    unit and perform a domain transition to start-statd from mount.

    Signed-off-by: Kenton Groombridge <me@...>


diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index e75a9eeed..d028723ce 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
[snip]
@@ -141,6 +145,8 @@ selinux_getattr_fs(mount_t)

 userdom_use_all_users_fds(mount_t)

+dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
+
 ifdef(`distro_redhat',`
        optional_policy(`
                auth_read_pam_console_data(mount_t)
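Review bot: `dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)` is added outside any `optional_policy()` block, which makes dbus a hard build dependency of the mount module, whereas the neighbouring calls into other modules in this file (`auth_read_pam_console_data` in the context just below, `puppet_rw_tmp` in the next hunk) are wrapped in `optional_policy()`. Wrapping this call the same way keeps the dbus module optional for builds that do not ship it and avoids having to move dbus into the always-on module list.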
@@ -210,6 +216,10 @@ optional_policy(`
        puppet_rw_tmp(mount_t)
 ')
[snip]


Now the dbus module is required by the mount module.

Hi Joe,


We could make this interface optional with optional_policy. I think it's better than adding dbus to the core module.

I will send V2.


//Yi




//Yi



Thanks,
-Joe.

[[meta-selinux][PATCH 4/4] refpolicy: upgrade 20210908+git -> 20221101+git] On 22.11.02 (Wed 15:30) Yi Zhao wrote:

* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
  .../refpolicy/refpolicy-minimum_git.bb        |  93 +++----
  .../refpolicy/refpolicy-targeted_git.bb       |   1 -
  ...tile-alias-common-var-volatile-paths.patch |   4 +-
  ...inimum-make-sysadmin-module-optional.patch |  12 +-
  ...ed-make-unconfined_u-the-default-sel.patch |  12 +-
  ...box-set-aliases-for-bin-sbin-and-usr.patch |   4 +-
  ...icy-minimum-make-xdg-module-optional.patch |   8 +-
  ...ed-add-capability2-bpf-and-perfmon-f.patch |  52 ----
  ...y-policy-to-common-yocto-hostname-al.patch |   4 +-
  ...efpolicy-minimum-enable-nscd_use_shm.patch |  35 ---
  ...sr-bin-bash-context-to-bin-bash.bash.patch |   6 +-
  ...abel-resolv.conf-in-var-run-properly.patch |   4 +-
  ...-apply-login-context-to-login.shadow.patch |   4 +-
  ...-fc-hwclock-add-hwclock-alternatives.patch |   4 +-
  ...g-apply-policy-to-dmesg-alternatives.patch |   4 +-
  ...ssh-apply-policy-to-ssh-alternatives.patch |   8 +-
  ...ply-policy-to-network-commands-alter.patch |   4 +-
  ...v-apply-policy-to-udevadm-in-libexec.patch |   4 +-
  ...ply-rpm_exec-policy-to-cpio-binaries.patch |   8 +-
  ...c-su-apply-policy-to-su-alternatives.patch |   4 +-
  ...fc-fstools-fix-real-path-for-fstools.patch |  17 +-
  ...fix-update-alternatives-for-sysvinit.patch |  10 +-
  ...l-apply-policy-to-brctl-alternatives.patch |   4 +-
  ...apply-policy-to-nologin-alternatives.patch |   8 +-
  ...apply-policy-to-sulogin-alternatives.patch |   4 +-
  ...tp-apply-policy-to-ntpd-alternatives.patch |   4 +-
  ...pply-policy-to-kerberos-alternatives.patch |   4 +-
  ...ap-apply-policy-to-ldap-alternatives.patch |   4 +-
  ...ply-policy-to-postgresql-alternative.patch |   4 +-
  ...-apply-policy-to-screen-alternatives.patch |   4 +-
  ...ply-policy-to-usermanage-alternative.patch |  26 +-
  ...etty-add-file-context-to-start_getty.patch |   4 +-
  ...k-apply-policy-to-vlock-alternatives.patch |   4 +-
  ...for-init-scripts-and-systemd-service.patch |   8 +-
  ...bs_dist-set-aliase-for-root-director.patch |   4 +-
  ...ystem-logging-add-rules-for-the-syml.patch |   6 +-
  ...ystem-logging-add-rules-for-syslogd-.patch |   8 +-
  ...ernel-files-add-rules-for-the-symlin.patch |  26 +-
  ...ystem-logging-fix-auditd-startup-fai.patch |  10 +-
  ...ernel-terminal-don-t-audit-tty_devic.patch |   6 +-
  ...rvices-rpcbind-allow-rpcbind_t-to-c.patch} |  23 +-
  ...ystem-modutils-allow-mod_t-to-access.patch |  67 -----
  ...ystem-getty-allow-getty_t-to-search-.patch |  32 ---
  ...stem-systemd-enable-support-for-sys.patch} |  10 +-
  ...stem-systemd-allow-systemd_logind_t.patch} |   8 +-
  ...dmin-usermanage-allow-useradd-to-rel.patch |  71 -----
  ...oles-sysadm-allow-sysadm-to-use-init.patch |  36 +++
  ...es-system-systemd-systemd-user-fixes.patch |  84 ++++++
  ...stem-mount-make-mount_t-domain-MLS-.patch} |   8 +-
  ...ystem-systemd-fix-systemd-resolved-s.patch |  60 ----
  ...les-sysadm-MLS-sysadm-rw-to-clearan.patch} |  10 +-
  ...ystem-systemd-allow-systemd_-_t-to-g.patch | 156 -----------
  ...rvices-rpc-make-nfsd_t-domain-MLS-t.patch} |  12 +-
  ...ystem-logging-fix-syslogd-failures-f.patch |  55 ----
  ...min-dmesg-make-dmesg_t-MLS-trusted-.patch} |   6 +-
  ...es-system-systemd-systemd-user-fixes.patch | 172 ------------
  ...rnel-kernel-make-kernel_t-MLS-trust.patch} |   8 +-
  ...ystem-sysnetwork-support-priviledge-.patch | 132 ---------
  ...stem-init-make-init_t-MLS-trusted-f.patch} |   8 +-
  ...ystem-modutils-allow-kmod_t-to-write.patch |  34 ---
  ...stem-systemd-make-systemd-tmpfiles_.patch} |   8 +-
  ...stem-systemd-systemd-make-systemd_-.patch} |  26 +-
  ...stem-logging-add-the-syslogd_t-to-t.patch} |  15 +-
  ...stem-init-make-init_t-MLS-trusted-f.patch} |   8 +-
  ...stem-init-all-init_t-to-read-any-le.patch} |   8 +-
  ...stem-logging-allow-auditd_t-to-writ.patch} |   8 +-
  ...rnel-kernel-make-kernel_t-MLS-trust.patch} |   8 +-
  ...stem-setrans-allow-setrans_t-use-fd.patch} |   8 +-
  ...stem-systemd-make-_systemd_t-MLS-tr.patch} |   8 +-
  ...stem-logging-make-syslogd_runtime_t.patch} |  12 +-
  ...emd-resolved-is-linked-to-libselinux.patch |  33 ---
  ...md-allow-DNS-resolution-over-io.syst.patch |  63 -----
  ...systemd-to-watch-and-watch-reads-on-.patch |  94 -------
  ...-transition-for-systemd-networkd-run.patch |  32 ---
  ...ing-file-context-for-run-systemd-net.patch |  29 --
  ...-contexts-for-systemd-network-genera.patch |  38 ---
  ...ow-udev-to-read-systemd-networkd-run.patch |  34 ---
  ...s-apply-policy-to-findfs-alternative.patch |  29 --
  .../refpolicy/refpolicy_common.inc            | 261 +++++++++---------
  recipes-security/refpolicy/refpolicy_git.inc  |   4 +-
  80 files changed, 521 insertions(+), 1637 deletions(-)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
  rename recipes-security/refpolicy/refpolicy/{0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch => 0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch} (52%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
  rename recipes-security/refpolicy/refpolicy/{0038-policy-modules-system-systemd-enable-support-for-sys.patch => 0035-policy-modules-system-systemd-enable-support-for-sys.patch} (91%)
  rename recipes-security/refpolicy/refpolicy/{0045-policy-modules-system-systemd-allow-systemd_logind_t.patch => 0036-policy-modules-system-systemd-allow-systemd_logind_t.patch} (88%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
  create mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
  create mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
  rename recipes-security/refpolicy/refpolicy/{0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch => 0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch} (84%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
  rename recipes-security/refpolicy/refpolicy/{0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch => 0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch} (83%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
  rename recipes-security/refpolicy/refpolicy/{0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch => 0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch} (84%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
  rename recipes-security/refpolicy/refpolicy/{0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch => 0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch} (90%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
  rename recipes-security/refpolicy/refpolicy/{0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (94%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
  rename recipes-security/refpolicy/refpolicy/{0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (89%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
  rename recipes-security/refpolicy/refpolicy/{0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch => 0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch} (92%)
  rename recipes-security/refpolicy/refpolicy/{0053-policy-modules-system-systemd-systemd-make-systemd_-.patch => 0046-policy-modules-system-systemd-systemd-make-systemd_-.patch} (82%)
  rename recipes-security/refpolicy/refpolicy/{0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch => 0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch} (78%)
  rename recipes-security/refpolicy/refpolicy/{0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (85%)
  rename recipes-security/refpolicy/refpolicy/{0056-policy-modules-system-init-all-init_t-to-read-any-le.patch => 0049-policy-modules-system-init-all-init_t-to-read-any-le.patch} (88%)
  rename recipes-security/refpolicy/refpolicy/{0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch => 0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch} (87%)
  rename recipes-security/refpolicy/refpolicy/{0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (83%)
  rename recipes-security/refpolicy/refpolicy/{0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch => 0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch} (83%)
  rename recipes-security/refpolicy/refpolicy/{0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch => 0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch} (88%)
  rename recipes-security/refpolicy/refpolicy/{0061-policy-modules-system-logging-make-syslogd_runtime_t.patch => 0054-policy-modules-system-logging-make-syslogd_runtime_t.patch} (84%)
  delete mode 100644 recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
  delete mode 100644 recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch

diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 2e95b9f..5940ce2 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -14,29 +14,29 @@ domains are unconfined. \
  SRC_URI += " \
file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
file://0002-refpolicy-minimum-make-xdg-module-optional.patch \
- file://0003-refpolicy-minimum-enable-nscd_use_shm.patch \
          "
    POLICY_NAME = "minimum"
    CORE_POLICY_MODULES = "unconfined \
-    selinuxutil \
-    storage \
-    sysnetwork \
-    application \
-    libraries \
-    miscfiles \
-    logging \
-    userdomain \
-    init \
-    mount \
-    modutils \
-    getty \
-    authlogin \
-    locallogin \
-    "
-#systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools dbus', '', d)}"
+    selinuxutil \
+    storage \
+    sysnetwork \
+    application \
+    libraries \
+    miscfiles \
+    logging \
+    userdomain \
+    init \
+    mount \
+    modutils \
+    getty \
+    authlogin \
+    locallogin \
+    dbus \
+    "
+# systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
    # nscd caches libc-issued requests to the name service.
  # Without nscd.pp, commands want to use these caches will be blocked.
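Review bot: `dbus` moves from the systemd-conditional list (`'clock systemd udev fstools dbus'`) into the unconditional CORE_POLICY_MODULES, so a sysvinit minimum image now always installs dbus.pp; the hunk does not say why (for example, whether another core module in the list now requires dbus interfaces at link time). State that in the commit message or keep it conditional. The rest of this hunk is a whitespace-only reindent of the module list that buries the single functional line `+    dbus \` among 15 unchanged entries; a separate cleanup commit would make the policy change reviewable on its own. Note also that dropping `file://0003-refpolicy-minimum-enable-nscd_use_shm.patch` returns the nscd_use_shm tunable to its upstream default of false for the minimum policy.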
@@ -60,39 +60,38 @@ EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
  #
  # PURGE_POLICY_MODULES += "xdg xen"
  -
  POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
  -# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
-    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-    POL_PRIORITY=100
-    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
-    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+# Re-write the same func from refpolicy_common.inc
+prepare_policy_store() {
+    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+    POL_PRIORITY=100
+    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
  -    # Prepare to create policy store
-    mkdir -p ${POL_STORE}
-    mkdir -p ${POL_ACTIVE_MODS}
+    # Prepare to create policy store
+    mkdir -p ${POL_STORE}
+    mkdir -p ${POL_ACTIVE_MODS}
  -    # get hll type from suffix on base policy module
-    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+    # Get hll type from suffix on base policy module
+    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
  -    for i in base ${POLICY_MODULES_MIN}; do
-        MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
-        MOD_DIR=${POL_ACTIVE_MODS}/${i}
-        mkdir -p ${MOD_DIR}
-        echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+    for i in base ${POLICY_MODULES_MIN}; do
+        MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+        MOD_DIR=${POL_ACTIVE_MODS}/${i}
+        mkdir -p ${MOD_DIR}
+        echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
  -        if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
-            ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
-            bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
-        else
-            bunzip2 --stdout ${MOD_FILE} | \
-                ${HLL_BIN} | \
-                bzip2 --stdout > ${MOD_DIR}/cil
-        fi
-        cp ${MOD_FILE} ${MOD_DIR}/hll
-    done
+        if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+            ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+            bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+        else
+            bunzip2 --stdout ${MOD_FILE} | \
+                ${HLL_BIN} | \
+                bzip2 --stdout > ${MOD_DIR}/cil
+        fi
+        cp ${MOD_FILE} ${MOD_DIR}/hll
+    done
  }
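Review bot: this entire hunk is whitespace and comment-capitalisation churn in prepare_policy_store() (same `oe_runmake ... install`, same `HLL_BIN` conversion pipeline, same bzip2 handling) with no behaviour change, in a patch that also removes policy patches; move it to its own commit so `git blame` on the function does not land on the refpolicy upgrade. If the function is being touched anyway, the comment `# Re-write the same func from refpolicy_common.inc` flags a copy-pasted body; parametrising the common version on POLICY_MODULES_MIN would remove the duplicate instead of reindenting it.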
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index 15226db..de81d46 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,5 +14,4 @@ include refpolicy_${PV}.inc
    SRC_URI += " \
file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
- file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch \
          "
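Review bot: dropping `file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch` removes the only `self:capability2 { bpf perfmon }` and `self:system reload` allow rules this layer added for unconfined domains under init_systemd; the series should say whether the new refpolicy version grants these itself or whether the denials quoted in that patch (pid=433 comm="systemd") are expected to come back. Booting a targeted image in enforcing mode and checking `ausearch -m avc -ts boot` (or `dmesg | grep avc`) before merging would settle it.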
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index c3a03f3..1605d90 100644
---
a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,4 +1,4 @@
-From d39f2ddbfcfd6e224a50bf327a7bd0031d74d0c6 Mon Sep 17 00:00:00 2001
+From ee66387c393af77b88c833f5d271efe48036112c Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 28 Mar 2019 16:14:09 -0400
  Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
@@ -29,5 +29,5 @@ index ba22ce7e7..23d4328f7 100644
  +/var/volatile/log /var/log
  +/var/volatile/tmp /var/tmp
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index f607cbb..657c5cd 100644
---
a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,4 @@
-From 669293ddf351f231b34979a7d708601ccbd11930 Mon Sep 17 00:00:00 2001
+From 0e3b79ae0ae468640d7092c9a91a91d258d07645 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 5 Apr 2019 11:53:28 -0400
  Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   2 files changed, 11 insertions(+), 7 deletions(-)
    diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5a19f0e43..1f4a671dc 100644
+index 671b5aef3..8ce3d5956 100644
  --- a/policy/modules/system/init.te
  +++ b/policy/modules/system/init.te
-@@ -556,13 +556,15 @@ ifdef(`init_systemd',`
+@@ -615,13 +615,15 @@ ifdef(`init_systemd',`
           unconfined_write_keys(init_t)
       ')
   ',`
@@ -48,10 +48,10 @@ index 5a19f0e43..1f4a671dc 100644
       ')
   ')
  diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 109980e79..313112371 100644
+index 7728de804..a8ff403dd 100644
  --- a/policy/modules/system/locallogin.te
  +++ b/policy/modules/system/locallogin.te
-@@ -265,7 +265,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -274,7 +274,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
   userdom_search_user_home_dirs(sulogin_t)
   userdom_use_user_ptys(sulogin_t)
   @@ -63,5 +63,5 @@ index 109980e79..313112371 100644
   # by default, sulogin does not use pam...
   # sulogin_pam might need to be defined otherwise
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
index 9939b59..64e658e 100644
---
a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,14 +1,14 @@
-From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
+From 60b4e5ea5668a71b2a0660461daecea66fd11d51 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@...>
  Date: Mon, 20 Apr 2020 11:50:03 +0800
  Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
   user
    For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
+user for root and normal users, so users could login and run most
  commands and services on unconfined domains.
  -Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Inappropriate [embedded specific]
    Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
  Signed-off-by: Joe MacDonald <joe_macdonald@...>
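Review bot: this hunk changes the patch's `From:` author from Yi Zhao to Xin Ouyang, presumably to match the first Signed-off-by line, and recategorises Upstream-Status from `Inappropriate [configuration]` to `Inappropriate [embedded specific]`; both are authorship and metadata changes that belong in the commit message rather than slipped in with a format-patch refresh. The `login in` -> `login` wording fix is fine.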
@@ -38,7 +38,7 @@ index ce614b41b..c0903d98b 100644
  +root:unconfined_u:s0-mcs_systemhigh
  +__default__:unconfined_u:s0
  diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 4972094cb..b6d769412 100644
+index d116a1b9b..32720f68f 100644
  --- a/policy/modules/system/unconfined.te
  +++ b/policy/modules/system/unconfined.te
  @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
@@ -77,5 +77,5 @@ index ca203758c..e737cd9cc 100644
  +    gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index d2b8139..ef00602 100644
---
a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,4 +1,4 @@
-From 974befcafcee1377e122f19a4182f74eea757158 Mon Sep 17 00:00:00 2001
+From 8fa6c5b7b99a50b09e9dffd142c066fa41319750 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 28 Mar 2019 20:48:10 -0400
  Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
@@ -29,5 +29,5 @@ index 23d4328f7..690007f22 100644
  +/usr/lib/busybox/sbin /usr/sbin
  +/usr/lib/busybox/usr /usr
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
index 84764e5..25afa3b 100644
---
a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch
@@ -1,4 +1,4 @@
-From 1ff0e212ce737bba59d90977a58a15250bc84ea9 Mon Sep 17 00:00:00 2001
+From 9a8d6b634d4f714fc63125be5e23228c565d1aaf Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Wed, 29 Sep 2021 11:08:49 +0800
  Subject: [PATCH] refpolicy-minimum: make xdg module optional
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 6 insertions(+), 2 deletions(-)
    diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 8cea6baa1..218834495 100644
+index 7b717d3ba..3b07b368d 100644
  --- a/policy/modules/system/systemd.te
  +++ b/policy/modules/system/systemd.te
-@@ -276,10 +276,14 @@ files_type(systemd_update_run_t)
+@@ -298,10 +298,14 @@ init_unit_file(systemd_user_manager_unit_t)
      type systemd_conf_home_t;
   init_unit_file(systemd_conf_home_t)
@@ -36,5 +36,5 @@ index 8cea6baa1..218834495 100644
   type systemd_user_runtime_notify_t;
   userdom_user_runtime_content(systemd_user_runtime_notify_t)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
deleted file mode 100644
index e4c081d..0000000
---
a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Wed, 29 Sep 2021 16:43:54 +0800
-Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
- unconfined_t
-
-Fixes:
-avc: denied { bpf } for pid=433 comm="systemd" capability=39
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=capability2 permissive=0
-
-avc: denied { perfmon } for pid=433 comm="systemd" capability=38
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=capability2 permissive=0
-
-type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
-subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
-denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
-scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-tclass=system permissive=0  exe="/lib/systemd/systemd" sauid=0
-hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
-UID="root" GID="root" SAUID="root"
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/unconfined.if | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index a139cfe78..807e959c3 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
-     files_start_etc_service($1)
-     files_stop_etc_service($1)
-
-+    ifdef(`init_systemd',`
-+        allow $1 self:capability2 { bpf perfmon };
-+        allow $1 self:system reload;
-+    ')
-+
-     tunable_policy(`allow_execheap',`
-         # Allow making the stack executable via mprotect.
-         allow $1 self:process execheap;
---
-2.17.1
-
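Review bot: the deleted `ifdef(`init_systemd',` block in unconfined.if was what granted `capability2 { bpf perfmon }` (kernel CAP_BPF = 39 and CAP_PERFMON = 38, matching the `capability=39` and `capability=38` in the quoted AVCs) to unconfined_t. If the file is being removed because upstream refpolicy now carries an equivalent rule in unconfined_domain_noaudit, cite that upstream commit in the message; if not, the systemd denials quoted here return in enforcing mode on the targeted policy. Deleting the file is otherwise consistent with the SRC_URI hunk in refpolicy-targeted_git.bb.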
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index 6596e76..94ac31b 100644
---
a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,4 +1,4 @@
-From 9c6f3c5acc01607a67277f69faa67e34dc98232b Mon Sep 17 00:00:00 2001
+From 5a0bbd1920205f488b6a4565f7217b9d0825067b Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
@@ -22,5 +22,5 @@ index 83ddeb573..cf523bc4c 100644
  +/usr/bin/hostname\.net-tools    --
gen_context(system_u:object_r:hostname_exec_t,s0)
  +/usr/bin/hostname\.coreutils    --
gen_context(system_u:object_r:hostname_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
deleted file mode 100644
index edf9caa..0000000
---
a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5f992b59a74cc6cde8fd20162a11065dc30fd7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Fri, 26 Feb 2021 09:13:23 +0800
-Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm
-
-Fixes:
-avc: denied { listen } for pid=199 comm="systemd-resolve"
-path="/run/systemd/resolve/io.systemd.Resolve"
-scontext=system_u:system_r:systemd_resolved_t:s0
-tcontext=system_u:system_r:systemd_resolved_t:s0
-tclass=unix_stream_socket permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/services/nscd.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index ada67edb1..9801fc228 100644
---- a/policy/modules/services/nscd.te
-+++ b/policy/modules/services/nscd.te
-@@ -15,7 +15,7 @@ gen_require(`
- ##    can use nscd shared memory.
- ##    </p>
- ## </desc>
--gen_tunable(nscd_use_shm, false)
-+gen_tunable(nscd_use_shm, true)
-
- attribute_role nscd_roles;
-
---
-2.17.1
-
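Review bot: removing this file flips `nscd_use_shm` back to its upstream default of false for the minimum policy, yet the deleted message justified the tunable with a `{ listen }` denial on `/run/systemd/resolve/io.systemd.Resolve` for systemd_resolved_t, a unix_stream_socket rule with no obvious relation to nscd shared memory. Either the new refpolicy's systemd_resolved_t rules now cover that denial (say so, and record what was booted to check) or the tunable never addressed it; in both cases the commit message should state which. If the boolean is still wanted, changing its default in the policy store (e.g. `semanage boolean -m --on nscd_use_shm`) is the usual alternative to patching nscd.te.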
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
index cf333f1..eff0255 100644
---
a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -1,4 +1,4 @@
-From bbc8b58fe5fe709dfadbffc86e17ebd2d76a257c Mon Sep 17 00:00:00 2001
+From c9219d2f7be1e641b3866b770a9b570c12333b93 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 28 Mar 2019 21:37:32 -0400
  Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
@@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 4c18154ce..9187e50af 100644
+index 0c05c693d..b70940928 100644
  --- a/policy/modules/kernel/corecommands.fc
  +++ b/policy/modules/kernel/corecommands.fc
  @@ -142,6 +142,7 @@ ifdef(`distro_gentoo',`
@@ -27,5 +27,5 @@ index 4c18154ce..9187e50af 100644
   /usr/bin/fish            --
gen_context(system_u:object_r:shell_exec_t,s0)
   /usr/bin/git-shell        --
gen_context(system_u:object_r:shell_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index 078c246..06c8087 100644
---
a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,4 +1,4 @@
-From 3cccdec2aaa273ca09100ca957f4968a25f4f3a3 Mon Sep 17 00:00:00 2001
+From 51631a7eaaea1fab4b36a2488497cf725317ce6e Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 4 Apr 2019 10:45:03 -0400
  Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
@@ -25,5 +25,5 @@ index 14505efe9..c9ec4e5ab 100644
   ifdef(`distro_gentoo',`
   /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index b4747f7..70c5566 100644
---
a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,4 +1,4 @@
-From 9a1e1c7b65cb3f5ab97ce05463ca02a3eaa57d86 Mon Sep 17 00:00:00 2001
+From 1c61b10d21a22d4110bc880b23477295f6cd9efb Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 28 Mar 2019 21:43:53 -0400
  Subject: [PATCH] fc/login: apply login context to login.shadow
@@ -24,5 +24,5 @@ index 50efcff7b..5cb48882c 100644
   /usr/bin/pam_timestamp_check    --
gen_context(system_u:object_r:pam_exec_t,s0)
   /usr/bin/tcb_convert        --
gen_context(system_u:object_r:updpwd_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
index 33f6a10..2f9f703 100644
---
a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch
@@ -1,4 +1,4 @@
-From 73716015ab28a9474912902e9467f2d2a864ecd0 Mon Sep 17 00:00:00 2001
+From e4d7d9fb1cb157bf205874e1a81d5719017866a1 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Thu, 28 Mar 2019 21:59:18 -0400
  Subject: [PATCH] fc/hwclock: add hwclock alternatives
@@ -21,5 +21,5 @@ index 301965892..139485835 100644
   /usr/sbin/hwclock    --
gen_context(system_u:object_r:hwclock_exec_t,s0)
  +/usr/sbin/hwclock\.util-linux    --
gen_context(system_u:object_r:hwclock_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
index 5f2ffdf..6e576a8 100644
---
a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -1,4 +1,4 @@
-From 504e8429500ab0984adfd52bb09a3e993b87f2f1 Mon Sep 17 00:00:00 2001
+From ac6536f04674ccc051744e6eb3644e68fe38da33 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 29 Mar 2019 08:26:55 -0400
  Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
@@ -19,5 +19,5 @@ index e52fdfcf8..526b92ed2 100644
   /usr/bin/dmesg        --
gen_context(system_u:object_r:dmesg_exec_t,s0)
  +/usr/bin/dmesg\.util-linux        --
gen_context(system_u:object_r:dmesg_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
index 585850b..611c0d3 100644
---
a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,4 +1,4 @@
-From 8ad451ceff2ba4ea26290a7ba9918406a90bb10f Mon Sep 17 00:00:00 2001
+From a56887ca448b60ad6715348b2cfe533e8109a040 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 29 Mar 2019 09:20:58 -0400
  Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
@@ -12,11 +12,11 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 60060c35c..518043a9b 100644
+index 5c512e972..0448c1877 100644
  --- a/policy/modules/services/ssh.fc
  +++ b/policy/modules/services/ssh.fc
  @@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host.*_key        --
gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host.*_key(\.pub)?    --
gen_context(system_u:object_r:sshd_key_t,s0)
      /usr/bin/ssh            --
gen_context(system_u:object_r:ssh_exec_t,s0)
  +/usr/bin/ssh\.openssh    --
gen_context(system_u:object_r:ssh_exec_t,s0)
@@ -24,5 +24,5 @@ index 60060c35c..518043a9b 100644
   /usr/bin/ssh-keygen        --
gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
   /usr/bin/sshd            --
gen_context(system_u:object_r:sshd_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
index 0621923..7af147d 100644
---
a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch
@@ -1,4 +1,4 @@
-From c85fd7d9c45770b31de44bb35521e2251882df10 Mon Sep 17 00:00:00 2001
+From 47a5e9a0bd4960534998798ab1a5ab62e77b2b61 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Tue, 9 Jun 2015 21:22:52 +0530
  Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives
@@ -43,5 +43,5 @@ index c9ec4e5ab..4ca151524 100644
   /usr/sbin/tc            --
gen_context(system_u:object_r:ifconfig_exec_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
index cc3e529..434fc1d 100644
---
a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -1,4 +1,4 @@
-From aa2635a54f9c36205ebc469f799a56ece01ac610 Mon Sep 17 00:00:00 2001
+From bbc6eb20e9509a61236051df7a5fa552a8f2654d Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 29 Mar 2019 09:36:08 -0400
  Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
@@ -25,5 +25,5 @@ index 7898ff01c..bc717e60c 100644
   /usr/sbin/start_udev --
gen_context(system_u:object_r:udev_exec_t,s0)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
index b039f53..bf562d6 100644
---
a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -1,4 +1,4 @@
-From faf757c732c9a022499b584cea64ce1fcc78e118 Mon Sep 17 00:00:00 2001
+From 00533fded8e2264f8bdc68c8ed79644a10e4e2ad Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 29 Mar 2019 09:54:07 -0400
  Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
@@ -12,10 +12,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index aaf530c2b..618b18cec 100644
+index 3f842f942..12973ac8b 100644
  --- a/policy/modules/admin/rpm.fc
  +++ b/policy/modules/admin/rpm.fc
-@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
+@@ -71,4 +71,6 @@ ifdef(`distro_redhat',`
      ifdef(`enable_mls',`
   /usr/sbin/cpio    -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -23,5 +23,5 @@ index aaf530c2b..618b18cec 100644
  +/usr/bin/cpio\.cpio    --
gen_context(system_u:object_r:rpm_exec_t,s0)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
index 14c7d5b..32d38f1 100644
---
a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,4 +1,4 @@
-From 52853ae9ee13038c5ffae8616858c442d412a2b8 Mon Sep 17 00:00:00 2001
+From 4b202554e646a60000c1acad7bbdfae1078bdc10 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Thu, 13 Feb 2014 00:33:07 -0500
  Subject: [PATCH] fc/su: apply policy to su alternatives
@@ -23,5 +23,5 @@ index 3375c9692..a9868cd58 100644
  +/usr/bin/su\.shadow        --
gen_context(system_u:object_r:su_exec_t,s0)
  +/usr/bin/su\.util-linux        --
gen_context(system_u:object_r:su_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
index c2e0ca8..de0aad7 100644
---
a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,4 +1,4 @@
-From 4f3a637c0385204c0b87806d158e106fb9f88972 Mon Sep 17 00:00:00 2001
+From f64a5d6a2f2e72ae6c5122220eb759117b6384c8 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Mon, 27 Jan 2014 03:54:01 -0500
  Subject: [PATCH] fc/fstools: fix real path for fstools
@@ -10,14 +10,14 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@...>
  Signed-off-by: Joe MacDonald <joe_macdonald@...>
  Signed-off-by: Yi Zhao <yi.zhao@...>
  ---
- policy/modules/system/fstools.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ policy/modules/system/fstools.fc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
    diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d871294e8..bef711850 100644
+index 8fbd5ce44..2842afbcc 100644
  --- a/policy/modules/system/fstools.fc
  +++ b/policy/modules/system/fstools.fc
-@@ -59,7 +59,9 @@
+@@ -58,7 +58,9 @@
   /usr/sbin/addpart        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/badblocks        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/blkid            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -27,12 +27,13 @@ index d871294e8..bef711850 100644
   /usr/sbin/cfdisk        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/clubufflush        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/delpart        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -73,10 +75,12 @@
+@@ -72,10 +74,13 @@
   /usr/sbin/efibootmgr        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/fatsort        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/fdisk            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
  +/usr/sbin/fdisk\.util-linux            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/findfs        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs\.util-linux        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/fsck.*        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/gdisk            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/hdparm        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
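Review bot: The new `++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)` line is correct and needed: under update-alternatives `/usr/sbin/findfs` is a symlink and SELinux labels the executable by the resolved target, so without this entry an exec of `findfs` lands on a `bin_t` file and the transition into `fsadm_t` never happens (the process then stays in the caller's domain and hits denials on block devices). The inner header update from `+74,12` to `+74,13` and the diffstat change to `11 insertions(+)` in the earlier hunk are consistent with this one extra line (2 + 3 + 6 added lines across the three inner hunks). Please mention the added `findfs` alternative in the patch description at the top of the file, which still only talks about "real path for fstools"; the `.` is correctly escaped as `\.`, matching the existing `fdisk\.util-linux` entry.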
@@ -40,7 +41,7 @@ index d871294e8..bef711850 100644
   /usr/sbin/install-mbr        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/jfs_.*        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/losetup.*        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -84,24 +88,30 @@
+@@ -83,24 +88,30 @@
   /usr/sbin/make_reiser4        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/mkdosfs        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/mke2fs        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -72,5 +73,5 @@ index d871294e8..bef711850 100644
   /usr/sbin/zhack            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
   /usr/sbin/zinject        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
index b3ab0cc..5e9c197 100644
---
a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -1,4 +1,4 @@
-From e1439aa43af6ef15b35eac3cdbf0cea561768362 Mon Sep 17 00:00:00 2001
+From 6d2a96abd1e292d0c34ff77501e618cfc193655f Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
@@ -26,7 +26,7 @@ index bf51c103f..91ed72be0 100644
      /run/shutdown\.pid    --
gen_context(system_u:object_r:shutdown_runtime_t,s0)
  diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 9187e50af..0ecabe34e 100644
+index b70940928..e6077fd5b 100644
  --- a/policy/modules/kernel/corecommands.fc
  +++ b/policy/modules/kernel/corecommands.fc
  @@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
@@ -39,10 +39,10 @@ index 9187e50af..0ecabe34e 100644
   /usr/bin/sash            --
gen_context(system_u:object_r:shell_exec_t,s0)
   /usr/bin/sesh            --
gen_context(system_u:object_r:shell_exec_t,s0)
  diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 63cf195e6..5268bddb2 100644
+index 1a99e5824..7f0b7c699 100644
  --- a/policy/modules/system/init.fc
  +++ b/policy/modules/system/init.fc
-@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+@@ -41,6 +41,7 @@ ifdef(`distro_gentoo',`
   /usr/libexec/dcc/stop-.* --
gen_context(system_u:object_r:initrc_exec_t,s0)
      /usr/sbin/init(ng)?    --
gen_context(system_u:object_r:init_exec_t,s0)
@@ -51,5 +51,5 @@ index 63cf195e6..5268bddb2 100644
   /usr/sbin/upstart    --
gen_context(system_u:object_r:init_exec_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
index b9812b7..b0ba609 100644
---
a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -1,4 +1,4 @@
-From 274066b3397b53d63134aee94a0148d9c7d1886d Mon Sep 17 00:00:00 2001
+From 2e9c22ee83b7d4fea7b177ca8111c06e69338db9 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 10:19:54 +0800
  Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
@@ -20,5 +20,5 @@ index ed472f095..2a852b0fd 100644
   /usr/sbin/brctl    -- gen_context(system_u:object_r:brctl_exec_t,s0)
  +/usr/sbin/brctl\.bridge-utils    --
gen_context(system_u:object_r:brctl_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
index e0ddc5e..58ac463 100644
---
a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -1,4 +1,4 @@
-From ab0267f77e38bcda797cfe00ba6fa49ba89e334a Mon Sep 17 00:00:00 2001
+From c43f2d7ddf1d0c2185796e0297dd9f85b9663aaf Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 10:21:51 +0800
  Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
@@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0ecabe34e..e27e701ef 100644
+index e6077fd5b..0df59e837 100644
  --- a/policy/modules/kernel/corecommands.fc
  +++ b/policy/modules/kernel/corecommands.fc
-@@ -304,6 +304,8 @@ ifdef(`distro_debian',`
+@@ -306,6 +306,8 @@ ifdef(`distro_debian',`
   /usr/sbin/insmod_ksymoops_clean    --
gen_context(system_u:object_r:bin_t,s0)
   /usr/sbin/mkfs\.cramfs        --
gen_context(system_u:object_r:bin_t,s0)
   /usr/sbin/nologin        --
gen_context(system_u:object_r:shell_exec_t,s0)
@@ -24,5 +24,5 @@ index 0ecabe34e..e27e701ef 100644
   /usr/sbin/sesh            --
gen_context(system_u:object_r:shell_exec_t,s0)
   /usr/sbin/smrsh            --
gen_context(system_u:object_r:shell_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
index 2fe3740..3c43254 100644
---
a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -1,4 +1,4 @@
-From cfb86acce9fe9da9b88c853c0b22d48d99602fbb Mon Sep 17 00:00:00 2001
+From 11c95928e325aea7e4c41a9cdf969f9bdd306611 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 10:43:28 +0800
  Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
@@ -21,5 +21,5 @@ index fc8d58507..59e6e9601 100644
  +/usr/sbin/sulogin\.util-linux    --
gen_context(system_u:object_r:sulogin_exec_t,s0)
   /usr/sbin/sushell    --
gen_context(system_u:object_r:sulogin_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
index 4b046ce..cbae4c5 100644
---
a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -1,4 +1,4 @@
-From e159e70b533b500390337ec666d678c7424afb90 Mon Sep 17 00:00:00 2001
+From 5841a5bd25e6017b6ccff4f56628ad6e950eadad Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 10:45:23 +0800
  Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
@@ -23,5 +23,5 @@ index cd69ea5d5..49ffe6f68 100644
   /usr/sbin/sntp                --
gen_context(system_u:object_r:ntpdate_exec_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
index 9d2e6fa..76e7fe9 100644
---
a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -1,4 +1,4 @@
-From 95797c20fb68558b9f37ded3f1cc9a4ef09717f9 Mon Sep 17 00:00:00 2001
+From 8126ec521e5a0f72da098f5d90b5b5b392006b7c Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 10:55:05 +0800
  Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
@@ -46,5 +46,5 @@ index df21fcc78..ce0166edd 100644
   /var/log/kadmin\.log.*    --
gen_context(system_u:object_r:kadmind_log_t,s0)
   /var/log/kadmind\.log.*    --
gen_context(system_u:object_r:kadmind_log_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
index e0b7b9e..a46c9c9 100644
---
a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -1,4 +1,4 @@
-From 6b43af067ec45bce1b7059fc549e246f53311d3a Mon Sep 17 00:00:00 2001
+From c71ea08245069001b56aadd7bb0af28e019f45e4 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 11:06:13 +0800
  Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
@@ -36,5 +36,5 @@ index 0a1d08d0f..65b202962 100644
   /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
   /run/slapd.*    -s gen_context(system_u:object_r:slapd_runtime_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
index 4a1a2dc..0a0464f 100644
---
a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -1,4 +1,4 @@
-From 5f664c3a38853129fa1703032822c203dbeaf0a6 Mon Sep 17 00:00:00 2001
+From 72726c1bc51628e6eb56e758f1e334f9b9a0f17e Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 11:13:16 +0800
  Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
@@ -33,5 +33,5 @@ index f31a52cf8..f9bf46870 100644
   /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
index 9ae9435..e95cb3c 100644
---
a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -1,4 +1,4 @@
-From 2d1634127f8f5c9ec98f866711b8d15b7df815d1 Mon Sep 17 00:00:00 2001
+From 003a22f73563ef7b8b4ab6a6a0cb4a920a43570f Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 11:15:33 +0800
  Subject: [PATCH] fc/screen: apply policy to screen alternatives
@@ -21,5 +21,5 @@ index e51e01d97..238dc263e 100644
  +/usr/bin/screen-.*        --
gen_context(system_u:object_r:screen_exec_t,s0)
   /usr/bin/tmux        --
gen_context(system_u:object_r:screen_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
index 2dbdcf4..a92b809 100644
---
a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -1,4 +1,4 @@
-From 2323a6ab69c4a74ab127c16e38f14616a289b3d1 Mon Sep 17 00:00:00 2001
+From fdf7c2d27b6ecf08c88bb98e52a7d8284ac828af Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 11:25:34 +0800
  Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
@@ -7,26 +7,28 @@ Upstream-Status: Inappropriate [embedded specific]
    Signed-off-by: Yi Zhao <yi.zhao@...>
  ---
- policy/modules/admin/usermanage.fc | 6 ++++++
- 1 file changed, 6 insertions(+)
+ policy/modules/admin/usermanage.fc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
    diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 620eefc6f..bf1ff09ab 100644
+index 7209a8dd0..c9dc1f000 100644
  --- a/policy/modules/admin/usermanage.fc
  +++ b/policy/modules/admin/usermanage.fc
-@@ -4,7 +4,11 @@ ifdef(`distro_debian',`
+@@ -4,8 +4,13 @@ ifdef(`distro_debian',`
      /usr/bin/chage        --
gen_context(system_u:object_r:passwd_exec_t,s0)
   /usr/bin/chfn        --
gen_context(system_u:object_r:chfn_exec_t,s0)
  +/usr/bin/chfn\.shadow        --
gen_context(system_u:object_r:chfn_exec_t,s0)
  +/usr/bin/chfn\.util-linux        --
gen_context(system_u:object_r:chfn_exec_t,s0)
+ /usr/bin/chpasswd    --
gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/chpasswd\.shadow    --
gen_context(system_u:object_r:passwd_exec_t,s0)
   /usr/bin/chsh        --
gen_context(system_u:object_r:chfn_exec_t,s0)
  +/usr/bin/chsh\.shadow        --
gen_context(system_u:object_r:chfn_exec_t,s0)
  +/usr/bin/chsh\.util-linux        --
gen_context(system_u:object_r:chfn_exec_t,s0)
   /usr/bin/crack_[a-z]*    --
gen_context(system_u:object_r:crack_exec_t,s0)
   /usr/bin/cracklib-[a-z]* --
gen_context(system_u:object_r:crack_exec_t,s0)
   /usr/bin/gpasswd    --
gen_context(system_u:object_r:groupadd_exec_t,s0)
-@@ -14,6 +18,7 @@ ifdef(`distro_debian',`
+@@ -15,6 +20,7 @@ ifdef(`distro_debian',`
   /usr/bin/grpconv    --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
   /usr/bin/grpunconv    --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
   /usr/bin/passwd        --
gen_context(system_u:object_r:passwd_exec_t,s0)
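Review bot: The added `++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)` entry is the important part of this hunk: `chpasswd` writes `/etc/shadow`, and it only gets that ability through the `passwd_exec_t` entrypoint into `passwd_t`. Since the Yocto alternatives symlink `/usr/bin/chpasswd` resolves to `chpasswd.shadow`, the file that actually executes would otherwise be plain `bin_t`, leaving the caller either denied on `shadow_t` or (for an unconfined caller) running the password tool without the confined domain. The choice of `passwd_exec_t` matches the existing `/usr/bin/chpasswd` context line directly above it, and the `chfn`/`chsh` `.shadow` and `.util-linux` variants keep `chfn_exec_t` as before, so the labels are consistent. The inner header `@@ -4,8 +4,13 @@` (five insertions) and the diffstat change from 6 to 8 insertions line up with the visible additions here plus the `sbin` entry in the next hunk; please also update the commit text of the patch, which does not yet mention `chpasswd`.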
@@ -34,7 +36,15 @@ index 620eefc6f..bf1ff09ab 100644
   /usr/bin/pwconv        --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
   /usr/bin/pwunconv    --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
   /usr/bin/useradd    --
gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -39,6 +44,7 @@ ifdef(`distro_debian',`
+@@ -26,6 +32,7 @@ ifdef(`distro_debian',`
+ /usr/lib/cracklib_dict.* --
gen_context(system_u:object_r:crack_db_t,s0)
+
+ /usr/sbin/chpasswd    --
gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/sbin/chpasswd\.shadow    --
gen_context(system_u:object_r:passwd_exec_t,s0)
+ /usr/sbin/crack_[a-z]*    --
gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* --
gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/gpasswd    --
gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -41,6 +48,7 @@ ifdef(`distro_debian',`
   /usr/sbin/usermod    --
gen_context(system_u:object_r:useradd_exec_t,s0)
   /usr/sbin/vigr        --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
   /usr/sbin/vipw        --
gen_context(system_u:object_r:admin_passwd_exec_t,s0)
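Review bot: This hunk replaces the old `@@ -39,6 +44,7 @@` inner hunk with two: a new `@@ -26,6 +32,7 @@` hunk adding `/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)` next to the `/usr/sbin/chpasswd` line that the newer refpolicy now carries, and the relocated `@@ -41,6 +48,7 @@` hunk for the `usermod`/`vigr`/`vipw` region. Labeling both the `/usr/bin` and `/usr/sbin` `chpasswd\.shadow` paths is the right call: only one of them exists on a given image depending on usrmerge, and a file_contexts entry that matches no file is inert, while a missing one leaves the real binary unlabeled. One consistency check worth doing before merge: the outer header `@@ -34,7 +36,15 @@` shows eight new lines, which is exactly the size of the added inner hunk (header plus six context lines plus one `+` line), so the patch should apply cleanly; a `restorecon -nv /usr/sbin/chpasswd.shadow /usr/bin/chpasswd.shadow` on a built image would confirm that the resolved target of the alternatives symlink actually gets `passwd_exec_t`.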
@@ -43,5 +53,5 @@ index 620eefc6f..bf1ff09ab 100644
   /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
index c0d9cf4..f6fa8a0 100644
---
a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch
@@ -1,4 +1,4 @@
-From dbd399143d6fbda828cfc9f2546bc730e0da584c Mon Sep 17 00:00:00 2001
+From 863ece4fd9815997486c04ce89180707435669e4 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Fri, 15 Nov 2019 16:07:30 +0800
  Subject: [PATCH] fc/getty: add file context to start_getty
@@ -23,5 +23,5 @@ index 116ea6421..53ff6137b 100644
   /usr/sbin/.*getty    --
gen_context(system_u:object_r:getty_exec_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
index 71521e8..7f63b14 100644
---
a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch
@@ -1,4 +1,4 @@
-From 0280f05e2c9665f094d7098cd03e11d75908bcdb Mon Sep 17 00:00:00 2001
+From 5bb33b7d9d7915399cca7d8c6fbdd9c0e27c1cd8 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Wed, 18 Dec 2019 15:04:41 +0800
  Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
@@ -21,5 +21,5 @@ index f668cde9c..c4bc50984 100644
      /usr/sbin/vlock-main    --
gen_context(system_u:object_r:vlock_exec_t,s0)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
index ca9b644..cfb2fd5 100644
---
a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
+++ b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -1,4 +1,4 @@
-From 7f8b07b7af0c3cd8bbec49082b42011ac433df45 Mon Sep 17 00:00:00 2001
+From 574df1810c8f32bbf24b223f72f6622b0df7e82c Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Tue, 30 Jun 2020 10:45:57 +0800
  Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
@@ -34,7 +34,7 @@ index 382c067f9..0ecc5acc4 100644
   /usr/bin/rngd    -- gen_context(system_u:object_r:rngd_exec_t,s0)
     diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 88d2acaf0..d9c0a4aa7 100644
+index 75c2f0617..fa881ba2e 100644
  --- a/policy/modules/services/rpc.fc
  +++ b/policy/modules/services/rpc.fc
  @@ -1,7 +1,9 @@
@@ -46,7 +46,7 @@ index 88d2acaf0..d9c0a4aa7 100644
  +/etc/rc\.d/init\.d/nfscommon    --
gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
   /etc/rc\.d/init\.d/rpcidmapd    --
gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
   - /usr/bin/rpc\..*    --
gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/bin/nfsdcld    -- gen_context(system_u:object_r:rpcd_exec_t,s0)
  diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
  index 5681acb51..4ff5f990a 100644
  --- a/policy/modules/system/logging.fc
@@ -60,5 +60,5 @@ index 5681acb51..4ff5f990a 100644
   /usr/lib/systemd/systemd-kmsg-syslogd    --
gen_context(system_u:object_r:syslogd_exec_t,s0)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
index dc10350..82b4708 100644
---
a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
+++ b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch
@@ -1,4 +1,4 @@
-From 0bb081084a2d12f9041bfae195481d898b5a0ba1 Mon Sep 17 00:00:00 2001
+From 01f57c996e09fb68daf3d97805c46c27a6d34304 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Sun, 5 Apr 2020 22:03:45 +0800
  Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
@@ -26,5 +26,5 @@ index 690007f22..f80499ebf 100644
  +# Add an aliase for it
  +/root /home/root
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
index f8a4cec..06b792a 100644
---
a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -1,4 +1,4 @@
-From 9c676fe5ff2a14206f25bf8ed932c305f13dcfdc Mon Sep 17 00:00:00 2001
+From 2e9b42143ccb92f04d8d57430b3ae1e9f55eb00e Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
@@ -30,7 +30,7 @@ index 4ff5f990a..dee26a9f4 100644
   /var/log/dmesg        -- gen_context(system_u:object_r:var_log_t,s0)
   /var/log/syslog        --
gen_context(system_u:object_r:var_log_t,s0)
  diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 341763730..30d402c75 100644
+index cf7ef1721..b627cacb8 100644
  --- a/policy/modules/system/logging.if
  +++ b/policy/modules/system/logging.if
  @@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',`
@@ -100,5 +100,5 @@ index 341763730..30d402c75 100644
      ########################################
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
index a06b3f4..ecfc018 100644
---
a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -1,4 +1,4 @@
-From c9759b1024873819cf594fe7ac3bf06bcf0d959d Mon Sep 17 00:00:00 2001
+From 26dc5529db7664ae248eba4dbc5d17915c371137 Mon Sep 17 00:00:00 2001
  From: Joe MacDonald <joe_macdonald@...>
  Date: Fri, 29 Mar 2019 10:33:18 -0400
  Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 21e3285a9..abee7df9c 100644
+index abd61e6bd..90d8ccd31 100644
  --- a/policy/modules/system/logging.te
  +++ b/policy/modules/system/logging.te
-@@ -411,6 +411,7 @@ files_search_spool(syslogd_t)
+@@ -420,6 +420,7 @@ files_search_spool(syslogd_t)
      # Allow access for syslog-ng
   allow syslogd_t var_log_t:dir { create setattr };
@@ -30,5 +30,5 @@ index 21e3285a9..abee7df9c 100644
   # for systemd but can not be conditional
   files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
index ffa78ac..48e8acf 100644
---
a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -1,4 +1,4 @@
-From fd55f9f292617c7475c62c07ed6c478b4bd9eda5 Mon Sep 17 00:00:00 2001
+From 9052089dfc4f7466fcf304ab282c2e32933a5881 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   2 files changed, 9 insertions(+)
    diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 826722f4e..677ae96c3 100644
+index f6ff6b079..279df3d3c 100644
  --- a/policy/modules/kernel/files.fc
  +++ b/policy/modules/kernel/files.fc
-@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -170,6 +170,7 @@ HOME_ROOT/lost\+found/.* <<none>>
   # /tmp
   #
   /tmp            -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -30,10 +30,10 @@ index 826722f4e..677ae96c3 100644
   /tmp/\.journal            <<none>>
     diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 495cbe2f4..b308eefd9 100644
+index f7217b226..451f302af 100644
  --- a/policy/modules/kernel/files.if
  +++ b/policy/modules/kernel/files.if
-@@ -4555,6 +4555,7 @@ interface(`files_search_tmp',`
+@@ -4750,6 +4750,7 @@ interface(`files_search_tmp',`
       ')
          allow $1 tmp_t:dir search_dir_perms;
@@ -41,7 +41,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4591,6 +4592,7 @@ interface(`files_list_tmp',`
+@@ -4786,6 +4787,7 @@ interface(`files_list_tmp',`
       ')
          allow $1 tmp_t:dir list_dir_perms;
@@ -49,7 +49,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4627,6 +4629,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4822,6 +4824,7 @@ interface(`files_delete_tmp_dir_entry',`
       ')
          allow $1 tmp_t:dir del_entry_dir_perms;
@@ -57,7 +57,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4645,6 +4648,7 @@ interface(`files_read_generic_tmp_files',`
+@@ -4840,6 +4843,7 @@ interface(`files_read_generic_tmp_files',`
       ')
          read_files_pattern($1, tmp_t, tmp_t)
@@ -65,7 +65,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4663,6 +4667,7 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4858,6 +4862,7 @@ interface(`files_manage_generic_tmp_dirs',`
       ')
          manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -73,7 +73,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4699,6 +4704,7 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4894,6 +4899,7 @@ interface(`files_manage_generic_tmp_files',`
       ')
          manage_files_pattern($1, tmp_t, tmp_t)
@@ -81,7 +81,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4735,6 +4741,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4930,6 +4936,7 @@ interface(`files_rw_generic_tmp_sockets',`
       ')
          rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -89,7 +89,7 @@ index 495cbe2f4..b308eefd9 100644
   ')
      ########################################
-@@ -4942,6 +4949,7 @@ interface(`files_tmp_filetrans',`
+@@ -5137,6 +5144,7 @@ interface(`files_tmp_filetrans',`
       ')
          filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -98,5 +98,5 @@ index 495cbe2f4..b308eefd9 100644
      ########################################
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
index 3f10d06..22ce8f2 100644
---
a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@
-From a196ae5e13b3f8e0d2e7ff27c8d481c9376b18e9 Mon Sep 17 00:00:00 2001
+From eed095029b270bbc49dc67d6b7b6b2fe9c3bca07 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index abee7df9c..cc530a2be 100644
+index 90d8ccd31..d3b06db7d 100644
  --- a/policy/modules/system/logging.te
  +++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map;
   manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
   allow auditd_t auditd_log_t:dir setattr;
   manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +28,7 @@ index abee7df9c..cc530a2be 100644
   allow auditd_t var_log_t:dir search_dir_perms;
      manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -290,6 +291,7 @@ optional_policy(`
+@@ -298,6 +299,7 @@ optional_policy(`
   allow audisp_remote_t self:capability { setpcap setuid };
   allow audisp_remote_t self:process { getcap setcap };
   allow audisp_remote_t self:tcp_socket create_socket_perms;
@@ -37,5 +37,5 @@ index abee7df9c..cc530a2be 100644
      manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
index 3421a43..f62db74 100644
---
a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -1,4 +1,4 @@
-From bfcb86c9c9ad6a9f10a8556320443d8c96adedc9 Mon Sep 17 00:00:00 2001
+From 3f24b88886fcd1a17248d8d674a02d01061d937a Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
@@ -17,7 +17,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 3 insertions(+)
    diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 55c18dffb..e8c0735eb 100644
+index e5645c7c5..6e9f654ac 100644
  --- a/policy/modules/kernel/terminal.if
  +++ b/policy/modules/kernel/terminal.if
  @@ -335,9 +335,12 @@ interface(`term_use_console',`
@@ -34,5 +34,5 @@ index 55c18dffb..e8c0735eb 100644
      ########################################
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
similarity index 52%
rename from recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
rename to recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
index f9aa158..0b00f5a 100644
---
a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -1,4 +1,4 @@
-From d1352b688603b16eb6da7a30198d8b7abfc55d1e Mon Sep 17 00:00:00 2001
+From 9c84425bbcaef5913fb6e309b8811639134714ed Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Wed, 1 Jul 2020 08:44:07 +0800
  Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
@@ -13,14 +13,14 @@ Upstream-Status: Inappropriate [embedded specific]
    Signed-off-by: Yi Zhao <yi.zhao@...>
  ---
- policy/modules/services/rpcbind.te | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
+ policy/modules/services/rpcbind.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
    diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 168c28ca3..e1eb7d5fc 100644
+index 137c21ece..2a712192b 100644
  --- a/policy/modules/services/rpcbind.te
  +++ b/policy/modules/services/rpcbind.te
-@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
+@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
   # Local policy
   #
   @@ -29,17 +29,6 @@ index 168c28ca3..e1eb7d5fc 100644
   # net_admin is for SO_SNDBUFFORCE
   dontaudit rpcbind_t self:capability net_admin;
   allow rpcbind_t self:fifo_file rw_fifo_file_perms;
- allow rpcbind_t self:unix_stream_socket { accept listen };
- allow rpcbind_t self:tcp_socket { accept listen };
-
-+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
- manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
--files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })
-+files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir })
-
- manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
- manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
  --
-2.17.1
+2.25.1
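Review bot: the reworked rpcbind patch keeps `dir` in `files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir })` but drops the `+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)` addition (the diffstat goes from 3 insertions/2 deletions to 1/1). A type transition on directory creation only does something if rpcbind_t is also allowed to create directories of type rpcbind_runtime_t, so please confirm that the refpolicy version being upgraded to already carries that manage_dirs_pattern line in rpcbind.te (presumably why the hunk shrank) and say so in the commit message, since the patch subject still reads as "allow rpcbind_t to create" while the retained change is only the filetrans class set.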
  diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
deleted file mode 100644
index e7ce388..0000000
---
a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 24 Aug 2020 11:29:09 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
- confidentiality of class lockdown
-
-The SELinux lockdown implementation was introduced since kernel 5.6 by
-commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
-and udev_t to access confidentiality of class lockdown to mount tracefs.
-
-Fixes:
-kernel: Could not create tracefs 'iwlwifi_data/filter' entry
-kernel: Could not create tracefs 'enable' entry
-kernel: Could not create tracefs 'id' entry
-kernel: Could not create tracefs 'filter' entry
-kernel: Could not create tracefs 'trigger' entry
-kernel: Could not create tracefs 'format' entry
-
-audit[170]: AVC avc:  denied  { confidentiality } for pid=170
-comm="modprobe" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:kmod_t:s15:c0.c1023
-tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
-permissive=0
-
-audit[190]: AVC avc:  denied  { confidentiality } for pid=190
-comm="systemd-udevd" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/modutils.te | 2 ++
- policy/modules/system/udev.te     | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b0a419dc1..5b4f0aca1 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
- allow kmod_t self:udp_socket create_socket_perms;
- allow kmod_t self:rawip_socket create_socket_perms;
-
-+allow kmod_t self:lockdown confidentiality;
-+
- # Read module config and dependency information
- list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
- read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index c50ff68c1..4c5a690fb 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
- # for systemd-udevd to rename interfaces
- allow udev_t self:netlink_route_socket nlmsg_write;
-
-+allow udev_t self:lockdown confidentiality;
-+
- can_exec(udev_t, udev_exec_t)
-
- allow udev_t udev_helper_exec_t:dir list_dir_perms;
---
-2.17.1
-
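Review bot: deleting 0034 removes `allow kmod_t self:lockdown confidentiality;` and `allow udev_t self:lockdown confidentiality;` without saying why; the dropped commit message states both are needed on kernels from 5.6 on to avoid the `{ confidentiality }` lockdown denials raised when modprobe and systemd-udevd use tracefs. If the new refpolicy grants these upstream, a one-line note in the layer commit message (or the upstream commit id) would let reviewers verify it; if it does not, the two AVCs quoted in the deleted patch will return on such kernels.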
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
deleted file mode 100644
index 0dfe0ee..0000000
---
a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 175b493e7fe69de274388a7f251e74ec9cd56c41 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 23 Jun 2020 08:39:44 +0800
-Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
-
-Fixes:
-avc:  denied  { search } for  pid=211 comm="agetty" name="/" dev="tmpfs"
-ino=1 scontext=system_u:system_r:getty_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/getty.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index e6e76a93b..c704ddb82 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t)
- files_read_etc_files(getty_t)
- files_search_spool(getty_t)
- files_dontaudit_search_var_lib(getty_t)
-+fs_search_tmpfs(getty_t)
-
- fs_search_auto_mountpoints(getty_t)
- # for error condition handling
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
similarity index 91%
rename from recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch
rename to recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
index cc29c7b..43b2f4d 100644
---
a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -1,4 +1,4 @@
-From 93d4f198bd469a8728f5ce0cc51ff18f8a58b23b Mon Sep 17 00:00:00 2001
+From 6465e39b6dfe8daa88cab321e3cf44ccc9f1441d Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Thu, 4 Feb 2016 06:03:19 -0500
  Subject: [PATCH] policy/modules/system/systemd: enable support for
@@ -36,10 +36,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 5 insertions(+), 1 deletion(-)
    diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 3d9198342..31d28a0e3 100644
+index ef25974ac..362248d17 100644
  --- a/policy/modules/system/systemd.te
  +++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.12.6)
+@@ -10,7 +10,7 @@ policy_module(systemd)
   ## Enable support for systemd-tmpfiles to manage all non-security files.
   ## </p>
   ## </desc>
@@ -48,7 +48,7 @@ index 3d9198342..31d28a0e3 100644
      ## <desc>
   ## <p>
-@@ -1396,6 +1396,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
+@@ -1640,6 +1640,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
   files_relabelto_home(systemd_tmpfiles_t)
   files_relabelto_etc_dirs(systemd_tmpfiles_t)
   files_setattr_lock_dirs(systemd_tmpfiles_t)
@@ -60,5 +60,5 @@ index 3d9198342..31d28a0e3 100644
   files_manage_etc_symlinks(systemd_tmpfiles_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
rename to recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
index 49aa7a6..56b6119 100644
---
a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -1,4 +1,4 @@
-From 4e2df7ca542b6c94e74345daaecb33efc82d749a Mon Sep 17 00:00:00 2001
+From 2acb5ddbd04c578a420418e3bcb572bbd2dfbae6 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Sat, 18 Dec 2021 09:26:43 +0800
  Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 847895e63..1a83148c1 100644
+index 362248d17..4a1e06640 100644
  --- a/policy/modules/system/systemd.te
  +++ b/policy/modules/system/systemd.te
-@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+@@ -920,6 +920,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
   userdom_relabelto_user_runtime_dirs(systemd_logind_t)
   userdom_setattr_user_ttys(systemd_logind_t)
   userdom_use_user_ttys(systemd_logind_t)
@@ -39,5 +39,5 @@ index 847895e63..1a83148c1 100644
   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
deleted file mode 100644
index 9465a3e..0000000
---
a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 07866ad826b299194c1bfd7978e5077dde72a68e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 11 Oct 2021 10:10:10 +0800
-Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel
- user home files
-
-Fixes:
-avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc"
-dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t
-tcontext=user_u:object_r:user_home_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/admin/usermanage.te  |  2 ++
- policy/modules/system/userdomain.if | 18 ++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 98646b4b4..50c479498 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t)
-
- fs_search_auto_mountpoints(useradd_t)
- fs_getattr_xattr_fs(useradd_t)
-+fs_search_tmpfs(useradd_t)
-
- mls_file_upgrade(useradd_t)
-
-@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t)
- userdom_manage_user_home_content_dirs(useradd_t)
- userdom_manage_user_home_content_files(useradd_t)
- userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
-+userdom_relabel_user_home_content_files(useradd_t)
-
- optional_policy(`
-     mta_manage_spool(useradd_t)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 22b3c1bf7..ec625170d 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
-     dontaudit $1 user_home_t:file relabel_file_perms;
- ')
-
-+########################################
-+## <summary>
-+##    Relabel user home files.
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`userdom_relabel_user_home_content_files',`
-+    gen_require(`
-+        type user_home_t;
-+    ')
-+
-+    allow $1 user_home_t:file relabel_file_perms;
-+')
-+
- ########################################
- ## <summary>
- ##    Read user home subdirectory symbolic links.
---
-2.17.1
-
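Review bot: the dropped useradd patch defined a public interface, `userdom_relabel_user_home_content_files`, in userdomain.if in addition to the two useradd_t rules. Removing the patch removes that interface as well, so any other patch in this series or policy in the layer that calls it will now fail to build; please confirm nothing else references it (or that the upstream refpolicy now provides an interface of that name) and mention in the commit message how the `{ relabelfrom }` denial on user_home_t for useradd is covered after the upgrade.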
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
new file mode 100644
index 0000000..78c4dc8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch
@@ -0,0 +1,36 @@
+From 51a7f8058fee569322c1a0597fccd36c318ad943 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Fri, 28 Oct 2022 11:56:09 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file
+ descriptors
+
+Root can not login via console without this.
+
+Fixes:
+avc: denied { use } for pid=323 comm="sh" path="/dev/tty1"
+dev="devtmpfs" ino=21 scontext=root:sysadm_r:sysadm_t
+tcontext=system_u:system_r:init_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index bb715a847..088c954f5 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -86,6 +86,8 @@ ifdef(`init_systemd',`
+     # LookupDynamicUserByUID on org.freedesktop.systemd1.
+     init_dbus_chat(sysadm_t)
+
++    init_use_fds(sysadm_t)
++
+     # Allow sysadm to get the status of and set properties of other users,
+     # sessions, and seats on the system.
+     systemd_dbus_chat_logind(sysadm_t)
+--
+2.25.1
+
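Review bot: `init_use_fds(sysadm_t)` is added inside the `ifdef(`init_systemd',`` block, but the denial it fixes (sysadm_t `{ use }` on an init_t fd for /dev/tty1, inherited by the login shell) is not systemd-specific; if the layer also supports sysvinit configurations with the same console login path, the call may belong outside the ifdef. Also, this patch is marked Upstream-Status: Pending while the rest of the series is Inappropriate [embedded specific]; if it is meant to go upstream, a link to the submission would help track when it can be dropped.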
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
new file mode 100644
index 0000000..85bb82b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,84 @@
+From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@...>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[277]: Failed to connect to bus: No medium found
+
+avc: denied { mknod } for  pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@...>
+---
+ policy/modules/roles/sysadm.te   |  2 ++
+ policy/modules/system/systemd.if | 21 ++++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 088c954f5..92f50fd5a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
+
+     # Allow sysadm to follow logs in the journal, i.e. with podman logs -f
+     systemd_watch_journal_dirs(sysadm_t)
++
++    systemd_sysadm_user(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 9dc91fbb7..325ca548b 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -58,7 +58,7 @@ template(`systemd_role_template',`
+     allow $1_systemd_t self:process { getsched signal };
+     allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+     allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+-    allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++    allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+     corecmd_shell_domtrans($1_systemd_t, $3)
+     corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
+     allow $1 systemd_machined_t:fd use;
+     allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+ ')
++
++#########################################
++## <summary>
++##    sysadm user for systemd --user
++## </summary>
++## <param name="role">
++##    <summary>
++##  Role allowed access.
++##    </summary>
++## </param>
++#
++interface(`systemd_sysadm_user',`
++    gen_require(`
++        type sysadm_systemd_t;
++    ')
++
++    allow sysadm_systemd_t self:capability { mknod sys_admin };
++    allow sysadm_systemd_t self:capability2 { bpf perfmon };
++')
+--
+2.25.1
+
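Review bot: in the new `systemd_sysadm_user` interface in systemd.if, the documented `<param name="role">` is never used: the body hardcodes `sysadm_systemd_t`, and the call site in sysadm.te passes `sysadm_t`, an argument the interface silently ignores. Either parameterise it (`allow $1 self:capability { mknod sys_admin };` called with `sysadm_systemd_t`, or derive the domain from a role prefix as `systemd_role_template` does) or drop the param block and document that it applies only to sysadm_systemd_t. Two further points: the `noatsecure` added to `allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };` sits inside `systemd_role_template`, so it affects every role instantiated through the template, yet the commit message lists only sysadm denials and none for noatsecure, so please justify it; and `sys_admin` together with `bpf perfmon` is a broad set of capabilities to hand a user-session systemd instance, which is worth stating explicitly next to the Inappropriate [embedded specific] status.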
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
rename to recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
index 4cae8c6..c3b4b55 100644
---
a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -1,4 +1,4 @@
-From 705008ba8ef960cf2e4813b4b8c5a87b919d545f Mon Sep 17 00:00:00 2001
+From ccdd22cc2776b695f96faffc88699aa2b182e085 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Sat, 15 Feb 2014 04:22:47 -0500
  Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index e39ab41a8..3481f9294 100644
+index d028723ce..97f49e58e 100644
  --- a/policy/modules/system/mount.te
  +++ b/policy/modules/system/mount.te
-@@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+@@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t)
      mls_file_read_all_levels(mount_t)
   mls_file_write_all_levels(mount_t)
@@ -31,5 +31,5 @@ index e39ab41a8..3481f9294 100644
   selinux_get_enforce_mode(mount_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
deleted file mode 100644
index ea8af31..0000000
---
a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Mon, 25 Jan 2021 14:14:59 +0800
-Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
- failures
-
-* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
-  files
-* Allow systemd_resolved_t to send and recevie messages from dhcpc over
-  dbus
-
-Fixes:
-avc:  denied  { create } for  pid=329 comm="systemd-resolve"
-name=".#stub-resolv.conf53cb7f9d1e3aa72b"
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
-permissive=0
-
-avc:  denied  { send_msg } for msgtype=method_call
-interface=org.freedesktop.resolve1.Manager member=RevertLink
-dest=org.freedesktop.resolve1 spid=340 tpid=345
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-avc:  denied  { send_msg } for msgtype=method_return dest=:1.6 spid=345
-tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 31d28a0e3..448905ff7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
-
- manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
-+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
- init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
-
-@@ -1236,6 +1237,7 @@ optional_policy(`
-     dbus_system_bus_client(systemd_resolved_t)
-     dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
- dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
-+    sysnet_dbus_chat_dhcpc(systemd_resolved_t)
- ')
-
- #########################################
---
-2.17.1
-
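Review bot: dropping the systemd-resolved patch removes `manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)` and `sysnet_dbus_chat_dhcpc(systemd_resolved_t)`; the second covers both directions of the dhcpc_t/systemd_resolved_t D-Bus exchange (the RevertLink method_call and its method_return) quoted in the dropped commit message. Please state in the layer commit message that the new refpolicy contains equivalent rules, because those AVCs are only triggered when a DHCP client actually talks to resolved and will not show up in a plain boot test.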
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
rename to recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
index 86317b3..d711612 100644
---
a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -1,4 +1,4 @@
-From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001
+From 64498d6cd30a0a65a24e3e7ab22cca5921c2db89 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Mon, 28 Jan 2019 14:05:18 +0800
  Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
@@ -7,7 +7,7 @@ The two new rules make sysadm_t domain MLS trusted for:
   - reading from files at all levels.
   - writing to processes up to its clearance(s0-s15).
  -With default MLS policy, root user would login in as sysadm_t:s0 by
+With default MLS policy, root user would login as sysadm_t:s0 by
  default. Most processes will run in sysadm_t:s0 because no
  domtrans/rangetrans rules, as a result, even root could not access
  high level files/processes.
@@ -23,10 +23,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e1933a5bd..0682ed31a 100644
+index 92f50fd5a..8c154d474 100644
  --- a/policy/modules/roles/sysadm.te
  +++ b/policy/modules/roles/sysadm.te
-@@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t)
+@@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t)
   logging_watch_audit_log(sysadm_t)
      mls_process_read_all_levels(sysadm_t)
@@ -36,5 +36,5 @@ index e1933a5bd..0682ed31a 100644
   selinux_read_policy(sysadm_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
deleted file mode 100644
index 91588f1..0000000
---
a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 28 Sep 2021 10:03:04 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
- attributes of tmpfs and cgroups
-
-Fixes:
-avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
-tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 448905ff7..847895e63 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
-
- files_search_var_lib(systemd_backlight_t)
-
-+fs_getattr_tmpfs(systemd_backlight_t)
-+fs_search_cgroup_dirs(systemd_backlight_t)
-+fs_getattr_cgroup(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
-@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
- fs_list_efivars(systemd_generator_t)
- fs_getattr_cgroup(systemd_generator_t)
- fs_getattr_xattr_fs(systemd_generator_t)
-+fs_getattr_tmpfs(systemd_generator_t)
-
- init_create_runtime_files(systemd_generator_t)
- init_manage_runtime_dirs(systemd_generator_t)
-@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
- # Allow reading /run/udev/data/+dmi:id
- udev_read_runtime_files(systemd_hostnamed_t)
-
-+fs_getattr_tmpfs(systemd_hostnamed_t)
-+fs_search_cgroup_dirs(systemd_hostnamed_t)
-+fs_getattr_cgroup(systemd_hostnamed_t)
-+
- optional_policy(`
-     dbus_connect_system_bus(systemd_hostnamed_t)
-     dbus_system_bus_client(systemd_hostnamed_t)
-@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
- files_mmap_read_kernel_modules(systemd_modules_load_t)
- files_read_etc_files(systemd_modules_load_t)
-
-+fs_getattr_tmpfs(systemd_modules_load_t)
-+fs_search_cgroup_dirs(systemd_modules_load_t)
-+fs_getattr_cgroup(systemd_modules_load_t)
-+
- modutils_read_module_config(systemd_modules_load_t)
- modutils_read_module_deps(systemd_modules_load_t)
-
-@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
- files_watch_root_dirs(systemd_networkd_t)
- files_list_runtime(systemd_networkd_t)
- fs_getattr_xattr_fs(systemd_networkd_t)
-+fs_getattr_tmpfs(systemd_networkd_t)
- fs_getattr_cgroup(systemd_networkd_t)
- fs_search_cgroup_dirs(systemd_networkd_t)
- fs_read_nsfs_files(systemd_networkd_t)
-@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
-
- systemd_log_parse_environment(systemd_rfkill_t)
-
-+fs_getattr_tmpfs(systemd_rfkill_t)
-+fs_search_cgroup_dirs(systemd_rfkill_t)
-+fs_getattr_cgroup(systemd_rfkill_t)
-+
- #########################################
- #
- # Resolved local policy
-@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
- files_watch_root_dirs(systemd_resolved_t)
- files_watch_runtime_dirs(systemd_resolved_t)
- files_list_runtime(systemd_resolved_t)
-+fs_getattr_tmpfs(systemd_resolved_t)
-+fs_search_cgroup_dirs(systemd_resolved_t)
-+fs_getattr_cgroup(systemd_resolved_t)
-
- init_dgram_send(systemd_resolved_t)
-
-@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
-
- systemd_log_parse_environment(systemd_sessions_t)
-
-+fs_getattr_tmpfs(systemd_sessions_t)
-+fs_search_cgroup_dirs(systemd_sessions_t)
-+fs_getattr_cgroup(systemd_sessions_t)
-+
- ########################################
- #
- # sysctl local policy
-@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
- kernel_dontaudit_getattr_proc(systemd_sysctl_t)
-
- files_read_etc_files(systemd_sysctl_t)
-+fs_getattr_tmpfs(systemd_sysctl_t)
-+fs_search_cgroup_dirs(systemd_sysctl_t)
-+fs_getattr_cgroup(systemd_sysctl_t)
-
- systemd_log_parse_environment(systemd_sysctl_t)
-
-@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
- fs_getattr_xattr_fs(systemd_tmpfiles_t)
- fs_list_tmpfs(systemd_tmpfiles_t)
- fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_search_cgroup_dirs(systemd_tmpfiles_t)
-+fs_getattr_cgroup(systemd_tmpfiles_t)
-
- selinux_get_fs_mount(systemd_tmpfiles_t)
- selinux_use_status_page(systemd_tmpfiles_t)
-@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
- files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
- files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
-
-+fs_getattr_tmpfs(systemd_update_done_t)
-+fs_search_cgroup_dirs(systemd_update_done_t)
-+fs_getattr_cgroup(systemd_update_done_t)
-+
- kernel_read_kernel_sysctls(systemd_update_done_t)
-
- selinux_use_status_page(systemd_update_done_t)
-@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
- fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
- fs_read_cgroup_files(systemd_user_runtime_dir_t)
- fs_getattr_cgroup(systemd_user_runtime_dir_t)
-+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
-
- kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
- kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
---
-2.17.1
-
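Review bot: deleting this patch drops `fs_getattr_tmpfs`, `fs_search_cgroup_dirs` and `fs_getattr_cgroup` from at least the twelve systemd_*_t domains visible here (backlight, generator, hostnamed, modules_load, networkd, rfkill, resolved, sessions, sysctl, tmpfiles, update_done, user_runtime_dir), and the only evidence on this page that upstream now covers them is the new systemd_backlight_t context in the 0046 patch further down (`fs_getattr_all_fs(systemd_backlight_t)` and `fs_search_cgroup_dirs(systemd_backlight_t)`). For the other eleven domains nothing shows a replacement. Please cite in the commit message the upstream refpolicy commit(s) that made this patch redundant, or record a boot test on the new refpolicy showing no `getattr`/`search` denials on tmpfs_t or cgroup_t for these domains; otherwise the removal is a regression waiting for an enforcing-mode boot.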
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
rename to recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
index f659e7e..d22dacf 100644
---
a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch
@@ -1,4 +1,4 @@
-From 18ad027229a06fdcb833482dff0c2ae637d08e78 Mon Sep 17 00:00:00 2001
+From e82c43e60ef52ba00e8f2af5b46b2a6d49331209 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Fri, 23 Aug 2013 12:01:53 +0800
  Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
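Review bot: the `From <sha>` line churns in every renamed patch of this series because the patches were regenerated with `git format-patch` from a rebased tree, and the same goes for the `2.17.1` to `2.25.1` signature trailer at the bottom of each one. Neither value is used by the recipe, and rewriting them buries the one real policy change in the series (the systemd_logind_t hunk in the 0046 patch) among dozens of cosmetic lines. Consider regenerating with `git format-patch --zero-commit --no-signature` so that on the next refpolicy bump only the `index` lines and hunk offsets move.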
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   2 files changed, 7 insertions(+)
    diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index ca951cb44..a32c59eb1 100644
+index 5124ae016..a40db8507 100644
  --- a/policy/modules/kernel/kernel.te
  +++ b/policy/modules/kernel/kernel.te
-@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
+@@ -368,6 +368,8 @@ mls_process_read_all_levels(kernel_t)
   mls_process_write_all_levels(kernel_t)
   mls_file_write_all_levels(kernel_t)
   mls_file_read_all_levels(kernel_t)
@@ -28,7 +28,7 @@ index ca951cb44..a32c59eb1 100644
   ifdef(`distro_redhat',`
       # Bugzilla 222337
  diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index e1eb7d5fc..da0994749 100644
+index 2a712192b..923e48db7 100644
  --- a/policy/modules/services/rpcbind.te
  +++ b/policy/modules/services/rpcbind.te
  @@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t)
@@ -36,7 +36,7 @@ index e1eb7d5fc..da0994749 100644
   miscfiles_read_localization(rpcbind_t)
     +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
++# because they are running in different level. So add rules to allow this.
  +mls_socket_read_all_levels(rpcbind_t)
  +mls_socket_write_all_levels(rpcbind_t)
  +
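Review bot: the comment fix only changes `the` to `they`; the line still reads "running in different level". While touching it, suggest `+# because they run at different MLS levels. So add rules to allow this.` The larger point is the pair of rules under the comment, `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)`: they make rpcbind_t a trusted socket reader and writer for every level on the system, which is wider than the stated goal of letting nfsd_t reach it over a unix_stream_socket. If refpolicy's `mls_socket_read_to_clearance` / `mls_socket_write_to_clearance` (the socket counterparts of the `*_to_clearance` file interfaces this series uses for the systemd domains in 0046) are enough, prefer those; if not, the patch description should say why all-levels is required.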
@@ -44,5 +44,5 @@ index e1eb7d5fc..da0994749 100644
       term_dontaudit_use_unallocated_ttys(rpcbind_t)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
deleted file mode 100644
index 2232d48..0000000
---
a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From dc2c9c91219311f6c4d985169dff6c5931a465d7 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@...>
-Date: Thu, 4 Feb 2016 02:10:15 -0500
-Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for
- systemd
-
-Fixes:
-syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/syslog: Permission denied
-syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied
-syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied
-syslogd[243]: Error opening log file: /var/log/messages: Permission denied
-
-avc:  denied  { search } for  pid=243 comm="syslogd" name="/"
-dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-avc:  denied  { write } for  pid=162 comm="systemd-journal"
-name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/logging.te | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index cc530a2be..5b4b5ec5d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t)
-
- # manage runtime files
- allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
--allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
-+allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write };
- allow syslogd_t syslogd_runtime_t:file map;
- manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
- files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
-@@ -495,6 +495,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_tmpfs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
---
-2.17.1
-
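Review bot: dropping this patch removes two rules with no visible replacement on this page: the `write` added to `allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write }` (the systemd-journal write denial on the `syslog` socket in the Fixes block) and `fs_search_tmpfs(syslogd_t)` (the `search` denial on `/` of tmpfs_t). The updated 0047 patch below also loses `fs_search_tmpfs(syslogd_t)` from its context, so the new logging.te does not carry that line at that spot. Before removing this, confirm that the new refpolicy grants the same access through another rule and cite it in the commit message; otherwise the `Error opening log file: /var/log/...: Permission denied` failures listed in the Fixes block come back on a systemd boot.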
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
similarity index 90%
rename from recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
rename to recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
index ace056a..30c84f6 100644
---
a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -1,4 +1,4 @@
-From b41a910654f5c5fe198b1695df18b6f6a1af7904 Mon Sep 17 00:00:00 2001
+From 9343914c0486b5aa6ff7cceeb8f6c399115e5fb3 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Tue, 30 Jun 2020 10:18:20 +0800
  Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index f3421fdbb..d87ee5583 100644
+index f1da315a9..89478c38e 100644
  --- a/policy/modules/admin/dmesg.te
  +++ b/policy/modules/admin/dmesg.te
  @@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t)
@@ -32,5 +32,5 @@ index f3421fdbb..d87ee5583 100644
       seutil_sigchld_newrole(dmesg_t)
   ')
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
deleted file mode 100644
index 108f62f..0000000
---
a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
-
-Fixes:
-systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
-$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
---user to connect to bus of other user)
-
-avc: denied { connectto } for  pid=293 comm="login"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for  pid=293 comm="login" name="io.systemd.DropIn"
-dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for  pid=293 comm="login"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { connectto } for  pid=244 comm="systemd-logind"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for  pid=244 comm="systemd-logind"
-name="io.systemd.DropIn" dev="tmpfs" ino=44
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for  pid=244 comm="systemd-logind"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { mknod } for  pid=297 comm="systemd" capability=27
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { setrlimit } for pid=297 comm="systemd"
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
-
-avc: denied { bpf } for pid=297 comm="systemd" capability=39
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { perfmon } for pid=297 comm="systemd" capability=38
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
-ino=173 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:etc_t tclass=dir permissive=0
-
-avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
-ino=2 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
-
-avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
-ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/roles/sysadm.te   |  2 ++
- policy/modules/system/init.if    |  1 +
- policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
- 3 files changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 46d3e2f0b..e1933a5bd 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
-     # Allow sysadm to query and set networking settings on the system.
-     systemd_dbus_chat_networkd(sysadm_t)
-     fs_read_nsfs_files(sysadm_t)
-+
-+    systemd_sysadm_user(sysadm_t)
- ')
-
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 0171ee299..8ca29f654 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
-     ')
-
-     allow $1 init_t:unix_stream_socket connectto;
-+    allow $1 initrc_t:unix_stream_socket connectto;
- ')
-
- ########################################
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 38adf050c..5c44d8d8a 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -57,7 +57,7 @@ template(`systemd_role_template',`
-     allow $1_systemd_t self:process { getsched signal };
-     allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
-     allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
--    allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+    allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
-     corecmd_shell_domtrans($1_systemd_t, $3)
-     corecmd_bin_domtrans($1_systemd_t, $3)
-
-@@ -88,8 +88,11 @@ template(`systemd_role_template',`
-
-     fs_manage_cgroup_files($1_systemd_t)
-     fs_watch_cgroup_files($1_systemd_t)
-+    files_watch_etc_dirs($1_systemd_t)
-+    fs_getattr_xattr_fs($1_systemd_t)
-
-     kernel_dontaudit_getattr_proc($1_systemd_t)
-+    kernel_read_network_state($1_systemd_t)
-
-     selinux_use_status_page($1_systemd_t)
-
-@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
-     init_search_runtime($1)
-     allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-     allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+    allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-     init_unix_stream_socket_connectto($1)
- ')
-
-@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
-     allow $1 systemd_machined_t:fd use;
-     allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+## <summary>
-+##    sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+##    <summary>
-+##  Role allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+    gen_require(`
-+        type sysadm_systemd_t;
-+    ')
-+
-+    allow sysadm_systemd_t self:capability { mknod sys_admin };
-+    allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+    allow sysadm_systemd_t self:process setrlimit;
-+    allow $1 sysadm_systemd_t:system reload;
-+')
---
-2.17.1
-
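Review bot: this removal deletes more than denial fixes: the `systemd_sysadm_user` interface, the `initrc_t:unix_stream_socket connectto` added to `init_unix_stream_socket_connectto`, the `lnk_file read` in `systemd_stream_connect_userdb`, the `noatsecure` grant in `systemd_role_template`, and the `capability { mknod sys_admin }` / `capability2 { bpf perfmon }` / `process setrlimit` grants for `sysadm_systemd_t`. Two checks before merging: (1) grep the remaining patches and any local .te/.if in the layer for `systemd_sysadm_user`, since a dangling call to a now-missing interface fails the policy build; (2) state in the commit message whether the new refpolicy covers the `login` and `systemd-logind` connectto to `/run/systemd/userdb/io.systemd.Multiplexer` and the userdb `lnk_file` reads, because those denials are what produced the `Failed to connect to bus` error in the Fixes block. Dropping the `sys_admin`/`bpf`/`perfmon` grants is welcome from a least-privilege standpoint if systemd --user no longer needs them, but that should be verified on the new systemd rather than assumed.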
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 94%
rename from recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index 8b9f98c..932047a 100644
---
a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001
+From 057e4e6a6e2e87edcd6a93dd533620700b00b1c2 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Fri, 13 Oct 2017 07:20:40 +0000
  Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index a32c59eb1..1c53754ee 100644
+index a40db8507..40cd52825 100644
  --- a/policy/modules/kernel/kernel.te
  +++ b/policy/modules/kernel/kernel.te
-@@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t)
+@@ -370,6 +370,8 @@ mls_file_write_all_levels(kernel_t)
   mls_file_read_all_levels(kernel_t)
   mls_socket_write_all_levels(kernel_t)
   mls_fd_use_all_levels(kernel_t)
@@ -72,5 +72,5 @@ index a32c59eb1..1c53754ee 100644
   ifdef(`distro_redhat',`
       # Bugzilla 222337
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
deleted file mode 100644
index 504e028..0000000
---
a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 24 Sep 2020 14:05:52 +0800
-Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
- separation for dhcpcd
-
-Fixes:
-
-avc:  denied  { sys_chroot } for  pid=332 comm="dhcpcd" capability=18
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc:  denied  { setgid } for  pid=332 comm="dhcpcd" capability=6
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc:  denied  { setuid } for  pid=332 comm="dhcpcd" capability=7
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc:  denied  { setrlimit } for  pid=332 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
-permissive=0
-
-avc:  denied  { create } for  pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc:  denied  { setopt } for  pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc:  denied  { bind } for  pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc:  denied  { getattr } for  pid=330 comm="dhcpcd"
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=netlink_kobject_uevent_socket permissive=0
-
-avc:  denied  { read } for  pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
-ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc:  denied  { open } for  pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc:  denied  { getattr } for  pid=330 comm="dhcpcd"
-path="/run/udev/data/n1" dev="tmpfs" ino=15616
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
-
-avc:  denied  { connectto } for  pid=1600 comm="dhcpcd"
-path="/run/dhcpcd/unpriv.sock"
-scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tclass=unix_stream_socket permissive=0
-
-avc:  denied  { kill } for  pid=314 comm="dhcpcd" capability=5
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
-permissive=0
-
-avc:  denied  { getattr } for  pid=300 comm="dhcpcd"
-path="net:[4026532008]" dev="nsfs" ino=4026532008
-scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.te | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 4c317cc4c..05a9a52b8 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
- # DHCP client local policy
- #
- allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
-+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
- dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
--allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
-+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
-
- allow dhcpc_t self:fifo_file rw_fifo_file_perms;
- allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
- allow dhcpc_t self:packet_socket create_socket_perms;
- allow dhcpc_t self:netlink_generic_socket create_socket_perms;
- allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
-+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow dhcpc_t self:rawip_socket create_socket_perms;
- allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow dhcpc_t self:unix_stream_socket connectto;
-
- allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
- read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
- fs_getattr_all_fs(dhcpc_t)
- fs_search_auto_mountpoints(dhcpc_t)
- fs_search_cgroup_dirs(dhcpc_t)
-+fs_read_nsfs_files(dhcpc_t)
-
- term_dontaudit_use_all_ttys(dhcpc_t)
- term_dontaudit_use_all_ptys(dhcpc_t)
-@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
-     init_stream_connect(dhcpc_t)
-     init_get_all_units_status(dhcpc_t)
-     init_search_units(dhcpc_t)
-+    udev_read_runtime_files(dhcpc_t)
- ')
-
- optional_policy(`
---
-2.17.1
-
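Review bot: the removed rules are exactly what dhcpcd's privilege separation needs: `setuid`, `setgid`, `sys_chroot` and `process setrlimit` for the unprivileged child, `netlink_kobject_uevent_socket` for interface events, `udev_read_runtime_files` for `/run/udev/data/n1`, `fs_read_nsfs_files` for the `net:[...]` getattr, and `self:unix_stream_socket connectto` for `/run/dhcpcd/unpriv.sock`. Unless the new refpolicy contains equivalents, dhcpcd hits the denials in the Fixes block again on first boot. Either cite the upstream commit that absorbed these rules or keep the patch (renumbered) until that is confirmed; a boot test with dhcpcd in enforcing mode settles it. Note that the connectto denial is from `root:sysadm_r:dhcpc_t` to `system_u:system_r:dhcpc_t`, an admin-launched client talking to the boot-time daemon, so testing only the boot path would not exercise it.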
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 89%
rename from recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index b4da47d..9e52b7f 100644
---
a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From 7bcc117ea39532427df297299c10ca1d2948a70c Mon Sep 17 00:00:00 2001
+From c47e288e8950e7e92e3c90972ca7ef8ef9fc6a7f Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Fri, 15 Jan 2016 03:47:05 -0500
  Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 4 insertions(+)
    diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 932d1f7b3..36becaa6e 100644
+index 97a75cf86..fee846cb5 100644
  --- a/policy/modules/system/init.te
  +++ b/policy/modules/system/init.te
-@@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t)
+@@ -229,6 +229,10 @@ mls_process_write_all_levels(init_t)
   mls_fd_use_all_levels(init_t)
   mls_process_set_level(init_t)
   @@ -42,5 +42,5 @@ index 932d1f7b3..36becaa6e 100644
   # otherwise the call fails and sysvinit tries to load the policy
   # again when using the initramfs
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
deleted file mode 100644
index 2f94974..0000000
---
a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8343ff97a265836ba1e1e2f4159f888c21e5cabe Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Tue, 9 Feb 2021 17:31:55 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys
-
-Fixes:
-kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
-
-avc:  denied  { write } for  pid=219 comm="modprobe"
-scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
-tclass=key permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/modutils.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 5b4f0aca1..008f286a8 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms;
- allow kmod_t self:rawip_socket create_socket_perms;
-
- allow kmod_t self:lockdown confidentiality;
-+allow kmod_t self:key write;
-
- # Read module config and dependency information
- list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
---
-2.17.1
-
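Review bot: `allow kmod_t self:key write` is a one-line patch that decides whether the kernel accepts or rejects the cfg80211 in-kernel X.509 certificate (`Problem loading in-kernel X.509 certificate (-13)` in the Fixes block; -13 is EACCES). Nothing on this page shows the new refpolicy granting `key write` to kmod_t, so please cite the upstream commit or test wireless module loading on the new policy before dropping it. If it is still needed, it is scoped to kmod_t's own keys (`self`), so carrying it forward costs little in terms of exposure.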
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
similarity index 92%
rename from recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
rename to recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
index 4b768e0..1bfbb16 100644
---
a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -1,4 +1,4 @@
-From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001
+From afd35f6c73551c674e5bfe7cc1832b6a0ea717a6 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Thu, 4 Feb 2016 06:03:19 -0500
  Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 5 insertions(+)
    diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 1a83148c1..736107fad 100644
+index 4a1e06640..b44b9b2d7 100644
  --- a/policy/modules/system/systemd.te
  +++ b/policy/modules/system/systemd.te
-@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+@@ -1694,6 +1694,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
      systemd_log_parse_environment(systemd_tmpfiles_t)
   @@ -59,5 +59,5 @@ index 1a83148c1..736107fad 100644
   userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
similarity index 82%
rename from recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
rename to recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
index 60f7dae..800439c 100644
---
a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch
@@ -1,4 +1,4 @@
-From 71986d0c6775408a1c89415dd5d4e7ea03302248 Mon Sep 17 00:00:00 2001
+From 8aa70c13d63e093bff87ea938d35dcc76e5bdd56 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Thu, 18 Jun 2020 09:59:58 +0800
  Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
@@ -43,12 +43,12 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 12 insertions(+)
    diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 736107fad..8cea6baa1 100644
+index b44b9b2d7..7b717d3ba 100644
  --- a/policy/modules/system/systemd.te
  +++ b/policy/modules/system/systemd.te
-@@ -341,6 +341,9 @@ fs_getattr_tmpfs(systemd_backlight_t)
+@@ -373,6 +373,9 @@ files_search_var_lib(systemd_backlight_t)
+ fs_getattr_all_fs(systemd_backlight_t)
   fs_search_cgroup_dirs(systemd_backlight_t)
- fs_getattr_cgroup(systemd_backlight_t)
     +mls_file_read_to_clearance(systemd_backlight_t)
  +mls_file_write_to_clearance(systemd_backlight_t)
@@ -56,9 +56,9 @@ index 736107fad..8cea6baa1 100644
   #######################################
   #
   # Binfmt local policy
-@@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t)
+@@ -528,6 +531,9 @@ term_use_unallocated_ttys(systemd_generator_t)
   - udev_search_runtime(systemd_generator_t)
+ udev_read_runtime_files(systemd_generator_t)
     +mls_file_read_to_clearance(systemd_generator_t)
  +mls_file_write_to_clearance(systemd_generator_t)
@@ -66,19 +66,19 @@ index 736107fad..8cea6baa1 100644
   ifdef(`distro_gentoo',`
       corecmd_shell_entry_type(systemd_generator_t)
   ')
-@@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
+@@ -922,6 +928,9 @@ userdom_setattr_user_ttys(systemd_logind_t)
   userdom_use_user_ttys(systemd_logind_t)
   domain_read_all_domains_state(systemd_logind_t)
   -+mls_file_read_to_clearance(systemd_logind_t)
-+mls_file_write_to_clearance(systemd_logind_t)
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
  +
   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
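Review bot: the systemd_logind_t hunk is not a rebase; it replaces `mls_file_read_to_clearance` / `mls_file_write_to_clearance` with `mls_file_read_all_levels` / `mls_file_write_all_levels`, which lets logind read and write files at every MLS level regardless of its own clearance. That is a privilege widening buried inside a renumbering commit, and it is inconsistent with the other four domains in this same patch (backlight, generator, rfkill, tmpfiles), which keep `*_to_clearance`. Either split it into its own commit with the AVC denial that motivated it, or explain in the patch description why `to_clearance` is no longer sufficient for logind (for example, if it now runs at a fixed level rather than a range) and why the wider grant is acceptable for a daemon that manages every user session's runtime directories.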
-@@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t)
- fs_search_cgroup_dirs(systemd_rfkill_t)
- fs_getattr_cgroup(systemd_rfkill_t)
+@@ -1412,6 +1421,9 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+ systemd_log_parse_environment(systemd_rfkill_t)
     +mls_file_read_to_clearance(systemd_rfkill_t)
  +mls_file_write_to_clearance(systemd_rfkill_t)
@@ -87,5 +87,5 @@ index 736107fad..8cea6baa1 100644
   #
   # Resolved local policy
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
similarity index 78%
rename from recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
rename to recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
index 75be11d..cb3894c 100644
---
a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -1,4 +1,4 @@
-From 511f7fdad45a150f7ea3666eb51463573eabab0a Mon Sep 17 00:00:00 2001
+From 2afa5753f2ef8c7cee5ad0511c521d252bedf3e5 Mon Sep 17 00:00:00 2001
  From: Xin Ouyang <Xin.Ouyang@...>
  Date: Thu, 22 Aug 2013 13:37:23 +0800
  Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
@@ -14,18 +14,17 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@...>
  Signed-off-by: Joe MacDonald <joe_macdonald@...>
  Signed-off-by: Yi Zhao <yi.zhao@...>
  ---
- policy/modules/system/logging.te | 4 ++++
- 1 file changed, 4 insertions(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)
    diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 5b4b5ec5d..e67c25a9e 100644
+index d3b06db7d..f63965d4d 100644
  --- a/policy/modules/system/logging.te
  +++ b/policy/modules/system/logging.te
-@@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t)
- fs_search_tmpfs(syslogd_t)
+@@ -505,6 +505,9 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
      mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_file_read_all_levels(syslogd_t)
  +mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram
  +mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
  +mls_fd_use_all_levels(syslogd_t)
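Review bot: the line `+mls_file_read_all_levels(syslogd_t)` is dropped from this patch (4 insertions become 3), but the refreshed context shows only `mls_file_write_all_levels(syslogd_t)` at the insertion point, so it is not visible here that the new base grants the read side. Please confirm the updated logging.te already contains mls_file_read_all_levels(syslogd_t) elsewhere, or note in the patch description where it moved; otherwise syslogd silently loses read access to files above its level.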
@@ -33,5 +32,5 @@ index 5b4b5ec5d..e67c25a9e 100644
   term_write_console(syslogd_t)
   # Allow syslog to a terminal
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
similarity index 85%
rename from recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
rename to recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
index 5c01ef4..16f0e4e 100644
---
a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From 3f875fae6d9a4538b3e7d33f30dd2a98fc9ea2bd Mon Sep 17 00:00:00 2001
+From f87bb3cb0843af69f9aecaef0a4052e04b15a630 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Tue, 28 May 2019 16:41:37 +0800
  Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 36becaa6e..9c0a98eb7 100644
+index fee846cb5..df7f87f17 100644
  --- a/policy/modules/system/init.te
  +++ b/policy/modules/system/init.te
-@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t)
+@@ -228,6 +228,7 @@ mls_file_write_all_levels(init_t)
   mls_process_write_all_levels(init_t)
   mls_fd_use_all_levels(init_t)
   mls_process_set_level(init_t)
@@ -29,5 +29,5 @@ index 36becaa6e..9c0a98eb7 100644
   # MLS trusted for lowering/raising the level of files
   mls_file_downgrade(init_t)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
rename to recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
index d3ddcd2..fb56eca 100644
---
a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -1,4 +1,4 @@
-From a59dae035b7d5063e0f25c4cf40b5b180ad69022 Mon Sep 17 00:00:00 2001
+From f3c0f18b647631fd2ffc1e86c9e3f51cbf74d60f Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Wed, 3 Feb 2016 04:16:06 -0500
  Subject: [PATCH] policy/modules/system/init: all init_t to read any level
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 3 insertions(+)
    diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 9c0a98eb7..5a19f0e43 100644
+index df7f87f17..671b5aef3 100644
  --- a/policy/modules/system/init.te
  +++ b/policy/modules/system/init.te
-@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t)
+@@ -234,6 +234,9 @@ mls_key_write_all_levels(init_t)
   mls_file_downgrade(init_t)
   mls_file_upgrade(init_t)
   @@ -36,5 +36,5 @@ index 9c0a98eb7..5a19f0e43 100644
   # otherwise the call fails and sysvinit tries to load the policy
   # again when using the initramfs
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
similarity index 87%
rename from recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
rename to recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
index 47328be..aa02eb1 100644
---
a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -1,4 +1,4 @@
-From 96437ba860d352304246fbe3381030da0665f239 Mon Sep 17 00:00:00 2001
+From cb7a4ff6081f19d05b109512275ec9a537f2f6d2 Mon Sep 17 00:00:00 2001
  From: Wenzong Fan <wenzong.fan@...>
  Date: Thu, 25 Feb 2016 04:25:08 -0500
  Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e67c25a9e..f8d8b73f0 100644
+index f63965d4d..7e41596f4 100644
  --- a/policy/modules/system/logging.te
  +++ b/policy/modules/system/logging.te
-@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t)
+@@ -223,6 +223,8 @@ miscfiles_read_localization(auditd_t)
      mls_file_read_all_levels(auditd_t)
   mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -35,5 +35,5 @@ index e67c25a9e..f8d8b73f0 100644
   seutil_dontaudit_read_config(auditd_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
rename to recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
index ad92c7f..16bdf84 100644
---
a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 102255e89863c5a31d0d6c8df67b258d819b9a68 Mon Sep 17 00:00:00 2001
+From 023e7b92a805103c54aec06bbd9465e4fbf7a6f2 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Thu, 31 Oct 2019 17:35:59 +0800
  Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 1 insertion(+)
    diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 1c53754ee..2031576e0 100644
+index 40cd52825..d08610543 100644
  --- a/policy/modules/kernel/kernel.te
  +++ b/policy/modules/kernel/kernel.te
-@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t)
+@@ -372,6 +372,7 @@ mls_socket_write_all_levels(kernel_t)
   mls_fd_use_all_levels(kernel_t)
   # https://bugzilla.redhat.com/show_bug.cgi?id=667370
   mls_file_downgrade(kernel_t)
@@ -27,5 +27,5 @@ index 1c53754ee..2031576e0 100644
   ifdef(`distro_redhat',`
       # Bugzilla 222337
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
similarity index 83%
rename from recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
rename to recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
index 96d0588..b916084 100644
---
a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -1,4 +1,4 @@
-From 5fa9e03a3b90f97e573a7724cd9d49b53730d083 Mon Sep 17 00:00:00 2001
+From 55fe90eba640e6d52bb269176f45a3a5e2c3ed80 Mon Sep 17 00:00:00 2001
  From: Roy Li <rongqing.li@...>
  Date: Sat, 22 Feb 2014 13:35:38 +0800
  Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
@@ -13,10 +13,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 25aadfc5f..564e2d4d1 100644
+index 12e66aad9..5510f7fac 100644
  --- a/policy/modules/system/setrans.te
  +++ b/policy/modules/system/setrans.te
-@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t)
+@@ -69,6 +69,8 @@ mls_net_receive_all_levels(setrans_t)
   mls_socket_write_all_levels(setrans_t)
   mls_process_read_all_levels(setrans_t)
   mls_socket_read_all_levels(setrans_t)
@@ -26,5 +26,5 @@ index 25aadfc5f..564e2d4d1 100644
   selinux_compute_access_vector(setrans_t)
     --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
similarity index 88%
rename from recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
rename to recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
index 8bfe607..c4dc87b 100644
---
a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -1,4 +1,4 @@
-From fe70aaf9a104b4b0c3439d2767eccb0136951f08 Mon Sep 17 00:00:00 2001
+From c9afe0dc30f51f7ad7b93b8878c88df1146272a0 Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Mon, 22 Feb 2021 11:28:12 +0800
  Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
@@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 3 insertions(+)
    diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 5c44d8d8a..5f2038f22 100644
+index 325ca548b..b23b9bb0a 100644
  --- a/policy/modules/system/systemd.if
  +++ b/policy/modules/system/systemd.if
-@@ -171,6 +171,9 @@ template(`systemd_role_template',`
+@@ -196,6 +196,9 @@ template(`systemd_role_template',`
           xdg_read_config_files($1_systemd_t)
           xdg_read_data_files($1_systemd_t)
       ')
@@ -38,5 +38,5 @@ index 5c44d8d8a..5f2038f22 100644
      ######################################
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
similarity index 84%
rename from recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch
rename to recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
index 7bdc9d6..ab87039 100644
---
a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -1,4 +1,4 @@
-From f8a12b28b70689ab520e7ae94d306afe9dcbb556 Mon Sep 17 00:00:00 2001
+From 7a65c9f3636b43f3a29349ea1c045d5281efa5aa Mon Sep 17 00:00:00 2001
  From: Yi Zhao <yi.zhao@...>
  Date: Sat, 18 Dec 2021 17:31:45 +0800
  Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
@@ -23,7 +23,7 @@ dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
  tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
  permissive=0
  -Upstream-Status: Pending
+Upstream-Status: Inappropriate [embedded specific]
    Signed-off-by: Yi Zhao <yi.zhao@...>
  ---
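Review bot: the Upstream-Status change from Pending to Inappropriate [embedded specific] needs a justification in the header. The denial quoted above (rpcd_t at s0-s15:c0.c1023 creating a dir in syslogd_var_run_t at s15:c0.c1023) is a generic MLS interaction between rpcbind and syslog, not something specific to an embedded build. If upstream declined it, cite the discussion; if it was never submitted, keep it Pending.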
@@ -31,18 +31,18 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
   1 file changed, 2 insertions(+)
    diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index f8d8b73f0..badf56f16 100644
+index 7e41596f4..0c25457d6 100644
  --- a/policy/modules/system/logging.te
  +++ b/policy/modules/system/logging.te
-@@ -438,6 +438,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+@@ -447,6 +447,8 @@ allow syslogd_t syslogd_runtime_t:file map;
   manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
   files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
     +mls_trusted_object(syslogd_runtime_t)
  +
- kernel_read_crypto_sysctls(syslogd_t)
   kernel_read_system_state(syslogd_t)
   kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
  --
-2.17.1
+2.25.1
  diff --git a/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch b/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
deleted file mode 100644
index e0db7d3..0000000
---
a/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 52a4222397f5d3b28ca15a45bb2ace209a4afc3e Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 31 Mar 2022 13:09:10 -0400
-Subject: [PATCH] systemd: systemd-resolved is linked to libselinux
-
-systemd-resolved as of systemd 250 fails to start with this error:
-
-Failed to initialize SELinux labeling handle: No such file or directory
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/3a22db2410de479e5baa88f3f668a7a4ac198950]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 8cea6baa1..beb301cc6 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1261,6 +1261,7 @@ fs_getattr_cgroup(systemd_resolved_t)
-
- init_dgram_send(systemd_resolved_t)
-
-+seutil_libselinux_linked(systemd_resolved_t)
- seutil_read_file_contexts(systemd_resolved_t)
-
- systemd_log_parse_environment(systemd_resolved_t)
---
-2.25.1
-
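Review bot: removing this backport is only correct if the refpolicy revision this series moves to includes upstream commit 3a22db2410de479e5baa88f3f668a7a4ac198950 cited in the header; the SRCREV change is not shown in this part of the diff, so please name the new upstream revision in the commit message. The same check applies to the other Backport patches 0063 to 0068 deleted below. Without seutil_libselinux_linked(systemd_resolved_t), systemd-resolved fails to start with the "Failed to initialize SELinux labeling handle" error quoted above.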
diff --git a/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch b/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
deleted file mode 100644
index 63da7cd..0000000
---
a/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1ba0911e157c64ea15636c5707f38f1bdc9a46c8 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Wed, 27 Apr 2022 01:09:52 -0400
-Subject: [PATCH] sysnetwork, systemd: allow DNS resolution over
- io.systemd.Resolve
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/1a0acc9c0d8c7c49ad4ca2cabd44bc66450f45e0]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/sysnetwork.if |  1 +
- policy/modules/system/systemd.if    | 21 +++++++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8664a67c8..140d48508 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -844,6 +844,7 @@ interface(`sysnet_dns_name_resolve',`
-     ifdef(`init_systemd',`
-         optional_policy(`
-             systemd_dbus_chat_resolved($1)
-+            systemd_stream_connect_resolved($1)
-         ')
-         # This seems needed when the mymachines NSS module is used
-         optional_policy(`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 5f2038f22..9143fb4c0 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -1835,6 +1835,27 @@ interface(`systemd_tmpfilesd_managed',`
-     ')
- ')
-
-+#######################################
-+## <summary>
-+##    Connect to systemd resolved over
-+##    /run/systemd/resolve/io.systemd.Resolve .
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`systemd_stream_connect_resolved',`
-+    gen_require(`
-+        type systemd_resolved_t;
-+        type systemd_resolved_runtime_t;
-+    ')
-+
-+    files_search_runtime($1)
-+    stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t)
-+')
-+
- ########################################
- ## <summary>
- ##   Send and receive messages from
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch b/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
deleted file mode 100644
index 88f070d..0000000
---
a/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 50670946f04257cc2110facbc61884e2cf0d8327 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Fri, 6 May 2022 21:16:29 -0400
-Subject: [PATCH] term, init: allow systemd to watch and watch reads on
- unallocated ttys
-
-As of systemd 250, systemd needs to be able to add a watch on and watch
-reads on unallocated ttys in order to start getty.
-
-systemd[55548]: getty@...: Failed to set up standard input: Permission denied
-systemd[55548]: getty@...: Failed at step STDIN spawning /sbin/agetty: Permission denied
-
-time->Fri May  6 21:17:58 2022
-type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
-type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(1651886278.452:1770): cwd="/"
-type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(1651886278.452:1770): avc:  denied  { watch watch_reads } for  pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/308ab9f69a4623f5dace8da151e70c6316f055a8]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/kernel/terminal.if | 38 +++++++++++++++++++++++++++++++
- policy/modules/system/init.te     |  2 ++
- 2 files changed, 40 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e8c0735eb..6e9f654ac 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -1287,6 +1287,44 @@ interface(`term_dontaudit_use_unallocated_ttys',`
-     dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
- ')
-
-+########################################
-+## <summary>
-+##    Watch unallocated ttys.
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`term_watch_unallocated_ttys',`
-+    gen_require(`
-+        type tty_device_t;
-+    ')
-+
-+    dev_list_all_dev_nodes($1)
-+    allow $1 tty_device_t:chr_file watch;
-+')
-+
-+########################################
-+## <summary>
-+##    Watch reads on unallocated ttys.
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`term_watch_reads_unallocated_ttys',`
-+    gen_require(`
-+        type tty_device_t;
-+    ')
-+
-+    dev_list_all_dev_nodes($1)
-+    allow $1 tty_device_t:chr_file watch_reads;
-+')
-+
- ########################################
- ## <summary>
- ##    Get the attributes of all tty device nodes.
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5a19f0e43..24cef0924 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -518,6 +518,8 @@ ifdef(`init_systemd',`
-     term_create_devpts_dirs(init_t)
-     term_create_ptmx(init_t)
-     term_create_controlling_term(init_t)
-+    term_watch_unallocated_ttys(init_t)
-+    term_watch_reads_unallocated_ttys(init_t)
-
-     # udevd is a "systemd kobject uevent socket activated daemon"
-     udev_create_kobject_uevent_sockets(init_t)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
deleted file mode 100644
index 1029490..0000000
---
a/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6f8a8ecd8bafd6e8a3515b53db2a2982a02ff254 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 31 Mar 2022 13:22:37 -0400
-Subject: [PATCH] systemd: add file transition for systemd-networkd runtime
-
-systemd-networkd creates the /run/systemd/network directory which should
-be labeled appropriately.
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/663b62f27cb12c22f056eba9326cf3f7f78d8a9e]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index beb301cc6..654c6a42a 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -917,6 +917,7 @@ auth_use_nsswitch(systemd_networkd_t)
-
- init_dgram_send(systemd_networkd_t)
- init_read_state(systemd_networkd_t)
-+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
-
- logging_send_syslog_msg(systemd_networkd_t)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch b/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
deleted file mode 100644
index f84eb4a..0000000
---
a/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 2e3f371b59bee343c42e4c69495df0f3719b6e24 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Sat, 2 Apr 2022 15:44:01 -0400
-Subject: [PATCH] systemd: add missing file context for /run/systemd/network
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/f2fe1ae15485da7b6269b7d0d7dbed9a834f1876]
-
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-index 34db8c034..d21914227 100644
---- a/policy/modules/system/systemd.fc
-+++ b/policy/modules/system/systemd.fc
-@@ -85,6 +85,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
-
- /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
- /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
-+/run/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
- /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
- /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
- /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch b/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
deleted file mode 100644
index 0aaf096..0000000
---
a/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 143d339b2e6611c56cd0210279757ebee9632731 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 19 May 2022 11:42:51 -0400
-Subject: [PATCH] systemd: add file contexts for systemd-network-generator
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/73adba0a39b7409bc4bbfa0e962108c2b1e5f2a5]
-
-Thanks-To: Zhao Yi
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/systemd.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-index d21914227..1a35bd65c 100644
---- a/policy/modules/system/systemd.fc
-+++ b/policy/modules/system/systemd.fc
-@@ -35,6 +35,7 @@
- /usr/lib/systemd/systemd-machined    --
gen_context(system_u:object_r:systemd_machined_exec_t,s0)
- /usr/lib/systemd/systemd-modules-load    --
gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
- /usr/lib/systemd/systemd-networkd    --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
-+/usr/lib/systemd/systemd-network-generator    --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
- /usr/lib/systemd/systemd-pstore        --
gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
- /usr/lib/systemd/systemd-resolved    --
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
- /usr/lib/systemd/systemd-rfkill        --
gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
-@@ -60,6 +61,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
- /usr/lib/systemd/system/systemd-backlight.*    --
gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
- /usr/lib/systemd/system/systemd-binfmt.*    --
gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
- /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
-+/usr/lib/systemd/system/systemd-network-generator.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
- /usr/lib/systemd/system/systemd-rfkill.*    --
gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
- /usr/lib/systemd/system/systemd-socket-proxyd\.service --
gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
-
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
deleted file mode 100644
index 259863c..0000000
---
a/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6508bc8a3440525384fcfcd8ad55a4cd5c79b912 Mon Sep 17 00:00:00 2001
-From: Kenton Groombridge <me@...>
-Date: Thu, 19 May 2022 11:43:44 -0400
-Subject: [PATCH] systemd, udev: allow udev to read systemd-networkd runtime
-
-udev searches for .link files and applies custom udev rules to devices
-as they come up.
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/refpolicy/commit/998ef975f38c70d57e7220b88ae5e62c88ebb770]
-
-Thanks-To: Zhao Yi
-Signed-off-by: Kenton Groombridge <me@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/udev.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 4c5a690fb..8e243c0f2 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -270,6 +270,8 @@ ifdef(`init_systemd',`
-     systemd_read_hwdb(udev_t)
-     systemd_read_logind_sessions_files(udev_t)
-     systemd_read_logind_runtime_files(udev_t)
-+    # udev searches for .link files and applies custom udev rules
-+    systemd_read_networkd_runtime(udev_t)
-
-     optional_policy(`
-         init_dbus_chat(udev_t)
---
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch b/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch
deleted file mode 100644
index 6535a4b..0000000
---
a/recipes-security/refpolicy/refpolicy/0069-fc-fstools-apply-policy-to-findfs-alternative.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3e3ec39659ae068d20efbb5f13054d90960c3c3f Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Thu, 19 May 2022 16:51:49 +0800
-Subject: [PATCH] fc/fstools: apply policy to findfs alternative
-
-Add file context for findfs alternative which is provided by util-linux.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- policy/modules/system/fstools.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index bef711850..91be0ef3d 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -77,6 +77,7 @@
- /usr/sbin/fdisk            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fdisk\.util-linux            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/findfs        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs\.util-linux        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fsck.*        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/gdisk            --
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/hdparm        --
gen_context(system_u:object_r:fsadm_exec_t,s0)
---
-2.25.1
-
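Review bot: unlike 0062 to 0068, this patch is marked Inappropriate [embedded specific], not Backport, so the upstream refresh does not by itself explain its deletion. The `/usr/sbin/findfs\.util-linux` entry it added would be lost, leaving the util-linux alternative without the fsadm_exec_t label, unless the new fstools.fc already carries an equivalent line (the context shows upstream does have `fdisk\.util-linux`) or the rule moved into another patch in this series. Please state which in the commit message.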
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index bb0c0dd..a51312f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,10 +7,10 @@ PROVIDES = "virtual/refpolicy"
  RPROVIDES:${PN} = "refpolicy"
    # Specific config files for Poky
-SRC_URI += "file://customizable_types  \
-        file://setrans-mls.conf  \
-        file://setrans-mcs.conf  \
-       "
+SRC_URI += "file://customizable_types \
+            file://setrans-mls.conf \
+            file://setrans-mcs.conf \
+           "
    # Base patches applied to all Yocto-based platforms.  Your own version of
  # refpolicy should provide a version of these and place them in your own
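Review bot: this hunk is whitespace-only (re-indenting the SRC_URI continuation lines) and carries no functional change; folding it into the same commit as the patch-list update and the operator changes further down makes those harder to spot. Split the cosmetic re-indentation into its own commit, or at least say in the commit message that the re-indentation is intentional so reviewers know to read the rest with `git diff -w`.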
@@ -49,64 +49,49 @@ SRC_URI += " \
file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
- file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
- file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
- file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
- file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \
- file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
- file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
- file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \
- file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \
- file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \
- file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
- file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \
- file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
- file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
- file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
- file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
- file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
- file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \
- file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
- file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
- file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
- file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
- file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
- file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
- file://0062-systemd-systemd-resolved-is-linked-to-libselinux.patch \
- file://0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch \
- file://0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch \
- file://0065-systemd-add-file-transition-for-systemd-networkd-run.patch \
- file://0066-systemd-add-missing-file-context-for-run-systemd-net.patch \
- file://0067-systemd-add-file-contexts-for-systemd-network-genera.patch \
- file://0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch \
- file://0069-fc-fstools-apply-policy-to-findfs-alternative.patch \
+ file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
+ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0046-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0049-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
          "
    S = "${WORKDIR}/refpolicy"
  -CONFFILES:${PN} += "${sysconfdir}/selinux/config"
+CONFFILES:${PN} = "${sysconfdir}/selinux/config"
  FILES:${PN} += " \
-    ${sysconfdir}/selinux/${POLICY_NAME}/ \
-    ${datadir}/selinux/${POLICY_NAME}/*.pp \
-    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
-    "
+    ${sysconfdir}/selinux/${POLICY_NAME}/ \
+    ${datadir}/selinux/${POLICY_NAME}/*.pp \
+    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+    "
  FILES:${PN}-dev =+ " \
-        ${datadir}/selinux/${POLICY_NAME}/include/ \
-        ${sysconfdir}/selinux/sepolgen.conf \
-"
+    ${datadir}/selinux/${POLICY_NAME}/include/ \
+    ${sysconfdir}/selinux/sepolgen.conf \
+    "
    EXTRANATIVEPATH += "bzip2-native"
  -DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
  -RDEPENDS:${PN}-dev =+ " \
-        python3-core \
-"
+RDEPENDS:${PN}-dev = " \
+    python3-core \
+    "
    PACKAGE_ARCH = "${MACHINE_ARCH}"
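Review bot: the change from `CONFFILES:${PN} +=`, `DEPENDS +=` and `RDEPENDS:${PN}-dev =+` to a plain `=` is a semantic change buried in a patch-list and whitespace update: a hard assignment discards whatever a recipe or bbappend set before this .inc is included, whereas the old operators appended or prepended to it. Keep the original operators, or call the change out in the commit message with the reason. Separately, the renumbered list introduces `file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch`, which has no counterpart among the removed entries; this hunk does not show that file being added, so make sure it is part of the series, and list in the commit message which of the dropped 0034-0069 patches are obsoleted by the refpolicy SRCREV bump rather than simply removed.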
  @@ -129,83 +114,83 @@ POLICY_MLS_SENS ?= "16"
  POLICY_MLS_CATS ?= "1024"
  POLICY_MCS_CATS ?= "1024"
  -EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
-    TYPE=${POLICY_TYPE} \
-    DISTRO=${POLICY_DISTRO} \
-    UBAC=${POLICY_UBAC} \
-    UNK_PERMS=${POLICY_UNK_PERMS} \
-    DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
-    SYSTEMD=${POLICY_SYSTEMD} \
-    MONOLITHIC=${POLICY_MONOLITHIC} \
-    CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
-    QUIET=${POLICY_QUIET} \
-    MLS_SENS=${POLICY_MLS_SENS} \
-    MLS_CATS=${POLICY_MLS_CATS} \
-    MCS_CATS=${POLICY_MCS_CATS}"
+EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
+    TYPE=${POLICY_TYPE} \
+    DISTRO=${POLICY_DISTRO} \
+    UBAC=${POLICY_UBAC} \
+    UNK_PERMS=${POLICY_UNK_PERMS} \
+    DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+    SYSTEMD=${POLICY_SYSTEMD} \
+    MONOLITHIC=${POLICY_MONOLITHIC} \
+    CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+    QUIET=${POLICY_QUIET} \
+    MLS_SENS=${POLICY_MLS_SENS} \
+    MLS_CATS=${POLICY_MLS_CATS} \
+    MCS_CATS=${POLICY_MCS_CATS}"
    EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
  EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
  EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
  -python __anonymous () {
+python __anonymous() {
      import re
  -    # make sure DEFAULT_ENFORCING is something sane
+    # Make sure DEFAULT_ENFORCING is something sane
      if not re.match('^(enforcing|permissive|disabled)$',
                      d.getVar('DEFAULT_ENFORCING'),
                      flags=0):
          d.setVar('DEFAULT_ENFORCING', 'permissive')
  }
  -disable_policy_modules () {
-    for module in ${PURGE_POLICY_MODULES} ; do
-        sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
-    done
+disable_policy_modules() {
+    for module in ${PURGE_POLICY_MODULES} ; do
+        sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+    done
  }
    do_compile() {
-    if [ -f "${WORKDIR}/modules.conf" ] ; then
-        cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
-    fi
-    oe_runmake conf
-    disable_policy_modules
-    oe_runmake policy
+    if [ -f "${WORKDIR}/modules.conf" ] ; then
+        cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+    fi
+    oe_runmake conf
+    disable_policy_modules
+    oe_runmake policy
  }
  -prepare_policy_store () {
-    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-    POL_PRIORITY=100
-    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
-    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-
-    # Prepare to create policy store
-    mkdir -p ${POL_STORE}
-    mkdir -p ${POL_ACTIVE_MODS}
-
-    # get hll type from suffix on base policy module
-    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-
-    for i in ${POL_SRC}/*.${HLL_TYPE}; do
-        MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
-        MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
-        mkdir -p ${MOD_DIR}
-        echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
-        if ! bzip2 -t $i >/dev/null 2>&1; then
-            ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
-            bzip2 -f $i && mv -f $i.bz2 $i
-        else
-            bunzip2 --stdout $i | \
-                ${HLL_BIN} | \
-                bzip2 --stdout > ${MOD_DIR}/cil
-        fi
-        cp $i ${MOD_DIR}/hll
-    done
+prepare_policy_store() {
+    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+    POL_PRIORITY=100
+    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+    # Prepare to create policy store
+    mkdir -p ${POL_STORE}
+    mkdir -p ${POL_ACTIVE_MODS}
+
+    # Get hll type from suffix on base policy module
+    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+    for i in ${POL_SRC}/*.${HLL_TYPE}; do
+        MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+        MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+        mkdir -p ${MOD_DIR}
+        echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+        if ! bzip2 -t $i >/dev/null 2>&1; then
+            ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+            bzip2 -f $i && mv -f $i.bz2 $i
+        else
+            bunzip2 --stdout $i | \
+                ${HLL_BIN} | \
+                bzip2 --stdout > ${MOD_DIR}/cil
+        fi
+        cp $i ${MOD_DIR}/hll
+    done
  }
  -rebuild_policy () {
-    cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+rebuild_policy() {
+    cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
  module-store = direct
  [setfiles]
  path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
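Review bot: `EXTRA_OEMAKE +=` becoming `EXTRA_OEMAKE =` at the top of this hunk silently discards any EXTRA_OEMAKE value set earlier in the parse, while the three `EXTRA_OEMAKE +=` lines that follow still append, so the intent was evidently to keep accumulating; restore `+=` or document the reason, because the remainder of the hunk is re-indentation and comment capitalisation and a reader skimming a whitespace hunk will miss it. While the function bodies are being touched, `echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext` could become `printf '%s' "${HLL_TYPE}"`, which is the portable spelling for a bitbake shell function run under /bin/sh.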
@@ -219,29 +204,29 @@ args = \$@
  policy-version = 33
  EOF
  -    # Create policy store and build the policy
-    semodule -p ${D} -s ${POLICY_NAME} -n -B
-    rm -f ${D}${sysconfdir}/selinux/semanage.conf
-    # no need to leave final dir created by semanage laying around
-    rm -rf ${D}${localstatedir}/lib/selinux/final
+    # Create policy store and build the policy
+    semodule -p ${D} -s ${POLICY_NAME} -n -B
+    rm -f ${D}${sysconfdir}/selinux/semanage.conf
+    # No need to leave final dir created by semanage laying around
+    rm -rf ${D}${localstatedir}/lib/selinux/final
  }
  -install_misc_files () {
-    cat ${WORKDIR}/customizable_types >> \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+install_misc_files() {
+    cat ${WORKDIR}/customizable_types >> \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
  -    # install setrans.conf for mls/mcs policy
-    if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
-        install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
-    fi
+    # Install setrans.conf for mls/mcs policy
+    if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+        install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+    fi
  -    # install policy headers
-    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+    # Install policy headers
+    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
  }
  -install_config () {
-    echo "\
+install_config() {
+    echo "\
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
@@ -256,22 +241,22 @@ SELINUX=${DEFAULT_ENFORCING}
  #     mcs - Multi Category Security protection.
  SELINUXTYPE=${POLICY_NAME}
  " > ${WORKDIR}/config
-    install -d ${D}/${sysconfdir}/selinux
-    install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+    install -d ${D}/${sysconfdir}/selinux
+    install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
  }
  -do_install () {
-    prepare_policy_store
-    rebuild_policy
-    install_misc_files
-    install_config
+do_install() {
+    prepare_policy_store
+    rebuild_policy
+    install_misc_files
+    install_config
  }
  -do_install:append(){
-    # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
-    echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+do_install:append() {
+    # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+    echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
  }
  -sysroot_stage_all:append () {
-    sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+sysroot_stage_all:append() {
+    sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
  }
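Review bot: `install -d ${D}/${sysconfdir}/selinux` and the `install -m 0644` line after it keep a redundant `/` between `${D}` and `${sysconfdir}` (sysconfdir already begins with a slash); since this hunk is a re-indentation pass over install_config anyway, drop it so the paths read `${D}${sysconfdir}/selinux` like the rest of the file, for example `${D}${sysconfdir}/selinux/semanage.conf` in rebuild_policy above.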
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 9e78aed..54e0890 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20210908+git${SRCPV}"
+PV = "2.20221101+git${SRCPV}"
    SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"
  -SRCREV_refpolicy ?= "23a8d103f379361cfe63a9ee064564624e108196"
+SRCREV_refpolicy ?= "03d486e306555da161b653c88e804ce23f3a0ea4"
    UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
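Review bot: the move to PV 2.20221101 and SRCREV_refpolicy 03d486e306555da161b653c88e804ce23f3a0ea4 is what makes the removal of the 0034-0069 backports in refpolicy_common.inc legitimate, so the commit message should name the upstream commits or release that absorbed them; also check that the date embedded in PV matches the commit date of that SRCREV, so that version comparison and `devtool upgrade` stay monotonic.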
  --
2.25.1


[meta-security][PATCH] bubblewrap: Update 0.6.2 -> 0.7.0

Alex Kiernan
 

Inherit github-releases so that `devtool upgrade` can identify new
versions correctly.

Signed-off-by: Alex Kiernan <alex.kiernan@...>
---
.../{bubblewrap_0.6.2.bb => bubblewrap_0.7.0.bb} | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
rename recipes-security/bubblewrap/{bubblewrap_0.6.2.bb => bubblewrap_0.7.0.bb} (72%)

diff --git a/recipes-security/bubblewrap/bubblewrap_0.6.2.bb b/recipes-security/bubblewrap/bubblewrap_0.7.0.bb
similarity index 72%
rename from recipes-security/bubblewrap/bubblewrap_0.6.2.bb
rename to recipes-security/bubblewrap/bubblewrap_0.7.0.bb
index 921defda9e9d..a48b01252034 100644
--- a/recipes-security/bubblewrap/bubblewrap_0.6.2.bb
+++ b/recipes-security/bubblewrap/bubblewrap_0.7.0.bb
@@ -6,12 +6,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
DEPENDS = "libcap"

SRC_URI = "https://github.com/containers/${BPN}/releases/download/v${PV}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b"
+SRC_URI[sha256sum] = "764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc"

-UPSTREAM_CHECK_URI = "https://github.com/containers/bubblewrap/releases"
-UPSTREAM_CHECK_REGEX = "bubblewrap-(?P<pver>\d+(\.\d+)+)\.tar"
+inherit autotools bash-completion github-releases manpages pkgconfig

-inherit autotools bash-completion manpages pkgconfig
+GITHUB_BASE_URI = "https://github.com/containers/${BPN}/releases/"

PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native docbook-xsl-stylesheets-native xmlto-native"
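Review bot: SRC_URI still spells out `https://github.com/containers/${BPN}/releases/download/v${PV}/${BP}.tar.xz` while the new GITHUB_BASE_URI repeats the same prefix; use the variable, `SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.xz"`, so the fetch URL and the upstream-check URL cannot drift apart, and drop the trailing slash from GITHUB_BASE_URI to match the class's own default form. The new sha256sum is the only integrity anchor for the 0.7.0 tarball; say in the commit message that it was computed from an archive fetched directly from the upstream release rather than copied from another distribution.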
--
2.35.1