* [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
@ 2019-04-10 15:53 Joe MacDonald
2019-04-11 8:19 ` Yi Zhao
2019-04-14 16:26 ` Joe MacDonald
0 siblings, 2 replies; 4+ messages in thread
From: Joe MacDonald @ 2019-04-10 15:53 UTC (permalink / raw)
To: mark.hatle, yocto
[-- Attachment #1: Type: text/plain, Size: 34160 bytes --]
This is a huge, long-overdue update the refpolicy. I apologise for it
blocking the other outstanding meta-selinux patches, but I've been
trying to limit the scope of changes while this happens. Now that this
is cleared off the slate, I'll be gathering up the other meta-selinux
patches from the list. I'll send out a follow-up on those as they're
merged and another when I think I'm done, so if I've missed your patch,
that'll be the time to ping me about it.
As for this, here's what I've done.
- manually reviewed all patches that had been present in
repolicy-* for both the old stable (2.20170204) and git
versions
- forked the SELinuxPolicy/refpolicy repo and applied all
still-relevant patches to the RELEASE_2.20190201 branch
- restructured the patches so that all patches that should
reasonably apply to all variants (mcs, mls, minimum, standard
and targeted) were in a common branch and only the ones that
are specific to each variant would be in their own recipe
- restructure the patches so that systemd and sysvinit patches
were not applied to the same tree
- created a parallel set of branches for each of these against
current git HEAD
The results of this can be examined here:
https://github.com/joeythesaint/refpolicy
Then each of these were exported and put in the appropriate SRC_URIs so
the branch structure is more-or-less preserved.
My goals with this approach were the following:
- make it easier to keep refpolicy up to date, particularly for
anyone wanting to use the git variants
- make it easier to determine how your preferred version of
refpolicy on Yocto differs from upstream refpolicy
- limit the above differences to the minimum to achieve the goal
of a functional Yocto system
- eventually move us away from release tarballs entirely
That last point is why I'm preserving the refpolicy fork above. I'd
like to keep going with this and so future refpolicy patches will first
be put in that repo then exported and applied to the SRC_URIs. If you
have such a patch and want to send me a PR against the branch you think
it belongs on from github directly, that'd be awesome, but the old
method of patches to the mailing list will work fine too, just know that
this is the way I'm going to try to manage this for the foreseeable
future. Ultimately, if this proves to work well, I would like to move
the refpolicy fork off github and house it on git.yoctoproject.org
beside meta-selinux, but the workflow needs to be properly validated
first.
One additional point, I intend to take another pass at revising this
stuff, ideally moving the huge number of common patches out as well.
There's still some that aren't necessary for base yocto but are for
additional layers. That's fine for us to have, but I'd like to get
those moved to optional layer directories so we're making the best use
of that functionality we can. If you have suggestions on which pieces
already present are good candidates, let me know. Similarly, if you've
got additional policy patches you want to see included, feel free to
send them along, we can easily move them to optional locations inside
meta-selinux.
Finally, please everyone test this and provide feedback on anything that
doesn't work or looks strange. This is easily the biggest change we've
had in meta-selinux in years and I expect there's still some wrinkles to
be ironed out. And I really appreciate everyone's patience while we got
to this point and hope it's not too much more pain before we put a
ribbon on this and call it done.
I'll give this until at least the weekend before merging it to master,
pending comments or an overwhelming "please just do it" from the
community.
Thanks.
---
The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:
Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 +0100)
are available in the Git repository at:
git://git.yoctoproject.org/meta-selinux yocto/master-next
for you to fetch changes up to 776da889b550ac9e5be414a8cc10fd86b1923264:
refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
----------------------------------------------------------------
Joe MacDonald (1):
refpolicy: update to 2.20190201 and git HEAD policies
README | 16 +-
.../refpolicy-2.20170204/poky-fc-clock.patch | 20 --
.../poky-fc-corecommands.patch | 24 --
.../refpolicy-2.20170204/poky-fc-dmesg.patch | 18 --
.../poky-fc-fix-real-path_login.patch | 37 ---
.../poky-fc-fix-real-path_shadow.patch | 34 ---
.../refpolicy-2.20170204/poky-fc-fstools.patch | 75 ------
.../refpolicy-2.20170204/poky-fc-ftpwho-dir.patch | 27 ---
.../refpolicy-2.20170204/poky-fc-iptables.patch | 24 --
.../refpolicy-2.20170204/poky-fc-mta.patch | 27 ---
.../refpolicy-2.20170204/poky-fc-netutils.patch | 24 --
.../refpolicy-2.20170204/poky-fc-nscd.patch | 25 --
.../refpolicy-2.20170204/poky-fc-rpm.patch | 23 --
.../refpolicy-2.20170204/poky-fc-screen.patch | 23 --
.../refpolicy-2.20170204/poky-fc-su.patch | 20 --
.../refpolicy-2.20170204/poky-fc-subs_dist.patch | 33 ---
.../refpolicy-2.20170204/poky-fc-sysnetwork.patch | 48 ----
.../refpolicy-2.20170204/poky-fc-udevd.patch | 38 ---
.../poky-fc-update-alternatives_bash.patch | 24 --
.../poky-fc-update-alternatives_hostname.patch | 21 --
.../poky-fc-update-alternatives_sysklogd.patch | 62 -----
.../poky-fc-update-alternatives_sysvinit.patch | 57 -----
...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 ---
...licy-add-rules-for-var-log-symlink-apache.patch | 31 ---
...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
...poky-policy-add-rules-for-var-log-symlink.patch | 185 ---------------
...-policy-allow-nfsd-to-exec-shell-commands.patch | 60 -----
...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
.../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 37 ---
.../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 259 ---------------------
...olicy-fix-setfiles-statvfs-get-file-count.patch | 32 ---
...-volatile-alias-common-var-volatile-paths.patch | 36 +++
...001-fix-update-alternatives-for-sysvinit.patch} | 51 ++--
...nimum-audit-logging-getty-audit-related-.patch} | 17 +-
...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
...nimum-locallogin-add-allow-rules-for-typ.patch} | 11 +-
...ysklogd-apply-policy-to-sysklogd-symlink.patch} | 49 ++--
...nimum-systemd-unconfined-lib-add-systemd.patch} | 34 +--
...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
...nimum-systemd-mount-logging-authlogin-ad.patch} | 39 ++--
...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
...inimum-init-fix-reboot-with-systemd-as-in.patch | 9 +-
...nf-label-resolv.conf-in-var-run-properly.patch} | 24 +-
...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
...ogin-apply-login-context-to-login.shadow.patch} | 22 +-
...inimum-systemd-fix-for-login-journal-serv.patch | 33 +--
.../0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
...inimum-systemd-fix-for-systemd-tmp-files-.patch | 34 ++-
.../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
...-refpolicy-minimum-systemd-fix-for-syslog.patch | 13 +-
...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
...snetwork-apply-policy-to-ip-alternatives.patch} | 35 ++-
...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
...15-fc-su-apply-policy-to-su-alternatives.patch} | 18 +-
...016-fc-fstools-fix-real-path-for-fstools.patch} | 58 ++---
...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
...e-files-add-rules-for-the-symlink-of-tmp.patch} | 69 ++----
...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
...e-init-update-for-systemd-related-allow-.patch} | 16 +-
...cy-minimum-make-sysadmin-module-optional.patch} | 28 +--
...le-apache-add-rules-for-the-symlink-of-va.patch | 33 +++
...-volatile-alias-common-var-volatile-paths.patch | 36 +++
...0001-fix-update-alternatives-for-sysvinit.patch | 53 +++++
...inimum-audit-logging-getty-audit-related-.patch | 68 ++++++
...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
...inimum-locallogin-add-allow-rules-for-typ.patch | 54 +++++
...sysklogd-apply-policy-to-sysklogd-symlink.patch | 57 +++++
...inimum-systemd-unconfined-lib-add-systemd.patch | 121 ++++++++++
...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
...inimum-systemd-mount-logging-authlogin-ad.patch | 96 ++++++++
...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
...inimum-init-fix-reboot-with-systemd-as-in.patch | 37 +++
...nf-label-resolv.conf-in-var-run-properly.patch} | 26 ++-
...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
...login-apply-login-context-to-login.shadow.patch | 27 +++
...inimum-systemd-fix-for-login-journal-serv.patch | 103 ++++++++
...h => 0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
...inimum-systemd-fix-for-systemd-tmp-files-.patch | 110 +++++++++
.../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
...-refpolicy-minimum-systemd-fix-for-syslog.patch | 70 ++++++
...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
...ysnetwork-apply-policy-to-ip-alternatives.patch | 48 ++++
...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
...15-fc-su-apply-policy-to-su-alternatives.patch} | 20 +-
...0016-fc-fstools-fix-real-path-for-fstools.patch | 76 ++++++
...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
...e-files-add-rules-for-the-symlink-of-tmp.patch} | 71 ++----
...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
...e-init-update-for-systemd-related-allow-.patch} | 23 +-
...cy-minimum-make-sysadmin-module-optional.patch} | 53 ++---
...e-apache-add-rules-for-the-symlink-of-va.patch} | 24 +-
.../refpolicy/refpolicy-git/poky-fc-clock.patch | 19 --
.../refpolicy/refpolicy-git/poky-fc-dmesg.patch | 15 --
.../poky-fc-fix-real-path_shadow.patch | 50 ----
.../refpolicy-git/poky-fc-ftpwho-dir.patch | 27 ---
.../refpolicy/refpolicy-git/poky-fc-mta.patch | 27 ---
.../refpolicy/refpolicy-git/poky-fc-nscd.patch | 25 --
.../refpolicy/refpolicy-git/poky-fc-rpm.patch | 23 --
.../refpolicy/refpolicy-git/poky-fc-screen.patch | 23 --
.../refpolicy-git/poky-fc-subs_dist.patch | 32 ---
.../refpolicy/refpolicy-git/poky-fc-udevd.patch | 27 ---
.../poky-fc-update-alternatives_bash.patch | 12 -
.../poky-fc-update-alternatives_hostname.patch | 19 --
...ky-policy-add-rules-for-syslogd_t-symlink.patch | 29 ---
...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
...poky-policy-add-rules-for-var-log-symlink.patch | 88 -------
...-policy-allow-nfsd-to-exec-shell-commands.patch | 81 -------
...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
.../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 22 --
.../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 253 --------------------
...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 ---
...s_2.20170204.bb => refpolicy-mcs_2.20190201.bb} | 0
...inimum-systemd-mount-enable-requiried-ref.patch | 47 ----
...20170204.bb => refpolicy-minimum_2.20190201.bb} | 39 ++--
.../refpolicy/refpolicy-minimum_git.bb | 22 +-
...s_2.20170204.bb => refpolicy-mls_2.20190201.bb} | 0
...0170204.bb => refpolicy-standard_2.20190201.bb} | 0
...efpolicy-remove-duplicate-type_transition.patch | 46 ----
...move-duplicate-type_transition_2.20170204.patch | 46 ----
.../refpolicy-unconfined_u-default-user.patch | 222 ------------------
...licy-unconfined_u-default-user_2.20170204.patch | 222 ------------------
.../refpolicy/refpolicy-targeted_2.20170204.bb | 29 ---
.../refpolicy/refpolicy-targeted_2.20190201.bb | 35 +++
.../refpolicy/refpolicy-targeted_git.bb | 22 +-
.../refpolicy/refpolicy_2.20170204.inc | 58 -----
.../refpolicy/refpolicy_2.20190201.inc | 7 +
recipes-security/refpolicy/refpolicy_common.inc | 48 +++-
recipes-security/refpolicy/refpolicy_git.inc | 55 +----
156 files changed, 3145 insertions(+), 3748 deletions(-)
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysvinit.patch => refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch} (51%)
rename recipes-security/refpolicy/{refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch => refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch} (85%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
rename recipes-security/refpolicy/{refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch => refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch} (87%)
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysklogd.patch => refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch} (52%)
rename recipes-security/refpolicy/{refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch => refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch} (79%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
rename recipes-security/refpolicy/{refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch => refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch} (76%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch (83%)
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (54%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_login.patch => refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch} (52%)
rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch (82%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-bind.patch => refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch} (62%)
rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch (80%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0009-refpolicy-minimum-systemd-fix-for-syslog.patch (90%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-ssh.patch => refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (55%)
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-sysnetwork.patch => refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch} (54%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_su.patch => refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fstools.patch => refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch} (66%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch => refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch => refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
rename recipes-security/refpolicy/{refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (54%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch => refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch => refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch => refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch => refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch => refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
rename recipes-security/refpolicy/{refpolicy-git/refpolicy-update-for_systemd.patch => refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch} (66%)
rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch => refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (69%)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (52%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
rename recipes-security/refpolicy/refpolicy-git/{poky-fc-fix-bind.patch => 0008-fc-bind-fix-real-path-for-bind.patch} (62%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-ssh.patch => refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (52%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_su.patch => refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-syslogd_t-to-trusted-object.patch => 0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-cache-symlink.patch => 0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (53%)
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-bsdpty_device_t.patch => 0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-don-t-audit-tty_device_t.patch => 0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => 0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-allow-sysadm-to-run-rpcinfo.patch => 0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-seutils-manage-config-files.patch => 0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
create mode 100644 recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
create mode 100644 recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
rename recipes-security/refpolicy/refpolicy-git/{ftp-add-ftpd_t-to-mlsfilewrite.patch => 0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
rename recipes-security/refpolicy/{refpolicy-2.20170204/refpolicy-update-for_systemd.patch => refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch} (52%)
rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch => refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (56%)
rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-log-symlink-apache.patch => 0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch} (54%)
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
rename recipes-security/refpolicy/{refpolicy-mcs_2.20170204.bb => refpolicy-mcs_2.20190201.bb} (100%)
delete mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
rename recipes-security/refpolicy/{refpolicy-minimum_2.20170204.bb => refpolicy-minimum_2.20190201.bb} (66%)
rename recipes-security/refpolicy/{refpolicy-mls_2.20170204.bb => refpolicy-mls_2.20190201.bb} (100%)
rename recipes-security/refpolicy/{refpolicy-standard_2.20170204.bb => refpolicy-standard_2.20190201.bb} (100%)
delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
delete mode 100644 recipes-security/refpolicy/refpolicy_2.20170204.inc
create mode 100644 recipes-security/refpolicy/refpolicy_2.20190201.inc
--
-Joe MacDonald.
:wq
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 499 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
2019-04-10 15:53 [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400) Joe MacDonald
@ 2019-04-11 8:19 ` Yi Zhao
2019-04-12 19:24 ` Joe MacDonald
2019-04-14 16:26 ` Joe MacDonald
1 sibling, 1 reply; 4+ messages in thread
From: Yi Zhao @ 2019-04-11 8:19 UTC (permalink / raw)
To: Joe MacDonald, mark.hatle, yocto, Randy MacLeod
[-- Attachment #1: Type: text/plain, Size: 36203 bytes --]
Hi Joe,
Thank you for working on the refpolicy upgrade.
I have a quick test with your patch. Here are the results:
Machine: qemux86-64
Image: core-image-selinux
Init manager: systemd
Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1
enforcing=X" qemuparams="-m 1024"
1. All refpolicy type of git version can be built without problems.
2. With parameter selinux=1 & enforcing=0
The qemu can boot up and login for all refpolicy types.
3. With parameter selinux=1 & enforcing=1
Some of services failed to startup when booting. But this issue also
exist on old refpolicy version (2.20170204)
4. refpolicy stable version (2.20190201)
I got an do_fetch error with refpolicy stable version.
Seems the SRC_URI is not correct. It should be
"https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2"
Regards,
Yi
在 2019/4/10 下午11:53, Joe MacDonald 写道:
> This is a huge, long-overdue update the refpolicy. I apologise for it
> blocking the other outstanding meta-selinux patches, but I've been
> trying to limit the scope of changes while this happens. Now that this
> is cleared off the slate, I'll be gathering up the other meta-selinux
> patches from the list. I'll send out a follow-up on those as they're
> merged and another when I think I'm done, so if I've missed your patch,
> that'll be the time to ping me about it.
>
> As for this, here's what I've done.
>
> - manually reviewed all patches that had been present in
> repolicy-* for both the old stable (2.20170204) and git
> versions
>
> - forked the SELinuxPolicy/refpolicy repo and applied all
> still-relevant patches to the RELEASE_2.20190201 branch
>
> - restructured the patches so that all patches that should
> reasonably apply to all variants (mcs, mls, minimum, standard
> and targeted) were in a common branch and only the ones that
> are specific to each variant would be in their own recipe
>
> - restructure the patches so that systemd and sysvinit patches
> were not applied to the same tree
>
> - created a parallel set of branches for each of these against
> current git HEAD
>
> The results of this can be examined here:
>
> https://github.com/joeythesaint/refpolicy
>
> Then each of these were exported and put in the appropriate SRC_URIs so
> the branch structure is more-or-less preserved.
>
> My goals with this approach were the following:
>
> - make it easier to keep refpolicy up to date, particularly for
> anyone wanting to use the git variants
>
> - make it easier to determine how your preferred version of
> refpolicy on Yocto differs from upstream refpolicy
>
> - limit the above differences to the minimum to achieve the goal
> of a functional Yocto system
>
> - eventually move us away from release tarballs entirely
>
> That last point is why I'm preserving the refpolicy fork above. I'd
> like to keep going with this and so future refpolicy patches will first
> be put in that repo then exported and applied to the SRC_URIs. If you
> have such a patch and want to send me a PR against the branch you think
> it belongs on from github directly, that'd be awesome, but the old
> method of patches to the mailing list will work fine too, just know that
> this is the way I'm going to try to manage this for the foreseeable
> future. Ultimately, if this proves to work well, I would like to move
> the refpolicy fork off github and house it on git.yoctoproject.org
> beside meta-selinux, but the workflow needs to be properly validated
> first.
>
> One additional point, I intend to take another pass at revising this
> stuff, ideally moving the huge number of common patches out as well.
> There's still some that aren't necessary for base yocto but are for
> additional layers. That's fine for us to have, but I'd like to get
> those moved to optional layer directories so we're making the best use
> of that functionality we can. If you have suggestions on which pieces
> already present are good candidates, let me know. Similarly, if you've
> got additional policy patches you want to see included, feel free to
> send them along, we can easily move them to optional locations inside
> meta-selinux.
>
> Finally, please everyone test this and provide feedback on anything that
> doesn't work or looks strange. This is easily the biggest change we've
> had in meta-selinux in years and I expect there's still some wrinkles to
> be ironed out. And I really appreciate everyone's patience while we got
> to this point and hope it's not too much more pain before we put a
> ribbon on this and call it done.
>
> I'll give this until at least the weekend before merging it to master,
> pending comments or an overwhelming "please just do it" from the
> community.
>
> Thanks.
>
> ---
>
> The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:
>
> Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 +0100)
>
> are available in the Git repository at:
>
> git://git.yoctoproject.org/meta-selinux yocto/master-next
>
> for you to fetch changes up to 776da889b550ac9e5be414a8cc10fd86b1923264:
>
> refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
>
> ----------------------------------------------------------------
> Joe MacDonald (1):
> refpolicy: update to 2.20190201 and git HEAD policies
>
> README | 16 +-
> .../refpolicy-2.20170204/poky-fc-clock.patch | 20 --
> .../poky-fc-corecommands.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-dmesg.patch | 18 --
> .../poky-fc-fix-real-path_login.patch | 37 ---
> .../poky-fc-fix-real-path_shadow.patch | 34 ---
> .../refpolicy-2.20170204/poky-fc-fstools.patch | 75 ------
> .../refpolicy-2.20170204/poky-fc-ftpwho-dir.patch | 27 ---
> .../refpolicy-2.20170204/poky-fc-iptables.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-mta.patch | 27 ---
> .../refpolicy-2.20170204/poky-fc-netutils.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-nscd.patch | 25 --
> .../refpolicy-2.20170204/poky-fc-rpm.patch | 23 --
> .../refpolicy-2.20170204/poky-fc-screen.patch | 23 --
> .../refpolicy-2.20170204/poky-fc-su.patch | 20 --
> .../refpolicy-2.20170204/poky-fc-subs_dist.patch | 33 ---
> .../refpolicy-2.20170204/poky-fc-sysnetwork.patch | 48 ----
> .../refpolicy-2.20170204/poky-fc-udevd.patch | 38 ---
> .../poky-fc-update-alternatives_bash.patch | 24 --
> .../poky-fc-update-alternatives_hostname.patch | 21 --
> .../poky-fc-update-alternatives_sysklogd.patch | 62 -----
> .../poky-fc-update-alternatives_sysvinit.patch | 57 -----
> ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 ---
> ...licy-add-rules-for-var-log-symlink-apache.patch | 31 ---
> ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
> ...poky-policy-add-rules-for-var-log-symlink.patch | 185 ---------------
> ...-policy-allow-nfsd-to-exec-shell-commands.patch | 60 -----
> ...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
> .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 37 ---
> .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 259 ---------------------
> ...olicy-fix-setfiles-statvfs-get-file-count.patch | 32 ---
> ...-volatile-alias-common-var-volatile-paths.patch | 36 +++
> ...001-fix-update-alternatives-for-sysvinit.patch} | 51 ++--
> ...nimum-audit-logging-getty-audit-related-.patch} | 17 +-
> ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
> ...nimum-locallogin-add-allow-rules-for-typ.patch} | 11 +-
> ...ysklogd-apply-policy-to-sysklogd-symlink.patch} | 49 ++--
> ...nimum-systemd-unconfined-lib-add-systemd.patch} | 34 +--
> ...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
> ...nimum-systemd-mount-logging-authlogin-ad.patch} | 39 ++--
> ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
> ...inimum-init-fix-reboot-with-systemd-as-in.patch | 9 +-
> ...nf-label-resolv.conf-in-var-run-properly.patch} | 24 +-
> ...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
> ...ogin-apply-login-context-to-login.shadow.patch} | 22 +-
> ...inimum-systemd-fix-for-login-journal-serv.patch | 33 +--
> .../0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
> ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 34 ++-
> .../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
> ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 13 +-
> ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
> ...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
> ...snetwork-apply-policy-to-ip-alternatives.patch} | 35 ++-
> ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
> ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
> ...15-fc-su-apply-policy-to-su-alternatives.patch} | 18 +-
> ...016-fc-fstools-fix-real-path-for-fstools.patch} | 58 ++---
> ...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
> ...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
> ...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
> ...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
> ...e-files-add-rules-for-the-symlink-of-tmp.patch} | 69 ++----
> ...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
> ...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
> ...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
> ...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
> ...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
> ...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
> ...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
> ...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
> ...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
> ...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
> ...e-init-update-for-systemd-related-allow-.patch} | 16 +-
> ...cy-minimum-make-sysadmin-module-optional.patch} | 28 +--
> ...le-apache-add-rules-for-the-symlink-of-va.patch | 33 +++
> ...-volatile-alias-common-var-volatile-paths.patch | 36 +++
> ...0001-fix-update-alternatives-for-sysvinit.patch | 53 +++++
> ...inimum-audit-logging-getty-audit-related-.patch | 68 ++++++
> ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
> ...inimum-locallogin-add-allow-rules-for-typ.patch | 54 +++++
> ...sysklogd-apply-policy-to-sysklogd-symlink.patch | 57 +++++
> ...inimum-systemd-unconfined-lib-add-systemd.patch | 121 ++++++++++
> ...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
> ...inimum-systemd-mount-logging-authlogin-ad.patch | 96 ++++++++
> ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
> ...inimum-init-fix-reboot-with-systemd-as-in.patch | 37 +++
> ...nf-label-resolv.conf-in-var-run-properly.patch} | 26 ++-
> ...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
> ...login-apply-login-context-to-login.shadow.patch | 27 +++
> ...inimum-systemd-fix-for-login-journal-serv.patch | 103 ++++++++
> ...h => 0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
> ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 110 +++++++++
> .../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
> ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 70 ++++++
> ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
> ...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
> ...ysnetwork-apply-policy-to-ip-alternatives.patch | 48 ++++
> ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
> ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
> ...15-fc-su-apply-policy-to-su-alternatives.patch} | 20 +-
> ...0016-fc-fstools-fix-real-path-for-fstools.patch | 76 ++++++
> ...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
> ...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
> ...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
> ...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
> ...e-files-add-rules-for-the-symlink-of-tmp.patch} | 71 ++----
> ...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
> ...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
> ...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
> ...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
> ...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
> ...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
> ...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
> ...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
> ...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
> ...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
> ...e-init-update-for-systemd-related-allow-.patch} | 23 +-
> ...cy-minimum-make-sysadmin-module-optional.patch} | 53 ++---
> ...e-apache-add-rules-for-the-symlink-of-va.patch} | 24 +-
> .../refpolicy/refpolicy-git/poky-fc-clock.patch | 19 --
> .../refpolicy/refpolicy-git/poky-fc-dmesg.patch | 15 --
> .../poky-fc-fix-real-path_shadow.patch | 50 ----
> .../refpolicy-git/poky-fc-ftpwho-dir.patch | 27 ---
> .../refpolicy/refpolicy-git/poky-fc-mta.patch | 27 ---
> .../refpolicy/refpolicy-git/poky-fc-nscd.patch | 25 --
> .../refpolicy/refpolicy-git/poky-fc-rpm.patch | 23 --
> .../refpolicy/refpolicy-git/poky-fc-screen.patch | 23 --
> .../refpolicy-git/poky-fc-subs_dist.patch | 32 ---
> .../refpolicy/refpolicy-git/poky-fc-udevd.patch | 27 ---
> .../poky-fc-update-alternatives_bash.patch | 12 -
> .../poky-fc-update-alternatives_hostname.patch | 19 --
> ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 29 ---
> ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
> ...poky-policy-add-rules-for-var-log-symlink.patch | 88 -------
> ...-policy-allow-nfsd-to-exec-shell-commands.patch | 81 -------
> ...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
> .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 22 --
> .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 253 --------------------
> ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 ---
> ...s_2.20170204.bb => refpolicy-mcs_2.20190201.bb} | 0
> ...inimum-systemd-mount-enable-requiried-ref.patch | 47 ----
> ...20170204.bb => refpolicy-minimum_2.20190201.bb} | 39 ++--
> .../refpolicy/refpolicy-minimum_git.bb | 22 +-
> ...s_2.20170204.bb => refpolicy-mls_2.20190201.bb} | 0
> ...0170204.bb => refpolicy-standard_2.20190201.bb} | 0
> ...efpolicy-remove-duplicate-type_transition.patch | 46 ----
> ...move-duplicate-type_transition_2.20170204.patch | 46 ----
> .../refpolicy-unconfined_u-default-user.patch | 222 ------------------
> ...licy-unconfined_u-default-user_2.20170204.patch | 222 ------------------
> .../refpolicy/refpolicy-targeted_2.20170204.bb | 29 ---
> .../refpolicy/refpolicy-targeted_2.20190201.bb | 35 +++
> .../refpolicy/refpolicy-targeted_git.bb | 22 +-
> .../refpolicy/refpolicy_2.20170204.inc | 58 -----
> .../refpolicy/refpolicy_2.20190201.inc | 7 +
> recipes-security/refpolicy/refpolicy_common.inc | 48 +++-
> recipes-security/refpolicy/refpolicy_git.inc | 55 +----
> 156 files changed, 3145 insertions(+), 3748 deletions(-)
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysvinit.patch => refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch} (51%)
> rename recipes-security/refpolicy/{refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch => refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch} (85%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
> rename recipes-security/refpolicy/{refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch => refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch} (87%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysklogd.patch => refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch => refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch} (79%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
> rename recipes-security/refpolicy/{refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch => refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch} (76%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch (83%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_login.patch => refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch (82%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-bind.patch => refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch} (62%)
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch (80%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0009-refpolicy-minimum-systemd-fix-for-syslog.patch (90%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-ssh.patch => refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (55%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-sysnetwork.patch => refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_su.patch => refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fstools.patch => refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch} (66%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch => refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch => refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (54%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch => refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch => refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch => refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch => refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch => refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
> rename recipes-security/refpolicy/{refpolicy-git/refpolicy-update-for_systemd.patch => refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch} (66%)
> rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch => refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-fc-fix-bind.patch => 0008-fc-bind-fix-real-path-for-bind.patch} (62%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-ssh.patch => refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_su.patch => refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-syslogd_t-to-trusted-object.patch => 0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-cache-symlink.patch => 0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (53%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-bsdpty_device_t.patch => 0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-don-t-audit-tty_device_t.patch => 0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => 0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-allow-sysadm-to-run-rpcinfo.patch => 0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-seutils-manage-config-files.patch => 0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
> rename recipes-security/refpolicy/refpolicy-git/{ftp-add-ftpd_t-to-mlsfilewrite.patch => 0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/refpolicy-update-for_systemd.patch => refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch => refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (56%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-log-symlink-apache.patch => 0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch} (54%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
> rename recipes-security/refpolicy/{refpolicy-mcs_2.20170204.bb => refpolicy-mcs_2.20190201.bb} (100%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
> rename recipes-security/refpolicy/{refpolicy-minimum_2.20170204.bb => refpolicy-minimum_2.20190201.bb} (66%)
> rename recipes-security/refpolicy/{refpolicy-mls_2.20170204.bb => refpolicy-mls_2.20190201.bb} (100%)
> rename recipes-security/refpolicy/{refpolicy-standard_2.20170204.bb => refpolicy-standard_2.20190201.bb} (100%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
> create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
> delete mode 100644 recipes-security/refpolicy/refpolicy_2.20170204.inc
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20190201.inc
>
>
[-- Attachment #2: Type: text/html, Size: 36210 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
2019-04-11 8:19 ` Yi Zhao
@ 2019-04-12 19:24 ` Joe MacDonald
0 siblings, 0 replies; 4+ messages in thread
From: Joe MacDonald @ 2019-04-12 19:24 UTC (permalink / raw)
To: Yi Zhao; +Cc: yocto
[-- Attachment #1: Type: text/plain, Size: 1658 bytes --]
Hi Yi,
[Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)] On 19.04.11 (Thu 16:19) Yi Zhao wrote:
> Hi Joe,
>
> Thank you for working on the refpolicy upgrade.
> I have a quick test with your patch. Here are the results:
>
> Machine: qemux86-64
> Image: core-image-selinux
> Init manager: systemd
> Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 enforcing=
> X" qemuparams="-m 1024"
>
> 1. All refpolicy type of git version can be built without problems.
>
> 2. With parameter selinux=1 & enforcing=0
> The qemu can boot up and login for all refpolicy types.
Perfect, that's what I had when testing on my reference hardware, so I'm
happy you were able to validate those results.
> 3. With parameter selinux=1 & enforcing=1
> Some of services failed to startup when booting. But this issue also exist on
> old refpolicy version (2.20170204)
Yeah, and given the scope of this change my goal was mainly parity with
the old policy but based on a version that's 2-ish years newer. So once
that's done I think we can reasonably work at enabling the additional
services in some structured way.
> 4. refpolicy stable version (2.20190201)
> I got an do_fetch error with refpolicy stable version.
> Seems the SRC_URI is not correct. It should be "https://github.com/
> SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-$
> {PV}.tar.bz2"
Thanks, good catch, I don't know how that slipped through. Corrected on
my end, I'll update it in a bit.
-J.
>
>
> Regards,
> Yi
--
-Joe MacDonald.
:wq
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 499 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
2019-04-10 15:53 [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400) Joe MacDonald
2019-04-11 8:19 ` Yi Zhao
@ 2019-04-14 16:26 ` Joe MacDonald
1 sibling, 0 replies; 4+ messages in thread
From: Joe MacDonald @ 2019-04-14 16:26 UTC (permalink / raw)
To: mark.hatle, yocto
[-- Attachment #1: Type: text/plain, Size: 35866 bytes --]
Hi all,
Update on this, I've just now completed this merge (with Yi's corrected
SRC_URI for the RELEASE_2.20190201 tag) and I'm going to start pulling
in the additional meta-selinux patches that have been sent to the
mailing list. I'll prep a queue of those updates soon and send out
another pull mail to the list in order to keep everyone reasonably
informed of what's in and what's not. Once that happens, if you have a
patch that's still pending but not in my pull list, please let me know
with a follow up to the list.
Thanks,
-J.
[[yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)] On 19.04.10 (Wed 11:53) Joe MacDonald wrote:
> This is a huge, long-overdue update the refpolicy. I apologise for it
> blocking the other outstanding meta-selinux patches, but I've been
> trying to limit the scope of changes while this happens. Now that this
> is cleared off the slate, I'll be gathering up the other meta-selinux
> patches from the list. I'll send out a follow-up on those as they're
> merged and another when I think I'm done, so if I've missed your patch,
> that'll be the time to ping me about it.
>
> As for this, here's what I've done.
>
> - manually reviewed all patches that had been present in
> repolicy-* for both the old stable (2.20170204) and git
> versions
>
> - forked the SELinuxPolicy/refpolicy repo and applied all
> still-relevant patches to the RELEASE_2.20190201 branch
>
> - restructured the patches so that all patches that should
> reasonably apply to all variants (mcs, mls, minimum, standard
> and targeted) were in a common branch and only the ones that
> are specific to each variant would be in their own recipe
>
> - restructure the patches so that systemd and sysvinit patches
> were not applied to the same tree
>
> - created a parallel set of branches for each of these against
> current git HEAD
>
> The results of this can be examined here:
>
> https://github.com/joeythesaint/refpolicy
>
> Then each of these were exported and put in the appropriate SRC_URIs so
> the branch structure is more-or-less preserved.
>
> My goals with this approach were the following:
>
> - make it easier to keep refpolicy up to date, particularly for
> anyone wanting to use the git variants
>
> - make it easier to determine how your preferred version of
> refpolicy on Yocto differs from upstream refpolicy
>
> - limit the above differences to the minimum to achieve the goal
> of a functional Yocto system
>
> - eventually move us away from release tarballs entirely
>
> That last point is why I'm preserving the refpolicy fork above. I'd
> like to keep going with this and so future refpolicy patches will first
> be put in that repo then exported and applied to the SRC_URIs. If you
> have such a patch and want to send me a PR against the branch you think
> it belongs on from github directly, that'd be awesome, but the old
> method of patches to the mailing list will work fine too, just know that
> this is the way I'm going to try to manage this for the foreseeable
> future. Ultimately, if this proves to work well, I would like to move
> the refpolicy fork off github and house it on git.yoctoproject.org
> beside meta-selinux, but the workflow needs to be properly validated
> first.
>
> One additional point, I intend to take another pass at revising this
> stuff, ideally moving the huge number of common patches out as well.
> There's still some that aren't necessary for base yocto but are for
> additional layers. That's fine for us to have, but I'd like to get
> those moved to optional layer directories so we're making the best use
> of that functionality we can. If you have suggestions on which pieces
> already present are good candidates, let me know. Similarly, if you've
> got additional policy patches you want to see included, feel free to
> send them along, we can easily move them to optional locations inside
> meta-selinux.
>
> Finally, please everyone test this and provide feedback on anything that
> doesn't work or looks strange. This is easily the biggest change we've
> had in meta-selinux in years and I expect there's still some wrinkles to
> be ironed out. And I really appreciate everyone's patience while we got
> to this point and hope it's not too much more pain before we put a
> ribbon on this and call it done.
>
> I'll give this until at least the weekend before merging it to master,
> pending comments or an overwhelming "please just do it" from the
> community.
>
> Thanks.
>
> ---
>
> The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:
>
> Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 +0100)
>
> are available in the Git repository at:
>
> git://git.yoctoproject.org/meta-selinux yocto/master-next
>
> for you to fetch changes up to 776da889b550ac9e5be414a8cc10fd86b1923264:
>
> refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
>
> ----------------------------------------------------------------
> Joe MacDonald (1):
> refpolicy: update to 2.20190201 and git HEAD policies
>
> README | 16 +-
> .../refpolicy-2.20170204/poky-fc-clock.patch | 20 --
> .../poky-fc-corecommands.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-dmesg.patch | 18 --
> .../poky-fc-fix-real-path_login.patch | 37 ---
> .../poky-fc-fix-real-path_shadow.patch | 34 ---
> .../refpolicy-2.20170204/poky-fc-fstools.patch | 75 ------
> .../refpolicy-2.20170204/poky-fc-ftpwho-dir.patch | 27 ---
> .../refpolicy-2.20170204/poky-fc-iptables.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-mta.patch | 27 ---
> .../refpolicy-2.20170204/poky-fc-netutils.patch | 24 --
> .../refpolicy-2.20170204/poky-fc-nscd.patch | 25 --
> .../refpolicy-2.20170204/poky-fc-rpm.patch | 23 --
> .../refpolicy-2.20170204/poky-fc-screen.patch | 23 --
> .../refpolicy-2.20170204/poky-fc-su.patch | 20 --
> .../refpolicy-2.20170204/poky-fc-subs_dist.patch | 33 ---
> .../refpolicy-2.20170204/poky-fc-sysnetwork.patch | 48 ----
> .../refpolicy-2.20170204/poky-fc-udevd.patch | 38 ---
> .../poky-fc-update-alternatives_bash.patch | 24 --
> .../poky-fc-update-alternatives_hostname.patch | 21 --
> .../poky-fc-update-alternatives_sysklogd.patch | 62 -----
> .../poky-fc-update-alternatives_sysvinit.patch | 57 -----
> ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 ---
> ...licy-add-rules-for-var-log-symlink-apache.patch | 31 ---
> ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
> ...poky-policy-add-rules-for-var-log-symlink.patch | 185 ---------------
> ...-policy-allow-nfsd-to-exec-shell-commands.patch | 60 -----
> ...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
> .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 37 ---
> .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 259 ---------------------
> ...olicy-fix-setfiles-statvfs-get-file-count.patch | 32 ---
> ...-volatile-alias-common-var-volatile-paths.patch | 36 +++
> ...001-fix-update-alternatives-for-sysvinit.patch} | 51 ++--
> ...nimum-audit-logging-getty-audit-related-.patch} | 17 +-
> ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
> ...nimum-locallogin-add-allow-rules-for-typ.patch} | 11 +-
> ...ysklogd-apply-policy-to-sysklogd-symlink.patch} | 49 ++--
> ...nimum-systemd-unconfined-lib-add-systemd.patch} | 34 +--
> ...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
> ...nimum-systemd-mount-logging-authlogin-ad.patch} | 39 ++--
> ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
> ...inimum-init-fix-reboot-with-systemd-as-in.patch | 9 +-
> ...nf-label-resolv.conf-in-var-run-properly.patch} | 24 +-
> ...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
> ...ogin-apply-login-context-to-login.shadow.patch} | 22 +-
> ...inimum-systemd-fix-for-login-journal-serv.patch | 33 +--
> .../0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
> ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 34 ++-
> .../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
> ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 13 +-
> ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
> ...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
> ...snetwork-apply-policy-to-ip-alternatives.patch} | 35 ++-
> ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
> ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
> ...15-fc-su-apply-policy-to-su-alternatives.patch} | 18 +-
> ...016-fc-fstools-fix-real-path-for-fstools.patch} | 58 ++---
> ...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
> ...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
> ...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
> ...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
> ...e-files-add-rules-for-the-symlink-of-tmp.patch} | 69 ++----
> ...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
> ...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
> ...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
> ...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
> ...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
> ...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
> ...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
> ...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
> ...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
> ...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
> ...e-init-update-for-systemd-related-allow-.patch} | 16 +-
> ...cy-minimum-make-sysadmin-module-optional.patch} | 28 +--
> ...le-apache-add-rules-for-the-symlink-of-va.patch | 33 +++
> ...-volatile-alias-common-var-volatile-paths.patch | 36 +++
> ...0001-fix-update-alternatives-for-sysvinit.patch | 53 +++++
> ...inimum-audit-logging-getty-audit-related-.patch | 68 ++++++
> ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 31 +++
> ...inimum-locallogin-add-allow-rules-for-typ.patch | 54 +++++
> ...sysklogd-apply-policy-to-sysklogd-symlink.patch | 57 +++++
> ...inimum-systemd-unconfined-lib-add-systemd.patch | 121 ++++++++++
> ...-apply-policy-to-common-yocto-hostname-al.patch | 27 +++
> ...inimum-systemd-mount-logging-authlogin-ad.patch | 96 ++++++++
> ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 30 +++
> ...inimum-init-fix-reboot-with-systemd-as-in.patch | 37 +++
> ...nf-label-resolv.conf-in-var-run-properly.patch} | 26 ++-
> ...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++
> ...login-apply-login-context-to-login.shadow.patch | 27 +++
> ...inimum-systemd-fix-for-login-journal-serv.patch | 103 ++++++++
> ...h => 0008-fc-bind-fix-real-path-for-bind.patch} | 25 +-
> ...inimum-systemd-fix-for-systemd-tmp-files-.patch | 110 +++++++++
> .../0009-fc-hwclock-add-hwclock-alternatives.patch | 28 +++
> ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 70 ++++++
> ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 24 ++
> ...-fc-ssh-apply-policy-to-ssh-alternatives.patch} | 21 +-
> ...ysnetwork-apply-policy-to-ip-alternatives.patch | 48 ++++
> ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 28 +++
> ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 29 +++
> ...15-fc-su-apply-policy-to-su-alternatives.patch} | 20 +-
> ...0016-fc-fstools-fix-real-path-for-fstools.patch | 76 ++++++
> ...e-logging-Add-the-syslogd_t-to-trusted-o.patch} | 18 +-
> ...le-logging-add-rules-for-the-symlink-of-v.patch | 100 ++++++++
> ...le-logging-add-rules-for-syslogd-symlink-.patch | 33 +++
> ...e-logging-add-domain-rules-for-the-subdi.patch} | 18 +-
> ...e-files-add-rules-for-the-symlink-of-tmp.patch} | 71 ++----
> ...e-terminals-add-rules-for-bsdpty_device_.patch} | 60 ++---
> ...e-terminals-don-t-audit-tty_device_t-in-.patch} | 18 +-
> ...ule-rpc-allow-nfsd-to-exec-shell-commands.patch | 29 +++
> ...e-rpc-fix-policy-for-nfsserver-to-mount-.patch} | 96 ++++----
> ...odule-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 ++++++++++
> ...y-module-rpc-allow-sysadm-to-run-rpcinfo.patch} | 24 +-
> ...e-userdomain-fix-selinux-utils-to-manage.patch} | 28 +--
> ...le-selinuxutil-fix-setfiles-statvfs-to-ge.patch | 33 +++
> ...le-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch | 25 ++
> ...e-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} | 26 ++-
> ...e-init-update-for-systemd-related-allow-.patch} | 23 +-
> ...cy-minimum-make-sysadmin-module-optional.patch} | 53 ++---
> ...e-apache-add-rules-for-the-symlink-of-va.patch} | 24 +-
> .../refpolicy/refpolicy-git/poky-fc-clock.patch | 19 --
> .../refpolicy/refpolicy-git/poky-fc-dmesg.patch | 15 --
> .../poky-fc-fix-real-path_shadow.patch | 50 ----
> .../refpolicy-git/poky-fc-ftpwho-dir.patch | 27 ---
> .../refpolicy/refpolicy-git/poky-fc-mta.patch | 27 ---
> .../refpolicy/refpolicy-git/poky-fc-nscd.patch | 25 --
> .../refpolicy/refpolicy-git/poky-fc-rpm.patch | 23 --
> .../refpolicy/refpolicy-git/poky-fc-screen.patch | 23 --
> .../refpolicy-git/poky-fc-subs_dist.patch | 32 ---
> .../refpolicy/refpolicy-git/poky-fc-udevd.patch | 27 ---
> .../poky-fc-update-alternatives_bash.patch | 12 -
> .../poky-fc-update-alternatives_hostname.patch | 19 --
> ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 29 ---
> ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 ---
> ...poky-policy-add-rules-for-var-log-symlink.patch | 88 -------
> ...-policy-allow-nfsd-to-exec-shell-commands.patch | 81 -------
> ...-policy-allow-setfiles_t-to-read-symlinks.patch | 30 ---
> .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 22 --
> .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 253 --------------------
> ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 ---
> ...s_2.20170204.bb => refpolicy-mcs_2.20190201.bb} | 0
> ...inimum-systemd-mount-enable-requiried-ref.patch | 47 ----
> ...20170204.bb => refpolicy-minimum_2.20190201.bb} | 39 ++--
> .../refpolicy/refpolicy-minimum_git.bb | 22 +-
> ...s_2.20170204.bb => refpolicy-mls_2.20190201.bb} | 0
> ...0170204.bb => refpolicy-standard_2.20190201.bb} | 0
> ...efpolicy-remove-duplicate-type_transition.patch | 46 ----
> ...move-duplicate-type_transition_2.20170204.patch | 46 ----
> .../refpolicy-unconfined_u-default-user.patch | 222 ------------------
> ...licy-unconfined_u-default-user_2.20170204.patch | 222 ------------------
> .../refpolicy/refpolicy-targeted_2.20170204.bb | 29 ---
> .../refpolicy/refpolicy-targeted_2.20190201.bb | 35 +++
> .../refpolicy/refpolicy-targeted_git.bb | 22 +-
> .../refpolicy/refpolicy_2.20170204.inc | 58 -----
> .../refpolicy/refpolicy_2.20190201.inc | 7 +
> recipes-security/refpolicy/refpolicy_common.inc | 48 +++-
> recipes-security/refpolicy/refpolicy_git.inc | 55 +----
> 156 files changed, 3145 insertions(+), 3748 deletions(-)
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysvinit.patch => refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch} (51%)
> rename recipes-security/refpolicy/{refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch => refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch} (85%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
> rename recipes-security/refpolicy/{refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch => refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch} (87%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-update-alternatives_sysklogd.patch => refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch => refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch} (79%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
> rename recipes-security/refpolicy/{refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch => refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch} (76%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch (83%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_login.patch => refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch (82%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-bind.patch => refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch} (62%)
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch (80%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-minimum => refpolicy-2.20190201}/0009-refpolicy-minimum-systemd-fix-for-syslog.patch (90%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-ssh.patch => refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (55%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-sysnetwork.patch => refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fix-real-path_su.patch => refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-fc-fstools.patch => refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch} (66%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch => refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch => refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
> rename recipes-security/refpolicy/{refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (54%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch => refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch => refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch => refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch => refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch => refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
> rename recipes-security/refpolicy/{refpolicy-git/refpolicy-update-for_systemd.patch => refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch} (66%)
> rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch => refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch => refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-fc-fix-bind.patch => 0008-fc-bind-fix-real-path-for-bind.patch} (62%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-ssh.patch => refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-fc-fix-real-path_su.patch => refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch} (52%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-syslogd_t-to-trusted-object.patch => 0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch} (69%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-cache-symlink.patch => 0020-policy-module-logging-add-domain-rules-for-the-subdi.patch} (69%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch => refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch} (53%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-bsdpty_device_t.patch => 0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch} (67%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-don-t-audit-tty_device_t.patch => 0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch} (66%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch => 0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch} (54%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-allow-sysadm-to-run-rpcinfo.patch => 0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch} (70%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-fix-seutils-manage-config-files.patch => 0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch} (60%)
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
> create mode 100644 recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
> rename recipes-security/refpolicy/refpolicy-git/{ftp-add-ftpd_t-to-mlsfilewrite.patch => 0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch} (74%)
> rename recipes-security/refpolicy/{refpolicy-2.20170204/refpolicy-update-for_systemd.patch => refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch} (52%)
> rename recipes-security/refpolicy/{refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch => refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch} (56%)
> rename recipes-security/refpolicy/refpolicy-git/{poky-policy-add-rules-for-var-log-symlink-apache.patch => 0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch} (54%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
> rename recipes-security/refpolicy/{refpolicy-mcs_2.20170204.bb => refpolicy-mcs_2.20190201.bb} (100%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
> rename recipes-security/refpolicy/{refpolicy-minimum_2.20170204.bb => refpolicy-minimum_2.20190201.bb} (66%)
> rename recipes-security/refpolicy/{refpolicy-mls_2.20170204.bb => refpolicy-mls_2.20190201.bb} (100%)
> rename recipes-security/refpolicy/{refpolicy-standard_2.20170204.bb => refpolicy-standard_2.20190201.bb} (100%)
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
> delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
> create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
> delete mode 100644 recipes-security/refpolicy/refpolicy_2.20170204.inc
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20190201.inc
>
> --
> -Joe MacDonald.
> :wq
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 201 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-04-16 11:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-10 15:53 [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400) Joe MacDonald
2019-04-11 8:19 ` Yi Zhao
2019-04-12 19:24 ` Joe MacDonald
2019-04-14 16:26 ` Joe MacDonald
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.