Merge branch 'master-next'

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

conf/distro/oe-selinux.conf

@@ -1,4 +1,4 @@
 DISTRO = "oe-selinux"
 DISTROOVERRIDES .= ":selinux"
 
-DISTRO_FEATURES_append = " acl xattr pam selinux compressed_policy"
+DISTRO_FEATURES_append = " acl xattr pam selinux"

recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch

@@ -1,32 +0,0 @@
-From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
-From: Sven Vermeulen <sven.vermeulen@siphos.be>
-Date: Wed, 25 Sep 2013 20:27:34 +0200
-Subject: [PATCH] Allow ping to get/set capabilities
-
-When ping is installed with capabilities instead of being marked setuid,
-then the ping_t domain needs to be allowed to getcap/setcap.
-
-Reported-by: Luis Ressel <aranea@aixah.de>
-Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
-
-Upstream-Status: backport
----
- policy/modules/admin/netutils.te |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 557da97..cfe036a 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -106,6 +106,8 @@ optional_policy(`
- #
- 
- allow ping_t self:capability { setuid net_raw };
-+# When ping is installed with capabilities instead of setuid
-+allow ping_t self:process { getcap setcap };
- dontaudit ping_t self:capability sys_tty_config;
- allow ping_t self:tcp_socket create_socket_perms;
- allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
--- 
-1.7.10.4
-

recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch

@@ -1,25 +0,0 @@
-Allow udev the block_suspend capability
-
-Upstream-Status: backport
-upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- policy/modules/system/udev.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 90e4ab3..efe6c02 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
- 
- allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
- dontaudit udev_t self:capability sys_tty_config;
-+allow udev_t self:capability2 block_suspend;
- allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
--- 
-1.7.9.5
-

recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch

@@ -1,30 +0,0 @@
-Upstream-Status: backport
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-=========================
-From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Tue, 24 Sep 2013 15:39:21 +0200
-Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs)
- file systems
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/kernel/filesystem.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index ed59e5e..f72cde1 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
- # tmpfs_t is the type for tmpfs filesystems
- #
- type tmpfs_t;
-+dev_associate(tmpfs_t)
- fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
--- 
-1.7.10.4
-

recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch

@@ -1,59 +0,0 @@
-From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Fri, 27 Sep 2013 10:36:14 +0200
-Subject: [PATCH] hostname: do not audit attempts by hostname to read and
- write dhcpc udp sockets (looks like a leaked fd)
-
-Upstream-Status: backport
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/system/hostname.te   |    1 +
- policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..380197b 100644
---- a/policy/modules/system/hostname.te
-+++ b/policy/modules/system/hostname.te
-@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
- 
- miscfiles_read_localization(hostname_t)
- 
-+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
- sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
- sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 52b548c..2cea692 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to read and
-+##	write dhcpc udp socket descriptors.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
-+	gen_require(`
-+		type dhcpc_t;
-+	')
-+
-+	dontaudit $1 dhcpc_t:udp_socket { read write };
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to use
- ##	the dhcp file descriptors.
- ## </summary>
--- 
-1.7.10.4
-

recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch

@@ -1,27 +0,0 @@
-From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/services/xserver.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 4f6d693..b00f004 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t)
- # this is not actually a device, its a pipe
- type xconsole_device_t;
- files_type(xconsole_device_t)
-+dev_node(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
- 
--- 
-1.7.9.5
-

recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch

@@ -1,41 +0,0 @@
-From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Fri, 27 Sep 2013 11:35:41 +0200
-Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports
- sysnetwork: do not audit attempts by ifconfig to read, and
- write dhcpc udp sockets (looks like a leaked fd)
-
-Upstream-Status: backport
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/system/sysnetwork.te |    6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index f9dce11..67709b5 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
- corenet_udp_bind_dhcpc_port(dhcpc_t)
- corenet_tcp_connect_all_ports(dhcpc_t)
- corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
--corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
-+
-+corenet_sendrecv_all_server_packets(dhcpc_t)
-+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
- 
- dev_read_sysfs(dhcpc_t)
- # for SSP:
-@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t)
- 
- seutil_use_runinit_fds(ifconfig_t)
- 
-+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
-+
- userdom_use_user_terminals(ifconfig_t)
- userdom_use_all_users_fds(ifconfig_t)
- 
--- 
-1.7.10.4
-

recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch

@@ -6,12 +6,11 @@ Subject: [PATCH] refpolicy: fix real path for fstools
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- policy/modules/system/fstools.fc |   12 ++++++++++++
- 1 file changed, 12 insertions(+)
+ policy/modules/system/fstools.fc |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
 
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 7a46b45..a724776 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,6 +1,8 @@
@@ -23,48 +22,44 @@ index 7a46b45..a724776 100644
  /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,12 @@
+@@ -9,9 +11,11 @@
  /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/fdisk\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/hdparm\.hdparm	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,21 +29,28 @@
+@@ -24,6 +28,7 @@
  /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/mkswap\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -34,6 +39,7 @@
  /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/swapoff\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zdb		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -50,7 +56,12 @@
  
- /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  
--- 
-1.7.9.5
-
+ /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)

recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch

@@ -6,19 +6,17 @@ mapping to the pathes in file_contexts.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- config/file_contexts.subs_dist |    8 ++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
+ config/file_contexts.subs_dist |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
 
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 32b87a4..ebba73d 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,14 @@
- /usr/lib32 /usr/lib
- /usr/lib64 /usr/lib
+@@ -19,3 +19,13 @@
+ /usr/local/lib64 /usr/lib
+ /usr/local/lib /usr/lib
  /var/run/lock /var/lock
-+/etc/init.d /etc/rc.d/init.d
 +/var/volatile/log /var/log
 +/var/volatile/run /var/run
 +/var/volatile/cache /var/cache
@@ -29,6 +27,3 @@ index 32b87a4..ebba73d 100644
 +/usr/lib/busybox/bin /bin
 +/usr/lib/busybox/sbin /sbin
 +/usr/lib/busybox/usr /usr
--- 
-1.7.5.4
-

recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch

@@ -9,12 +9,11 @@ add rules to access sysfs.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- policy/modules/kernel/selinux.if |   40 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 40 insertions(+)
+ policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
 
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 81440c5..ee4e86b 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
@@ -28,7 +27,7 @@ index 81440c5..ee4e86b 100644
  	# starting in libselinux 2.0.5, init_selinuxmnt() will
  	# attempt to short circuit by checking if SELINUXMNT
  	# (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
  		type security_t;
  	')
  
@@ -72,7 +71,7 @@ index 81440c5..ee4e86b 100644
  	allow $1 security_t:filesystem getattr;
  ')
  
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
+@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
  		type security_t;
  	')
  
@@ -80,7 +79,7 @@ index 81440c5..ee4e86b 100644
  	dontaudit $1 security_t:filesystem getattr;
  ')
  
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
+@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
  		type security_t;
  	')
  
@@ -88,16 +87,15 @@ index 81440c5..ee4e86b 100644
  	dontaudit $1 security_t:dir getattr;
  ')
  
-@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
+@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir search_dir_perms;
  ')
- 
-@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
  		type security_t;
  	')
  
@@ -105,7 +103,7 @@ index 81440c5..ee4e86b 100644
  	dontaudit $1 security_t:dir search_dir_perms;
  ')
  
-@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
  		type security_t;
  	')
  
@@ -113,52 +111,75 @@ index 81440c5..ee4e86b 100644
  	dontaudit $1 security_t:dir search_dir_perms;
  	dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
- 		bool secure_mode_policyload;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
- 	typeattribute $1 can_load_policy;
-@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
+@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
- 	allow $1 security_t:security read_policy;
-@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
- 		type security_t;
- 	')
- 
-+	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
- 
-@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
+@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
  		bool secure_mode_policyload;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+-
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+ 
+@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+-
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
  	allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
+@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
  		attribute can_setsecparam;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security setsecparam;
-@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
+@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs_dirs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
  		type security_t;
  	')
  
@@ -166,51 +187,43 @@ index 81440c5..ee4e86b 100644
  	dontaudit $1 security_t:dir list_dir_perms;
  	dontaudit $1 security_t:file rw_file_perms;
  	dontaudit $1 security_t:security check_context;
-@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
+@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security compute_av;
-@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
+@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security compute_create;
-@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
+@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security compute_member;
-@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
+@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security compute_relabel;
-@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
+@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_dirs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
- 	allow $1 security_t:security compute_user;
--- 
-1.7.9.5
-

recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch

@@ -6,6 +6,7 @@ Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpc.te       |    5 +++++
  policy/modules/contrib/rpcbind.te   |    5 +++++
@@ -13,11 +14,9 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  policy/modules/kernel/kernel.te     |    2 ++
  4 files changed, 13 insertions(+)
 
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 5605205..9e9f468 100644
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  optional_policy(`
  	mount_exec(nfsd_t)
@@ -29,27 +28,23 @@ index 5605205..9e9f468 100644
  ')
  
  ########################################
-diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
-index 196f168..9c75677 100644
 --- a/policy/modules/contrib/rpcbind.te
 +++ b/policy/modules/contrib/rpcbind.te
-@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t)
+@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
  
- sysnet_dns_name_resolve(rpcbind_t)
+ miscfiles_read_localization(rpcbind_t)
  
 +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
 +# because the are running in different level. So add rules to allow this.
 +mls_socket_read_all_levels(rpcbind_t)
 +mls_socket_write_all_levels(rpcbind_t)
 +
- optional_policy(`
- 	nis_use_ypbind(rpcbind_t)
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
  ')
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 1c66416..2b9e7ce 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -57,11 +52,9 @@ index 1c66416..2b9e7ce 100644
  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
  
  type oprofilefs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 49fde6e..a731078 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
+@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
  mls_process_write_down(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t)
@@ -70,6 +63,3 @@ index 49fde6e..a731078 100644
  
  ifdef(`distro_redhat',`
  	# Bugzilla 222337
--- 
-1.7.9.5
-

recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb

@@ -6,8 +6,6 @@ level. This is useful on systems where a hierarchical policy (MLS) isn't \
 needed (pretty much all systems) but the non-hierarchical categories are. \
 "
 
-PR = "r99"
-
 POLICY_TYPE = "mcs"
 
 include refpolicy_${PV}.inc

recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb

@@ -1,5 +1,3 @@
-PR = "r99"
-
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -40,19 +38,11 @@ prepare_policy_store () {
 	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
 	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
 	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	if  ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then
-		bzip2 base.pp
-		cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-		for i in ${POLICY_MODULES_MIN}; do
-			bzip2 $i
-			cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
-		done
-	else
-		bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
-			${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-		for i in ${POLICY_MODULES_MIN}; do
-			bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
-				${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
-		done
-	fi
+	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+		bzip2 -f $i && mv -f $i.bz2 $i
+	done
+	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+	for i in ${POLICY_MODULES_MIN}; do
+		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+	done
 }

recipes-security/refpolicy/refpolicy-mls_2.20140311.bb

@@ -5,8 +5,6 @@ It allows giving data labels such as \"Top Secret\" and preventing \
 such data from leaking to processes or files with lower classification. \
 "
 
-PR = "r99"
-
 POLICY_TYPE = "mls"
 
 include refpolicy_${PV}.inc

recipes-security/refpolicy/refpolicy-standard_2.20140311.bb

@@ -3,8 +3,6 @@ DESCRIPTION = "\
 This is the reference policy for SELinux built with type enforcement \
 only."
 
-PR = "r99"
-
 POLICY_TYPE = "standard"
 
 include refpolicy_${PV}.inc

recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch

@@ -1,4 +1,4 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
+refpolicy: make unconfined_u the default selinux user
 
 For targeted policy type, we define unconfined_u as the default selinux
 user for root and normal users, so users could login in and run most
@@ -10,16 +10,15 @@ run_init.
 Upstream-Status: Inappropriate [configuration] 
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- config/appconfig-mcs/seusers        |    4 +-
- policy/modules/roles/sysadm.te      |    1 +
- policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++------
+ config/appconfig-mcs/seusers        |    4 +--
+ policy/modules/roles/sysadm.te      |    1 
+ policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++-------
  policy/modules/system/unconfined.te |    7 +++++
- policy/users                        |   14 +++------
- 5 files changed, 54 insertions(+), 19 deletions(-)
+ policy/users                        |   16 ++++--------
+ 5 files changed, 55 insertions(+), 20 deletions(-)
 
-diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
-index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
 @@ -1,3 +1,3 @@
@@ -28,11 +27,9 @@ index dc5f1e4..4428da8 100644
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 85ff145..77d7bdc 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t)
+@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
  ubac_fd_exempt(sysadm_t)
  
  init_exec(sysadm_t)
@@ -40,11 +37,9 @@ index 85ff145..77d7bdc 100644
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..fa46786 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',`
+@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type',
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -59,7 +54,7 @@ index d26fe81..fa46786 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',`
+@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -73,7 +68,7 @@ index d26fe81..fa46786 100644
  	')
  ')
  
-@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',`
+@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -97,7 +92,7 @@ index d26fe81..fa46786 100644
  	')
  ')
  
-@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -130,8 +125,6 @@ index d26fe81..fa46786 100644
 +	role_transition $1 init_script_file_type system_r;
 +')
 +
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 0280b32..00b4dcf 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
 @@ -20,6 +20,11 @@ type unconfined_execmem_t;
@@ -146,17 +139,15 @@ index 0280b32..00b4dcf 100644
  
  ########################################
  #
-@@ -34,6 +39,8 @@ mcs_killall(unconfined_t)
- mcs_ptrace_all(unconfined_t)
- 
- init_run_daemon(unconfined_t, unconfined_r)
-+init_domtrans_script(unconfined_t)
-+init_script_role_transition(unconfined_r)
- 
- libs_run_ldconfig(unconfined_t, unconfined_r)
- 
-diff --git a/policy/users b/policy/users
-index c4ebc7e..f300f22 100644
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom
+ ifdef(`direct_sysadm_daemon',`
+         optional_policy(`
+                 init_run_daemon(unconfined_t, unconfined_r)
++                init_domtrans_script(unconfined_t)
++                init_script_role_transition(unconfined_r)
+         ')
+ ',`
+         ifdef(`distro_gentoo',`
 --- a/policy/users
 +++ b/policy/users
 @@ -15,7 +15,7 @@
@@ -168,7 +159,7 @@ index c4ebc7e..f300f22 100644
  
  #
  # user_u is a generic user identity for Linux users who have no
-@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m
  # permit any access to such users, then remove this entry.
  #
  gen_user(user_u, user, user_r, s0, s0)
@@ -178,12 +169,16 @@ index c4ebc7e..f300f22 100644
 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
  
  # Until order dependence is fixed for users:
--gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ifdef(`direct_sysadm_daemon',`
+-        gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++        gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ',`
+-        gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++        gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ')
  
  #
- # The following users correspond to Unix identities.
-@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`
  # role should use the staff_r role instead of the user_r role when
  # not in the sysadm_r.
  #
@@ -193,6 +188,3 @@ index c4ebc7e..f300f22 100644
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- 
-1.7.1
-

recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb

@@ -12,8 +12,9 @@ POLICY_NAME = "targeted"
 POLICY_TYPE = "mcs"
 POLICY_MLS_SENS = "0"
 
-PR = "r99"
 include refpolicy_${PV}.inc
 
-SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-	file://refpolicy-unconfined_u-default-user.patch"
+SRC_URI += " \
+            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+            file://refpolicy-unconfined_u-default-user.patch \
+           "

recipes-security/refpolicy/refpolicy_2.20140311.inc

@@ -1,8 +1,8 @@
-SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
-SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
+SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "418f8d2a6ada3a299816153e70970449"
+SRC_URI[sha256sum] = "f69437db95548c78a5dec44c236397146b144153149009ea554d2e536e5436f7"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:"
 
 # Fix file contexts for Poky
 SRC_URI += "file://poky-fc-subs_dist.patch \
@@ -49,19 +49,11 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
            "
 
 # Other policy fixes 
-SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+SRC_URI += " \
             file://poky-policy-fix-seutils-manage-config-files.patch \
             file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-            file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
-            file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
             file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
            "
 
-# Backport from upstream
-SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
-            file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \
-            file://Allow-udev-the-block_suspend-capability.patch \
-           "
-
 include refpolicy_common.inc

recipes-security/refpolicy/refpolicy_common.inc

@@ -13,7 +13,7 @@ S = "${WORKDIR}/refpolicy"
 
 FILES_${PN} = " \
 	${sysconfdir}/selinux/${POLICY_NAME}/ \
-	${@bb.utils.contains('DISTRO_FEATURES', 'compressed_policy', '${datadir}/selinux/${POLICY_NAME}/*.pp.bz2', '${datadir}/selinux/${POLICY_NAME}/*.pp', d)} \
+	${datadir}/selinux/${POLICY_NAME}/*.pp \
 	"
 FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
 
@@ -69,24 +69,14 @@ prepare_policy_store () {
 	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
 	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
 	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	if  ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then
-		for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-			bzip2 $i
-			if [ "`basename $i`" != "base.pp" ]; then
-				cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
-			else
-				cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
-			fi
-		done
-	else
-		bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  >\
-			${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-		for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-			if [ "`basename $i`" != "base.pp" ]; then
-				bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
-			fi
-		done
-	fi
+	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+		bzip2 -f $i && mv -f $i.bz2 $i
+		if [ "`basename $i`" != "base.pp" ]; then
+			cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
+		else
+			cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
+		fi
+	done
 }
 
 rebuild_policy () {

recipes-security/selinux/checkpolicy.inc

@@ -11,7 +11,7 @@ LICENSE = "GPLv2+"
 
 DEPENDS += "libsepol libselinux bison-native flex-native"
 
-SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch"
+#SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch"
 
 EXTRA_OEMAKE += "PREFIX=${D}" 
 EXTRA_OEMAKE += "LEX='flex'"

recipes-security/selinux/checkpolicy_2.2.bb

@@ -1,9 +0,0 @@
-PR = "r99"
-
-include selinux_20131030.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "d76d5c70cd594fdb15f8d319c6536324"
-SRC_URI[sha256sum] = "5d74075379cbaf17135c2a113a3053bd2e7b2a2c54ac04458de652457306c020"

recipes-security/selinux/checkpolicy_2.3.bb

@@ -0,0 +1,7 @@
+include selinux_20140506.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "920f1a048b6023a22e1bae7b40fd413c"
+SRC_URI[sha256sum] = "8072c12121613ba943417bbb6d33224d12373ea19d75c5acd1846a35e0e05b74" 

recipes-security/selinux/libselinux_2.3.bb

@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
 
-SRC_URI[md5sum] = "c13ea5de171f21fee399abfd4aef9481"
-SRC_URI[sha256sum] = "cc8354d67d7bef11fb2a03d23e788c6f4e8510b6760c3778dc7baf6dcfa97539"
+SRC_URI[md5sum] = "d27e249ad8450e7182203134cf4d85e2"
+SRC_URI[sha256sum] = "03fe2baa7ceeea531a64fd321b44ecf09a55f3af5ef66a58a4135944f34e9851"
 
 SRC_URI += "\
         file://libselinux-drop-Wno-unused-but-set-variable.patch \

recipes-security/selinux/libsemanage_2.3.bb

@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
-SRC_URI[md5sum] = "2bb8f4b728a5667519764297b7725c19"
-SRC_URI[sha256sum] = "9b421ce1df10594cb467eef37faeb403d5c6b341a4b7e4b407ac4cb77df95cba"
+SRC_URI[md5sum] = "cc313b400637d94e3a549bf77555d8c3"
+SRC_URI[sha256sum] = "4c984379a98ee9f05b80ff6e57dd2de886273d7136146456cabdce21ac32ed7f"
 
 SRC_URI += "\
 	file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \

recipes-security/selinux/libsepol_2.2.bb

@@ -1,9 +0,0 @@
-PR = "r99"
-
-include selinux_20131030.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "2d43599ed29fea9ef41218ec9635ef64"
-SRC_URI[sha256sum] = "fbd77459fd03979a9020289b10c89a0af56a52bcd0f7ae0a78455713bb04878b"

recipes-security/selinux/libsepol_2.3.bb

@@ -0,0 +1,7 @@
+include selinux_20140506.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "c6b3dc07bf19ab4f364f21bbecb44beb"
+SRC_URI[sha256sum] = "5a4481bfd0fad6fdad1511c786d69de1fc3eddc28154eae1691e1bf4e9e505c3"

recipes-security/selinux/policycoreutils.inc

@@ -211,7 +211,7 @@ FILES_${PN}-setsebool += "\
 FILES_system-config-selinux = " \
     ${bindir}/sepolgen \
     ${datadir}/system-config-selinux/* \
-    ${datadir}/icons/hicolor/24x24/apps/system-config-selinux.png \
+    ${datadir}/icons/hicolor/ \
     ${datadir}/polkit-1/actions/org.selinux.config.policy \
 "
 

recipes-security/selinux/policycoreutils_2.3.bb

@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-SRC_URI[md5sum] = "f330a90c566c8b564858d45399ce3dd1"
-SRC_URI[sha256sum] = "3d2c8806742004693c2d4726abbc4f412340ee07bed407976dd8abeda09a4333"
+SRC_URI[md5sum] = "4f5c508e3c3867c8beb343e993d353dd"
+SRC_URI[sha256sum] = "11e8815ac13debb87897d2781381b89ec5c6c746a3d44223a493bc7ace6cc71f"
 
 SRC_URI += "\
 	file://policycoreutils-fix-sepolicy-install-path.patch \

recipes-security/selinux/selinux_git.inc

@@ -1,6 +1,6 @@
 SRCREV = "edc2e99687b050d5be21a78a66d038aa1fc068d9"
 
-SRC_URI = "git://oss.tresys.com/git/selinux.git;protocol=http"
+SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
 
 include selinux_common.inc
 

recipes-security/selinux/sepolgen_1.2.1.bb

@@ -1,6 +1,4 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"

recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch

@@ -0,0 +1,34 @@
+From 74680dfb3df4c0c5b0e4bcf41717a9ea16fd8680 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Mon, 29 Sep 2014 14:19:48 -0400
+Subject: [PATCH] replcon: correct invalid prototype for lsetfilecon_raw
+
+Port debian patch from:
+
+        git://anonscm.debian.org/selinux/setools.git
+        commit a3ab84b35efd9c42641d53ec2236ad01f7411df7
+
+Upstream-Status: Denied [ the setools3 tree is in stasis and the focus is
+                          only on setools4 now ]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ secmds/replcon.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/secmds/replcon.cc b/secmds/replcon.cc
+index 34f7c1a..307c39f 100644
+--- a/secmds/replcon.cc
++++ b/secmds/replcon.cc
+@@ -60,7 +60,7 @@ static struct option const longopts[] = {
+ 	{NULL, 0, NULL, 0}
+ };
+ 
+-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
+ 
+ /**
+  * As that setools must work with older libselinux versions that may
+-- 
+1.9.1
+

recipes-security/setools/setools_3.3.8.bb

@@ -14,7 +14,6 @@ SRC_URI[sha256sum] = "44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e3
 
 SRC_URI += "file://setools-neverallow-rules-all-always-fail.patch"
 SRC_URI += "file://setools-Fix-sepol-calls-to-work-with-latest-libsepol.patch"
-#SRC_URI += "file://setools-Changes-to-support-named-file_trans-rules.patch"
 
 SRC_URI += "file://setools-Don-t-check-selinux-policies-if-disabled.patch"
 SRC_URI += "file://setools-configure-ac.patch"
@@ -23,6 +22,8 @@ SRC_URI += "file://setools-cross-ar.patch"
 SRC_URI += "file://setools-Fix-test-bug-for-unary-operator.patch"
 SRC_URI += "file://setools-Fix-python-setools-Makefile.am-for-cross.patch"
 
+SRC_URI += "file://setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch"
+
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=26035c503c68ae1098177934ac0cc795 \
                     file://${S}/COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe \
                     file://${S}/COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24"