[Feature][ZXW-65] merged P49 base code

Change-Id: I3e09c0c3d47483bc645f02310380ecb7fc6f4041
diff --git a/cap/zx297520v3/sources/meta-selinux/MAINTAINERS b/cap/zx297520v3/sources/meta-selinux/MAINTAINERS
new file mode 100755
index 0000000..0dc492e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/MAINTAINERS
@@ -0,0 +1,42 @@
+This file contains a list of maintainers for the meta-selinux layer.
+
+Please submit any patches against meta-selinux to the Yocto Project mailing
+list (yocto@lists.yoctoproject.org).
+
+git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-selinux][PATCH
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-selinux][PATCH
+
+You may also contact the maintainers directly.
+
+Descriptions of section entries:
+
+	M: Mail patches to: FullName <address@domain>
+	F: Files and directories with wildcard patterns.
+	   A trailing slash includes all files and subdirectory files.
+	   F:	recipes-devtools/	all files in and below meta-crownbay
+	   F:	recipes-selinux/*	all files in meta-crownbay, but not below
+	   One pattern per line.  Multiple F: lines acceptable.
+
+Please keep this list in alphabetical order.
+
+Maintainers List (try to look for most precise areas first)
+
+COMMON
+M:	Joe MacDonald <joe_macdonald@mentor.com>
+F:	conf
+F:	classes
+F:	recipes-*
+
+M:	Philip Tricca <flihp@twobit.us>
+F:	conf
+F:	classes
+F:	recipes-*
+
+COMMON
+M:	Yi Zhao <yi.zhao@windriver.com>
+F:	conf
+F:	recipes-*
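Review bot: the F: examples in the "Descriptions of section entries" block still say "all files in and below meta-crownbay" / "all files in meta-crownbay, but not below"; they were copied from another layer's MAINTAINERS and should name meta-selinux. The list also contradicts its own "Please keep this list in alphabetical order": there are two "COMMON" headings, and the Philip Tricca entry sits under neither, so the three entries belong in one COMMON block sorted by name. Separately, this file, the README, the FAQ and every .bbclass and .inc in the commit are added with mode 100755; documentation and metadata should be 100644.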
diff --git a/cap/zx297520v3/sources/meta-selinux/README b/cap/zx297520v3/sources/meta-selinux/README
new file mode 100755
index 0000000..20e94ca
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/README
@@ -0,0 +1,115 @@
+meta-selinux
+============
+
+This layer's purpose is enabling SE Linux support.
+
+The majority of this layers work is accomplished in bbappend files, used to
+enable SE Linux support in existing recipes.
+
+A new recipes-security was added.  The purpose of this category is to add
+software specific to system security.
+
+Please see the MAINTAINERS file for information on contacting the maintainers
+of this layer, as well as instructions for submitting patches.
+
+
+Dependencies
+------------
+
+This layer depends on the openembedded-core metadata and the meta-python and
+meta-oe layers from the meta-openembedded repository.
+
+
+Maintenance
+-----------
+Please see the MAINTAINERS file for information on contacting the maintainers
+of this layer, as well as instructions for submitting patches.
+
+
+Building the meta-selinux layer
+-------------------------------
+In order to add selinux support to the poky build this layer should be added
+to your projects bblayers.conf file.
+
+By default the selinux components are disabled.  This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer you must add the 'selinux' to the
+DISTRO_FEATURES.  In addition to selinux, you should be sure that acl, xattr and
+pam are also present.
+e.g. DISTRO_FEATURES_append = " acl xattr pam selinux"
+
+You must also specify a preferred provider for the virtual/refpolicy.  The
+included policies with this layer are simply reference policies and will need
+to be tailored for your environment.  
+* Enable the refpolicy-mls:
+e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
+
+
+Using different versions of refpolicy
+-------------------------------------
+To prepare selinux enabled images using different ver. of refpolicy,
+we can choose supported releases of refpolicy
+refer to available versions under recipes-security/refpolicy
+
+We can use the refpolicy directly from git repository instead of release tarballs.
+By default refpolicy from git builds head commit of master branch, we can update
+SRCREV for refpolicy and refpolicy-contrib as appropriate at refpolicy_git.inc
+to check refpolicy as per required commits.
+
+* enable the preferred refpolicy-minimum:
+PREFERRED_VERSION_refpolicy-minimum = "2.20151208"
+PREFERRED_VERSION_refpolicy = "2.20151208"
+
+
+Using different init manager
+----------------------------
+By default selinux enabled images coming up with "sysvinit" as init manager,
+we can use "systemd" as an init manager using below changes to local.conf
+
+* enable systemd as init manager changes to local.conf
+DISTRO_FEATURES_remove = " sysvinit"
+DISTRO_FEATURES_append = " systemd"
+VIRTUAL-RUNTIME_init_manager = "systemd"
+DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
+
+
+Starting up the system
+----------------------
+Most likely the reference policy selected will not just work "out of the box".
+
+As always, if you update the reference policy to better work with OpenEmbedded
+or Poky configurations, please submit the changes back to the project.
+
+When using 'core-image-selinux', the system will boot and automatically setup
+the policy by running the "fixfiles -f -F relabel" for you.  This is
+implemented via the 'selinux-autorelabel' recipe.
+
+The 'core-image-selinux-minimal' does not automatically relabel the system.
+So you must boot using the parameters "selinux=1 enforcing=0", and then
+manually perform the setup.  Running 'fixfiles -f -F relabel' is available
+in this configuration.
+
+After logging in you can verify selinux is present using:
+
+$ sestatus
+
+Output should include:
+SELinux status:                 enabled
+...
+Current mode:                   enforcing
+...
+
+The above indicates that selinux is currently running, and if you are running
+in an enforcing mode or not.
+
+
+License
+-------
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
+
+This README document is Copyright (C) 2012 Wind River Systems, Inc.
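Review bot: the paragraph "Please see the MAINTAINERS file for information on contacting the maintainers ..." appears twice, once in the introduction and again under "Maintenance"; keep one. The "Dependencies" section states a dependency on meta-oe, but layer.conf in this commit lists only core and meta-python in LAYERDEPENDS_selinux and pulls meta-oe content in through BBFILES_DYNAMIC, so either the README should call meta-oe optional or the two files should agree. The feature list here (" acl xattr pam selinux") also differs from the FAQ's (" pam selinux"); SELinux labels live in extended attributes, so the README's fuller list is the one both documents should carry. Minor wording: "SE Linux" should be "SELinux", "this layers work" should be "this layer's work", and "your projects bblayers.conf" should be "your project's bblayers.conf".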
diff --git a/cap/zx297520v3/sources/meta-selinux/SELinux-FAQ b/cap/zx297520v3/sources/meta-selinux/SELinux-FAQ
new file mode 100755
index 0000000..b6a0df9
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/SELinux-FAQ
@@ -0,0 +1,154 @@
+                                 SELinux FAQ
+
+----------------------------------------------------------------------------
+
+This file contains answers to frequently-asked questions about the SELinux
+feature for Poky.
+
+Copyright (C) 2012 Wind River Systems, Inc. 
+
+============================================================================
+
+Table of Contents
+
+1. About SELinux
+  * 1.1 What is SELinux?
+  * 1.2 How does this layer do to enable SELinux features? 
+
+2. Building with SELinux
+
+  * 2.1 How can I build a SELinux image?
+  * 2.2 How can I add SELinux to my custom images?
+
+3. Using SELinux
+
+  * 3.1 How do I turn SELinux off at boot?
+  * 3.2 How do I turn enforcing mode on/off at boot?
+
+4. Resolving Problems
+
+  * 4.1 Why I can not login in via ssh in enforcing mode? 
+
+==============================================================================
+
+1 - About SELinux
+
+------------------------------------------------------------------------------
+
+1.1 - What is SELinux?
+
+Security-enhanced Linux (SELinux) is a reference implementation of the Flask
+security architecture for flexible mandatory access control. It was created to
+demonstrate the value of flexible mandatory access controls and how such 
+controls could be added to an operating system. 
+
+1.2 - How does this layer do to enable SELinux features? 
+
+To enable SELinux features, this layers has done these works:
+
+   * new DISTRO_FEATURES "selinux" defined
+   * new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux"
+   * config file for Linux kernel to enable SELinux
+   * recipes for SELinux userland libraries and tools
+   * package group (packagegroup-core-selinux) for SELinux userland packages
+   * bbappends for SELinux related recipes to build with SELinux enabled
+   * recipes for SELinux policy modified from refpolicy
+
+
+==============================================================================
+
+2 - Building with SELinux 
+
+------------------------------------------------------------------------------
+
+2.1 - How can I build a SELinux image?
+
+After init Poky build environment, please follow these steps:
+
+   1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file.
+
+   2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux"
+      in BUILDDIR/conf/local.conf file.
+
+   3. Build the default selinux image.
+
+       $ bitbake core-image-selinux
+
+2.2 - How can I add SELinux to my custom images?
+
+If you only want to add SELinux to your custom image, then you should perform
+the following steps:
+
+   1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file
+
+   2. Add DISTRO_FEATURES_append=" pam selinux" in BUILDDIR/conf/local.conf 
+      file.
+
+   3. Add packagegroup-core-selinux to your custom image.
+      For example, if core-image-custom.bb is your building image file, then
+      you should add packagegroup-core-selinux to IMAGE_INSTALL in 
+      core-image-custom.bb.
+
+   4. Build your custom image in build directory
+
+       $ bitbake core-image-custom
+
+
+
+==============================================================================
+
+3 - Using SELinux 
+
+------------------------------------------------------------------------------
+
+3.1 - How do I turn SELinux off at boot?
+
+Set SELINUX=disabled in /etc/selinux/config.
+
+Alternatively, you can add "selinux=0" to your kernel boot parameters. It is
+not recommended but useful on some testing situations.
+For example, when you are using qemu targets,  
+
+  $ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0"
+
+The initial filesystem relabel step requires considerable memory and can result
+in unexpected, sometimes impossible to reproduce, failures if an OOM condition
+occurs while it is in progress.  Therefore you should consider allocating at a
+minimum 512MB of RAM to your qemu image.  1GB or more is recommended.  This is
+accomplished by adding qemuparams="-m 1024" to your runqemu options.
+
+The defaults for various platforms vary, though it is usually around 256MB.
+
+3.2 - How do I turn enforcing mode on/off?
+
+You can specify the SELinux mode in /etc/selinux/config.
+
+  # SELINUX= can take one of these three values:
+  #       enforcing - SELinux security policy is enforced.
+  #       permissive - SELinux prints warnings instead of enforcing.
+  #       disabled - No SELinux policy is loaded.
+  SELINUX=enforcing
+
+Setting "SELINUX" to "enforcing" is the same as adding "enforcing=1" to the 
+kernel boot parameters. While to "permissive" is the same as adding
+"enforcing=0" to the kernel boot parameters.
+However, to "disabled" is not the same as the "selinux=0" kernel boot
+parameter. Rather than fully disabling SELinux in the kernel, the "disabled"
+setting instead turns enforcing off and skips loading a policy.
+
+==============================================================================
+
+4 - Resolving Problems
+
+------------------------------------------------------------------------------
+
+4.1 - Why I can not login in via ssh in enforcing mode?
+
+Please check "PermitEmptyPasswords" in /etc/ssh/sshd_config. If it is set to
+"yes", set to "no" then restart sshd. That's because pam_selinux module does 
+not allow sshd to set PermitEmptyPasswords to "yes".
+
+Note: If both IMAGE_FEATURES debug-tweaks ssh-server-openssh are enabled, this 
+"PermitEmptyPasswords" will be set to "yes" by default for Poky images.
+
+
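Review bot: the description of SELINUX=disabled under 3.2 ("turns enforcing off and skips loading a policy") is only the fallback behaviour: libselinux's init-time loader (selinux_init_load_policy) first asks the kernel to disable SELinux through /sys/fs/selinux/disable, which works when the kernel is built with CONFIG_SECURITY_SELINUX_DISABLE, and only drops to "permissive, no policy" when that runtime disable is unavailable; stating this makes the contrast with the selinux=0 boot parameter accurate for this layer's kernel config. Under 4.1, say outright that debug-tweaks is a development-only IMAGE_FEATURE and that PermitEmptyPasswords yes must not reach a shipped image, rather than presenting it only as a login obstacle in enforcing mode. Also the table of contents lists "3.2 How do I turn enforcing mode on/off at boot?" while the heading drops "at boot", and the questions "How does this layer do to enable SELinux features?" and "Why I can not login in via ssh in enforcing mode?" should read "What does this layer do to enable SELinux features?" and "Why can I not log in via ssh in enforcing mode?".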
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/enable-audit.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/enable-audit.bbclass
new file mode 100755
index 0000000..4538b0b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/enable-audit.bbclass
@@ -0,0 +1,4 @@
+# There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled.
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}"
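Review bot: this class appends "audit" to PACKAGECONFIG but, unlike with-audit.bbclass (which defines PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit,"), it defines no PACKAGECONFIG[audit] entry, so a recipe that inherits it without supplying its own definition gets no configure flag and no audit dependency, silently. Either add a PACKAGECONFIG[audit] line with the --enable-audit/--disable-audit form, mirroring enable-selinux.bbclass, or state in the header comment that the inheriting recipe must define it.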
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/enable-selinux.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/enable-selinux.bbclass
new file mode 100755
index 0000000..de2a124
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/enable-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/meson-enable-selinux.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/meson-enable-selinux.bbclass
new file mode 100755
index 0000000..91c2a2b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/meson-enable-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/meson-selinux.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/meson-selinux.bbclass
new file mode 100755
index 0000000..77a763a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/meson-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
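Review bot: meson-enable-selinux.bbclass (-Dselinux=enabled/disabled) and this class (-Dselinux=true/false) differ only in the value form the recipe's meson_options.txt expects (a 'feature' option versus a 'boolean' option), but neither file says so. A one-line header comment in each naming the option type it targets would stop a recipe from inheriting the wrong one, which fails at configure time with an invalid option value rather than building without SELinux.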
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/selinux-image.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/selinux-image.bbclass
new file mode 100755
index 0000000..7f157d3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/selinux-image.bbclass
@@ -0,0 +1,15 @@
+selinux_set_labels () {
+    POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
+    if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
+    then
+        echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image.
+        touch ${IMAGE_ROOTFS}/.autorelabel
+        exit 0
+    fi
+}
+
+DEPENDS += "policycoreutils-native"
+
+IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
+
+inherit core-image
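Review bot: selinux_set_labels has no guard for a missing or unparsable ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config: when the sed match fails, POL_TYPE is empty, setfiles is pointed at .../selinux//contexts/files/file_contexts, and the function falls through to the warning branch and .autorelabel, so the image's first boot runs with unlabeled files and nothing in the build fails. Check that POL_TYPE is non-empty and that the file_contexts file exists, and bbfatal otherwise; an image whose labeling is silently deferred is the case a build should refuse, not warn about. The message should use bbwarn rather than a bare echo so it reaches the build log, `exit 0` inside the function should be `return 0` (exiting the shell from a pre-process hook depends on how the hook is invoked), and ${POL_TYPE} should be quoted in the path.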
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/selinux.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/selinux.bbclass
new file mode 100755
index 0000000..13256d5
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/selinux.bbclass
@@ -0,0 +1,12 @@
+def target_selinux(d, truevar = 'selinux', falsevar = ''):
+    if not bb.utils.contains("DISTRO_FEATURES", "selinux", True, False, d):
+        return falsevar
+
+    pn = d.getVar("PN")
+    type = pn.replace(d.getVar("BPN"), "")
+    if type in ("-native", "nativesdk-", "-cross", "-crosssdk"):
+        return falsevar
+
+    return truevar 
+
+LIBSELINUX = "${@target_selinux(d, 'libselinux')}"
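Review bot: target_selinux detects native/cross variants by stripping BPN out of PN and comparing the remainder against a fixed list; this is fragile string arithmetic (it breaks whenever BPN is not a single occurrence at the expected position) and the local `type` shadows the Python builtin. bb.data.inherits_class('native', d), and likewise 'nativesdk', 'cross' and 'crosssdk', answers the actual question directly and is the idiomatic check; with it the replace/compare goes away. Also drop the trailing whitespace after `return truevar`.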
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/with-audit.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/with-audit.bbclass
new file mode 100755
index 0000000..0c15312
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/with-audit.bbclass
@@ -0,0 +1,5 @@
+# There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled.
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}"
+PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit,"
diff --git a/cap/zx297520v3/sources/meta-selinux/classes/with-selinux.bbclass b/cap/zx297520v3/sources/meta-selinux/classes/with-selinux.bbclass
new file mode 100755
index 0000000..7873d9b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/classes/with-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux,"
diff --git a/cap/zx297520v3/sources/meta-selinux/conf/layer.conf b/cap/zx297520v3/sources/meta-selinux/conf/layer.conf
new file mode 100755
index 0000000..da24359
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/conf/layer.conf
@@ -0,0 +1,31 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a packages directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILES_DYNAMIC += "openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+                    openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend \
+                    networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+                    networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+                    virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb \
+                    virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend \
+                    meta-python2:${LAYERDIR}/dynamic-layers/python2-layer/recipes*/*/*.bb \
+                    meta-python2:${LAYERDIR}/dynamic-layers/python2-layer/recipes*/*/*.bbappend \
+                   "
+
+BBFILE_COLLECTIONS += "selinux"
+BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
+BBFILE_PRIORITY_selinux = "5"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_selinux = "1"
+
+LAYERSERIES_COMPAT_selinux = "dunfell"
+
+LAYERDEPENDS_selinux = " \
+    core \
+    meta-python \
+"
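Review bot: the comment "We have a packages directory, add to BBFILES" is stale; the globs below match recipes-*/. The BBFILES_DYNAMIC entries use two different directory globs (*/*/*.bb for openembedded-layer and networking-layer, recipes*/*/*.bb for the others) with no visible reason; pick one. LAYERDEPENDS_selinux hard-depends on meta-python (part of meta-openembedded) while meta-oe content is optional through openembedded-layer in BBFILES_DYNAMIC; if that split is intentional, the README's Dependencies section should say which layer is required and which is optional.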
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
new file mode 100755
index 0000000..43fb348
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
@@ -0,0 +1,123 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:
+# Required-Start:
+# Required-Stop:
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the iSCSI initiator services and logins to default targets
+### END INIT INFO
+#set -x
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/iscsid
+ADM=/usr/sbin/iscsiadm
+PIDFILE=/var/run/iscsid.pid
+
+[ -x "$DAEMON" ] || exit 0
+
+if [ ! -d /sys/class/ ]; then
+  echo "Failure:" "iSCSI requires a mounted sysfs, not started."
+  exit 1
+fi
+
+nodestartup_re='s/^node\.conn\[0]\.startup[ 	]*=[ 	]*//p'
+
+RETVAL=0
+
+start() {
+	echo "Starting iSCSI initiator service" "iscsid"
+	modprobe -q iscsi_tcp 2>/dev/null || :
+	modprobe -q ib_iser 2>/dev/null || :
+	if [ ! -f /etc/iscsi/initiatorname.iscsi ]; then
+		INITIATORNAME=$(iscsi-iname)
+		cat >/etc/iscsi/initiatorname.iscsi <<EOF
+## DO NOT EDIT OR REMOVE THIS FILE!
+## If you remove this file, the iSCSI daemon will not start.
+## If you change the InitiatorName, existing access control lists
+## may reject this initiator.  The InitiatorName must be unique
+## for each iSCSI initiator.  Do NOT duplicate iSCSI InitiatorNames.
+InitiatorName=$INITIATORNAME
+EOF
+	fi
+
+	# Fix label for /etc/iscsi/initiatorname.iscsi if SELinux was enabled
+	test ! -x /sbin/restorecon || /sbin/restorecon -F /etc/iscsi/initiatorname.iscsi
+
+	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
+	RETVAL=$?
+	starttargets
+}
+
+starttargets() {
+	echo "Setting up iSCSI targets"
+	$ADM -m node --loginall=automatic
+}
+
+stoptargets() {
+	echo "Disconnecting iSCSI targets"
+	sync
+	$ADM -m node --logoutall=all
+	RETVAL=$?
+	#if RETVAL is 21, means no active sessions, consider ok
+	if [ "$RETVAL" = "21" ]; then
+		RETVAL=0
+	fi
+}
+
+stop() {
+	stoptargets
+	if [ $RETVAL -ne 0 ]; then
+		echo "Failure:" "Could not stop all targets, try again later"
+		return $RETVAL
+	fi
+
+	echo "Stopping iSCSI initiator service"
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
+	rm -f $PIDFILE
+	status=0
+	modprobe -r ib_iser 2>/dev/null
+	if [ "$?" -ne "0" -a "$?" -ne "1" ]; then
+		status=1
+	fi
+	modprobe -r iscsi_tcp 2>/dev/null
+	if [ "$?" -ne "0" -a "$?" -ne "1" ]; then
+		status=1
+	fi
+}
+
+restart() {
+	stop
+	if [ $RETVAL -ne 0 ]; then
+		echo "Failure:" "Stopping iSCSI initiator service failed, not starting"
+		return $RETVAL
+	fi
+	start
+}
+
+restarttargets() {
+	stoptargets
+	if [ $RETVAL -ne 0 ]; then
+		echo "Failure:" "Could not stop all targets, try again later"
+		return $RETVAL
+	fi
+	starttargets
+}
+
+status() {
+	#XXX FIXME: what to do here?
+	#status iscsid
+	# list active sessions
+	echo Current active iSCSI sessions:
+	$ADM -m session
+}
+
+case "$1" in
+	start|starttargets|stop|stoptargets|restart|restarttargets|status)
+		$1
+		;;
+	*)
+		echo "Usage: $0 {start|stop|restart|status}"
+		exit 1
+		;;
+esac
+exit $RETVAL
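Review bot: stop() computes `status` from the two `modprobe -r` results but never uses it, and start() sets RETVAL from start-stop-daemon and then calls starttargets, whose `iscsiadm -m node --loginall=automatic` exit status is dropped, so the final `exit $RETVAL` reports success when target login failed; fold both results into RETVAL. The LSB header has every field empty (Provides:, Required-Start:, Required-Stop:, Default-Start:, Default-Stop:), which makes insserv/update-rc.d ordering meaningless; at minimum Provides: should name the script and Required-Start: should include $network. Minor: `#set -x` and the unused `nodestartup_re` are leftovers, and /etc/iscsi/initiatorname.iscsi is written with the default umask; since target-side ACLs key on InitiatorName, creating it with restrictive permissions (umask 077 around the heredoc) is the safer default.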
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
new file mode 100755
index 0000000..81fe7b7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
@@ -0,0 +1 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
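Review bot: this .inc only prepends FILESEXTRAPATHS, so the initd.debian above replaces the base recipe's copy purely by search-path order; a comment stating that the file overrides upstream's initd.debian to add the restorecon step for /etc/iscsi/initiatorname.iscsi would make the override discoverable.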
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/files/sitecustomize.py b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/files/sitecustomize.py
new file mode 100755
index 0000000..d2b71fa
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/files/sitecustomize.py
@@ -0,0 +1,26 @@
+# OpenEmbedded sitecustomize.py (C) 2002-2008 Michael 'Mickey' Lauer <mlauer@vanille-media.de>
+# GPLv2 or later
+# Version: 20081123
+# Features:
+# * set proper default encoding
+# Features removed for SELinux:
+# * enable readline completion in the interactive interpreter
+# * load command line history on startup
+# * save command line history on exit 
+
+import os
+
+def __enableDefaultEncoding():
+    import sys
+    try:
+        sys.setdefaultencoding( "utf8" )
+    except LookupError:
+        pass
+
+import sys
+try:
+    import rlcompleter, readline
+except ImportError:
+    pass
+else:
+    __enableDefaultEncoding()
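Review bot: the default-encoding setup is gated on `import rlcompleter, readline` succeeding, which is a leftover from the removed readline features: on an image without readline the encoding is never set, and on one with readline the modules are imported for no purpose, although the accompanying python_selinux.inc says the history-file handlers were removed precisely so the interpreter does not touch a history file under SELinux. Call __enableDefaultEncoding() unconditionally and drop the try/import block. `import os` and the module-level `import sys` are unused.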
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_%.bbappend b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_selinux.inc b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_selinux.inc
new file mode 100755
index 0000000..bb54a90
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/python2-layer/recipes-devtools/python/python_selinux.inc
@@ -0,0 +1,5 @@
+# If selinux enabled, disable handlers to rw command history file
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit selinux
+
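Review bot: `inherit selinux` is unused here (nothing references target_selinux or LIBSELINUX), and the file does not show how sitecustomize.py enters SRC_URI; if the base python recipe already lists file://sitecustomize.py and this copy wins only through FILESEXTRAPATHS ordering, the comment should say so, otherwise a reader cannot tell the override is intentional. Trailing blank line at end of file.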
diff --git a/cap/zx297520v3/sources/meta-selinux/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
new file mode 100755
index 0000000..74e22b3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_selinux.inc
new file mode 100755
index 0000000..1be9260
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/bind_selinux.inc
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://volatiles.04_bind"
+
+do_install_append() {
+	install -d ${D}${sysconfdir}/default/volatiles
+	install -m 0644 ${WORKDIR}/volatiles.04_bind ${D}${sysconfdir}/default/volatiles/04_bind
+
+	sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a\
+	    [ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key' ${D}${sysconfdir}/init.d/bind
+}
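Review bot: the sed that inserts `[ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key` after the rndc-confgen line succeeds even when the pattern does not match, so an upstream change to the init script silently drops the relabel and rndc.key, generated at first start, is left with the wrong context. Guard it with `grep -q` on the pattern and bbfatal on no match so the build fails instead.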
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/files/volatiles.04_bind b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/files/volatiles.04_bind
new file mode 100755
index 0000000..c6a8151
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/bind/files/volatiles.04_bind
@@ -0,0 +1,4 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d root root 0755 /var/run/named none
+d root root 0755 /var/run/bind/run none
+d root root 0755 /var/cache/bind none
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_selinux.inc
new file mode 100755
index 0000000..08389f1
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/dhcp_selinux.inc
@@ -0,0 +1,3 @@
+inherit selinux
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/files/init-server b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/files/init-server
new file mode 100755
index 0000000..a0e901a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/dhcp/files/init-server
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $
+#
+
+test -f /usr/sbin/dhcpd || exit 0
+
+# It is not safe to start if we don't have a default configuration...
+if [ ! -f /etc/default/dhcp-server ]; then
+	echo "/etc/default/dhcp-server does not exist! - Aborting..."
+	exit 0
+fi
+
+# Read init script configuration (so far only interfaces the daemon
+# should listen on.)
+. /etc/default/dhcp-server
+
+# Restorecon for /var/lib/dhcp/{dhcpd.leases,dhcpd6.leases}
+restorecon_dhcpd_leases(){
+	test ! -x /sbin/restorecon || for x in dhcpd.leases dhcpd6.leases; do
+		[ -f /var/lib/dhcp/$x ] && /sbin/restorecon -F /var/lib/dhcp/$x
+	done
+}
+
+case "$1" in
+	start)
+		echo -n "Starting DHCP server: "
+		test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
+		test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases	
+		restorecon_dhcpd_leases
+		start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user dhcp -group dhcp
+		echo "."
+		;;
+	stop)
+		echo -n "Stopping DHCP server: dhcpd3"
+		start-stop-daemon -K -x /usr/sbin/dhcpd
+		echo "."
+		;;
+	restart | force-reload)
+		$0 stop
+		sleep 2
+		$0 start
+		if [ "$?" != "0" ]; then
+			exit 1
+		fi
+		;;
+	*)
+		echo "Usage: /etc/init.d/dhcp-server {start|stop|restart|force-reload}"
+		exit 1 
+esac
+
+exit 0
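Review bot: the `if [ "$?" != "0" ]` after `$0 start` in the restart branch is dead code: every path past the argument check ends in `exit 0`, and the start branch never examines start-stop-daemon's result, so a failed dhcpd start still prints "." and exits 0. Capture start-stop-daemon's status in the start branch and exit with it. The missing-config check prints "Aborting..." but exits 0, which hides the misconfiguration from the init system (LSB uses 6 for "not configured"). Minor: the stop message still says "dhcpd3", and `echo -n` is not portable across /bin/sh implementations.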
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/iproute2/iproute2_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/iproute2/iproute2_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/iproute2/iproute2_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/files/pam/sshd b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/files/pam/sshd
new file mode 100755
index 0000000..72303eb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/files/pam/sshd
@@ -0,0 +1,24 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    required     pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account    include      common-account
+password   include      common-password
+session    optional     pam_keyinit.so force revoke
+session    include      common-session
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
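Review bot: typo in the comment on the close rule: "Without out this" should be "Without this". The ordering is right and deserves one more sentence of explanation: `pam_selinux.so close` first among the session rules, `pam_loginuid.so` before `pam_selinux.so open`, and `open` as the very last session rule, because any session module placed after `open` runs in the user's context rather than sshd's. The `[success=ok ignore=ignore module_unknown=ignore default=bad]` control is what lets the rule tolerate a missing module without being `optional`; a later "simplification" to `optional` would let a failed context switch through, so that reasoning belongs in the comment.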
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100755
index 0000000..99c51bf
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,15 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+
+# if pam feature is enabled in the distro then take sshd from the pam directory.
+FILESEXTRAPATHS_prepend := "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${THISDIR}/files/pam:', '', d)}"
+
+do_install_append(){
+
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+        # Make sure UsePAM entry is in the sshd_config file.
+        # If entry not present then append it.
+        grep -q 'UsePAM' "${D}/etc/ssh/sshd_config" && \
+        sed -i 's/.*UsePAM.*/UsePAM yes/' "${D}/etc/ssh/sshd_config" || \
+        echo 'UsePAM yes' >> "${D}/etc/ssh/sshd_config"
+    fi
+}
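Review bot: the `grep -q 'UsePAM' ... && sed -i ... || echo 'UsePAM yes' >> ...` chain in `do_install_append` is not an if/else: if `grep` matches but `sed -i` fails, the `||` branch still runs and appends a second `UsePAM` line. Write it as `if grep -q 'UsePAM' "${D}/etc/ssh/sshd_config"; then sed -i ...; else echo 'UsePAM yes' >> ...; fi`. Also worth a comment: `s/.*UsePAM.*/UsePAM yes/` deliberately rewrites a commented `#UsePAM no` line as well, which is presumably the intent (uncomment and enable), but a reader of the recipe cannot tell that from the code.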
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_selinux.inc
new file mode 100755
index 0000000..ebd2721
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-connectivity/openssh/openssh_selinux.inc
@@ -0,0 +1,9 @@
+inherit with-selinux
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+# There is no distro feature just for audit.
+PACKAGECONFIG_append = " audit"
+
+PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit,"
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_selinux.inc
new file mode 100755
index 0000000..6e491ce
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/busybox/busybox_selinux.inc
@@ -0,0 +1,88 @@
+PTEST_BINDIR = "0"
+
+FILES_${PN} += "${libdir}/${PN}"
+
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+    # We need to load the full set of busybox provides from the /etc/busybox.links
+    # Use this to see the update-alternatives with the right information
+
+    dvar = d.getVar('D')
+    pn = d.getVar('PN')
+    base_bindir = d.getVar('base_bindir')
+
+    def create_sh_alternative_vars(links, target, mode):
+        import shutil
+        # Create sh wrapper template
+        fwp = open("busybox_wrapper", 'w')
+        fwp.write("#!%s" % (target))
+        os.fchmod(fwp.fileno(), mode)
+        fwp.close()
+        # Install the sh wrappers and alternatives reset to link to them
+        wpdir = os.path.join(d.getVar('libdir'), pn)
+        wpdir_dest = '%s%s' % (dvar, wpdir)
+        if not os.path.exists(wpdir_dest):
+            os.makedirs(wpdir_dest)
+        f = open('%s%s' % (dvar, links), 'r')
+        for alt_link_name in f:
+            alt_link_name = alt_link_name.strip()
+            alt_name = os.path.basename(alt_link_name)
+            # Copy script wrapper to wp_path
+            alt_wppath = '%s%s' % (wpdir, alt_link_name)
+            alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) 
+            alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+            if not os.path.exists(alt_wpdir_dest):
+                os.makedirs(alt_wpdir_dest)
+            shutil.copy2("busybox_wrapper", alt_wppath_dest)
+            # Re-set alternatives
+            # Match coreutils
+            if alt_name == '[':
+                alt_name = 'lbracket'
+            d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+            d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+            if os.path.exists(alt_wppath_dest):
+                d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+        f.close()
+
+        os.remove("busybox_wrapper")
+        return
+
+    if os.path.exists('%s/etc/busybox.links' % (dvar)):
+        create_sh_alternative_vars("/etc/busybox.links", "%s/busybox" % base_bindir, 0o0755)
+    else:
+        create_sh_alternative_vars("/etc/busybox.links.nosuid", "%s/busybox.nosuid" % base_bindir, 0o0755)
+        create_sh_alternative_vars("/etc/busybox.links.suid", "%s/busybox.suid" % base_bindir, 0o4755)
+}
+
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+	# This part of code is dedicated to the on target upgrade problem.
+	# It's known that if we don't make appropriate symlinks before update-alternatives calls,
+	# there will be errors indicating missing commands such as 'sed'.
+	# These symlinks will later be updated by update-alternatives calls.
+	test -n 2 > /dev/null || alias test='busybox test'
+	if test "x$D" = "x"; then
+		# Remove busybox.nosuid if it's a symlink, because this situation indicates
+		# that we're installing or upgrading to a one-binary busybox.
+		if test -h /bin/busybox.nosuid; then
+			rm -f /bin/busybox.nosuid
+		fi
+		for suffix in "" ".nosuid" ".suid"; do
+			if test -e /etc/busybox.links$suffix; then
+				while read link; do
+					if test ! -e "$link"; then
+						# we can use busybox here because even if we are using splitted busybox
+						# we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+						busybox echo "#!/bin/busybox$suffix" > $link
+					fi
+				done < /etc/busybox.links$suffix
+			fi
+		done
+	fi
+}
+
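Review bot: in `pkg_postinst_${PN}`, the wrapper written by `busybox echo "#!/bin/busybox$suffix" > $link` gets the umask default mode and is never made executable, and `$link` is unquoted; add `chmod 755 "$link"` after the write and quote the variable. In `create_sh_alternative_vars`, the `0o4755` mode for the `.suid` wrappers has no runtime effect: Linux ignores the setuid bit on interpreted scripts, the privilege comes from the setuid bit on `/bin/busybox.suid` itself, so `0o0755` is sufficient and avoids setuid-flagged files turning up in rootfs audits. Minor: `if os.path.exists(alt_wppath_dest)` directly after `shutil.copy2(..., alt_wppath_dest)` is always true, and the two `open()` calls should use `with` so the handles are closed on error.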
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/coreutils/coreutils_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/coreutils/coreutils_%.bbappend
new file mode 100755
index 0000000..7b9a2dc
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/coreutils/coreutils_%.bbappend
@@ -0,0 +1,2 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/dbus/dbus_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/dbus/dbus_%.bbappend
new file mode 100755
index 0000000..ee221e2
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/dbus/dbus_%.bbappend
@@ -0,0 +1,2 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_%.bbappend
new file mode 100755
index 0000000..b0b03ec
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_%.bbappend
@@ -0,0 +1,2 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_selinux.inc
new file mode 100755
index 0000000..2ad6b13
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/eudev_selinux.inc
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit enable-selinux
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/files/init b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/files/init
new file mode 100755
index 0000000..daa4079
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/eudev/files/init
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:          udev
+# Required-Start:    mountvirtfs
+# Required-Stop:     
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Start udevd, populate /dev and load drivers.
+### END INIT INFO
+
+export TZ=/etc/localtime
+
+[ -d /sys/class ] || exit 1
+[ -r /proc/mounts ] || exit 1
+[ -x @UDEVD@ ] || exit 1
+
+[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+kill_udevd () {
+    pid=`pidof -x udevd`
+    [ -n "$pid" ] && kill $pid
+}
+
+case "$1" in
+  start)
+    export ACTION=add
+    # propagate /dev from /sys
+    echo "Starting udev"
+
+    # Check for requireed devtmpfs before trying to start udev and
+    # mount a no-existant fs.
+    if ! grep -q devtmpfs /proc/filesystems
+    then
+        echo "Missing devtmpfs, which is required for udev to run";
+        echo "Halting..."
+        halt
+    fi
+    # mount the devtmpfs on /dev, if not already done
+    LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && {
+            mount -n -o mode=0755 -t devtmpfs none "/dev"
+    }
+    [ -e /dev/pts ] || mkdir -m 0755 /dev/pts
+    [ -e /dev/shm ] || mkdir -m 1777 /dev/shm
+    # the automount rule for udev needs /tmp directory available, as /tmp is a symlink
+    # to /var/tmp which in turn is a symlink to /var/volatile/tmp, we need to make sure
+    # /var/volatile/tmp directory to be available.
+    mkdir -m 1777 -p /var/volatile/tmp
+
+    # restorecon /run early to allow mdadm creating dir /run/mdadm
+    test ! -x /sbin/restorecon || /sbin/restorecon -F /run
+
+    # make_extra_nodes
+    kill_udevd > "/dev/null" 2>&1
+
+    # trigger the sorted events
+    [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug
+    @UDEVD@ -d
+
+    udevadm control --env=STARTUP=1
+    if [ "$not_first_boot" != "" ];then
+            if [ "$PROBE_PLATFORM_BUS" != "yes" ]; then
+                PLATFORM_BUS_NOMATCH="--subsystem-nomatch=platform"
+            else
+                PLATFORM_BUS_NOMATCH=""
+            fi
+            udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux $PLATFORM_BUS_NOMATCH
+            (udevadm settle --timeout=3; udevadm control --env=STARTUP=)&
+    else
+            udevadm trigger --action=add
+            udevadm settle
+    fi
+
+    test ! -x /sbin/restorecon || /sbin/restorecon -F /dev /dev/shm /dev/pts
+
+    ;;
+  stop)
+    echo "Stopping udevd"
+    start-stop-daemon --stop --name udevd --quiet
+    ;;
+  restart)
+    $0 stop
+    sleep 1
+    $0 start
+    ;;
+  status)
+    pid=`pidof -x udevd`
+    if [ -n "$pid" ]; then
+	echo "udevd (pid $pid) is running ..."
+    else
+	echo "udevd is stopped"
+    fi
+    ;;
+  *)
+    echo "Usage: $0 {start|stop|status|restart}"
+    exit 1
+esac
+exit 0
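Review bot: two typos in the devtmpfs check comments, `requireed` and `no-existant` (should be `required` and `non-existent`). In the same `start)` branch, `echo -e '\000'` depends on a non-POSIX `echo` flag under `#!/bin/sh`; it works with busybox sh and bash, but `printf '\000'` is portable. The two relabel calls, `restorecon -F /run` before udevd starts and `restorecon -F /dev /dev/shm /dev/pts` after the trigger, are both guarded with `test ! -x /sbin/restorecon ||`, so the script still works on an image built without policycoreutils; good.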
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/glib-2.0/glib-2.0_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/glib-2.0/glib-2.0_%.bbappend
new file mode 100755
index 0000000..39a0a3a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/glib-2.0/glib-2.0_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-enable-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/files/devpts.sh b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/files/devpts.sh
new file mode 100755
index 0000000..a0b037f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/files/devpts.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          devpts
+# Required-Start: udev
+# Required-Stop:
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Mount /dev/pts file systems.
+### END INIT INFO
+
+. /etc/default/devpts
+
+if grep -q devpts /proc/filesystems
+then
+	#
+	#	Create multiplexor device.
+	#
+	test -c /dev/ptmx || mknod -m 666 /dev/ptmx c 5 2
+
+	#
+	#	Mount /dev/pts if needed.
+	#
+	if ! grep -q devpts /proc/mounts
+	then
+		mkdir -p /dev/pts
+		mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
+		test ! -x /sbin/restorecon || /sbin/restorecon -F /dev/pts
+	fi
+fi
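Review bot: `. /etc/default/devpts` is unguarded; if the file is absent the script continues with empty variables, the mount becomes `-ogid=,mode=` and fails, and `/dev/pts` stays unmounted. Guard the source (`[ -r /etc/default/devpts ] && . /etc/default/devpts`) or set defaults for `TTYGRP` and `TTYMODE` before sourcing, and quote the expansions in the `mount` line. The `restorecon -F /dev/pts` is correctly placed after the mount, which is the only point at which it can take effect.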
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts-1.0_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts-1.0_selinux.inc
new file mode 100755
index 0000000..6e8a9b6
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts-1.0_selinux.inc
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+do_install_append () {
+	cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh
+touch /var/log/lastlog
+test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \
+    /etc/resolv.conf /etc/adjtime
+EOF
+	sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \
+	    ${D}${sysconfdir}/init.d/checkroot.sh
+}
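Review bot: the `sed -i '/mount -n -o remount,$rootmode/i\...'` edit of `checkroot.sh` is silent when the pattern does not match (for example after an initscripts update rewords that line), so the early `/run` relabel would quietly disappear from the image; follow it with `grep -q restorecon ${D}${sysconfdir}/init.d/checkroot.sh || bbfatal "checkroot.sh restorecon hook not applied"`. In the heredoc, `<<-EOF` strips leading tabs only, so the space-indented continuation line `    /etc/resolv.conf /etc/adjtime` is appended verbatim; that is fine here because it follows a backslash continuation, but a comment would save the next reader the check.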
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts_1.0.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100755
index 0000000..4f9950b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'initscripts-1.0_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_selinux.inc
new file mode 100755
index 0000000..9d9ebfc
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/libcgroup/libcgroup_selinux.inc
@@ -0,0 +1,10 @@
+EXTRA_OECONF_append_class-native = " --enable-pam=no"
+
+do_install_append() {
+	test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || {
+		mv -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 ${D}${base_libdir}/security/pam_cgroup.so
+		rm -f ${D}${base_libdir}/security/pam_cgroup.so.*
+	}
+}
+
+BBCLASSEXTEND = "native"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_selinux.inc
new file mode 100755
index 0000000..b17e70a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/systemd/systemd_selinux.inc
@@ -0,0 +1,7 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}
+
+do_install_append() {
+	if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then
+		install -d ${D}${localstatedir}/lib/systemd/backlight
+	fi
+}
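Review bot: `inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}` is redundant inside `systemd_selinux.inc`, since the bbappend only `require`s this file when `selinux` is already in `DISTRO_FEATURES`; a plain `inherit enable-audit` expresses the same thing with less indirection (compare `openssh_selinux.inc` in this commit, which inherits `with-selinux` unconditionally for the same reason).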
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_2.9%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_2.9%.bbappend
new file mode 100755
index 0000000..4ec2267
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_2.9%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_selinux.inc
new file mode 100755
index 0000000..2e54330
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/sysvinit/sysvinit_selinux.inc
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+B = "${S}"
+
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-core/util-linux/util-linux_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-core/util-linux/util-linux_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-core/util-linux/util-linux_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-devtools/prelink/prelink_git.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/prelink/prelink_git.bbappend
new file mode 100755
index 0000000..74e22b3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/prelink/prelink_git.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_selinux.inc
new file mode 100755
index 0000000..983dda7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-devtools/rpm/rpm_selinux.inc
@@ -0,0 +1,2 @@
+inherit with-selinux
+PACKAGECONFIG[selinux] = "${WITH_SELINUX},${WITHOUT_SELINUX},libsemanage,"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/at/at_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/at/at_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/at/at_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/cronie/cronie_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/cronie/cronie_%.bbappend
new file mode 100755
index 0000000..cfa56ca
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/cronie/cronie_%.bbappend
@@ -0,0 +1,2 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-audit', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/findutils/findutils_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/findutils/findutils_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/findutils/findutils_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_selinux.inc
new file mode 100755
index 0000000..1bdca98
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/logrotate/logrotate_selinux.inc
@@ -0,0 +1,5 @@
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_selinux.inc
new file mode 100755
index 0000000..6691b4c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/lsof/lsof_selinux.inc
@@ -0,0 +1,14 @@
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+do_configure_prepend () {
+	export LINUX_HASSELINUX="${@target_selinux(d, 'Y', 'N')}"
+	export LSOF_CFGF="${CFLAGS}"
+	export LSOF_CFGL="${LDFLAGS}"
+	export LSOF_CC="${BUILD_CC}"
+}
+
+do_compile () {
+	oe_runmake 'CC=${CC}' 'DEBUG='
+}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/files/netstat-selinux-support.patch b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/files/netstat-selinux-support.patch
new file mode 100755
index 0000000..f089041
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/files/netstat-selinux-support.patch
@@ -0,0 +1,244 @@
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Wed, 13 Jun 2012 13:32:01 +0800
+Subject: [PATCH] net-tools: netstat add SELinux support.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+ Makefile  |  9 ++++++++-
+ netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 74 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 8fcc55c..0b5c395 100644
+--- a/Makefile
++++ b/Makefile
+@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a
+ CFLAGS	= $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH)
+ LDFLAGS	= $(LOPTS) -L$(NET_LIB_PATH)
+ 
++ifeq ($(HAVE_SELINUX),1)
++SELINUX_LDFLAGS	= -lselinux
++CFLAGS		+= -DHAVE_SELINUX
++else
++SELINUX_LDFLAGS	=
++endif
++
+ SUBDIRS	= man/ $(NET_LIB_PATH)/
+ 
+ ifeq ($(origin CC), undefined)
+@@ -209,7 +216,7 @@ plipconfig:	$(NET_LIB) plipconfig.o
+ 		$(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB)
+ 
+ netstat:	$(NET_LIB) netstat.o statistics.o
+-		$(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
++		$(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
+ 
+ iptunnel:	$(NET_LIB) iptunnel.o
+ 		$(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB)
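Review bot: in the `netstat:` rule, `$(SELINUX_LDFLAGS)` is placed before `-o netstat` and the object files. With a shared `libselinux` this links, and because it precedes `$(LDFLAGS)` it is also not affected by any `--as-needed` that LDFLAGS may carry, but libraries conventionally follow the objects that reference them; appending it after `$(NLIB) $(RESLIB)` is the robust form and makes the dependency explicit rather than a side effect of argument order.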
+diff --git a/netstat.c b/netstat.c
+index fc10414..a773e81 100644
+--- a/netstat.c
++++ b/netstat.c
+@@ -90,6 +90,12 @@
+ #include <sys/types.h>
+ #include <asm-generic/param.h>
+ 
++#if HAVE_SELINUX
++#include <selinux/selinux.h>
++#else
++#define security_context_t char*
++#endif
++
+ #include "net-support.h"
+ #include "pathnames.h"
+ #include "version.h"
+@@ -101,6 +107,7 @@
+ #include "proc.h"
+ 
+ #define PROGNAME_WIDTH 20
++#define SELINUX_WIDTH 50
+ 
+ #if !defined(s6_addr32) && defined(in6a_words)
+ #define s6_addr32 in6a_words	/* libinet6			*/
+@@ -180,6 +187,7 @@ int flag_wide= 0;
+ int flag_prg = 0;
+ int flag_arg = 0;
+ int flag_ver = 0;
++int flag_selinux = 0;
+ 
+ FILE *procinfo;
+ 
+@@ -243,12 +251,17 @@ FILE *procinfo;
+ #define PROGNAME_WIDTH1(s) PROGNAME_WIDTH2(s)
+ #define PROGNAME_WIDTH2(s) #s
+ 
++#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH)
++#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s)
++#define SELINUX_WIDTH2(s) #s
++
+ #define PRG_HASH_SIZE 211
+ 
+ static struct prg_node {
+     struct prg_node *next;
+     unsigned long inode;
+     char name[PROGNAME_WIDTH];
++    char scon[SELINUX_WIDTH];
+ } *prg_hash[PRG_HASH_SIZE];
+ 
+ static char prg_cache_loaded = 0;
+@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0;
+ #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE)
+ 
+ #define PROGNAME_BANNER "PID/Program name"
++#define SELINUX_BANNER "Security Context"
+ 
+ #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0)
+ 
++#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0)
++
+ #define PRG_LOCAL_ADDRESS "local_address"
+ #define PRG_INODE	 "inode"
+ #define PRG_SOCKET_PFX    "socket:["
+@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0;
+ /* NOT working as of glibc-2.0.7: */
+ #undef  DIRENT_HAVE_D_TYPE_WORKS
+ 
+-static void prg_cache_add(unsigned long inode, char *name)
++static void prg_cache_add(unsigned long inode, char *name, char *scon)
+ {
+     unsigned hi = PRG_HASHIT(inode);
+     struct prg_node **pnp,*pn;
+@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name)
+     if (strlen(name)>sizeof(pn->name)-1) 
+ 	name[sizeof(pn->name)-1]='\0';
+     strcpy(pn->name,name);
++
++    {
++	int len=(strlen(scon)-sizeof(pn->scon))+1;
++	if (len > 0)
++	    strcpy(pn->scon,&scon[len+1]);
++	else
++	    strcpy(pn->scon,scon);
++    }
+ }
+ 
+ static const char *prg_cache_get(unsigned long inode)
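Review bot: the truncation block `int len=(strlen(scon)-sizeof(pn->scon))+1;` mixes `size_t` and `int`: when `scon` is shorter than `sizeof(pn->scon)` the subtraction wraps to a huge unsigned value and only becomes negative again through the implementation-defined conversion to `int`. It behaves on the usual two's-complement targets but is fragile; compare the lengths first (`if (strlen(scon) >= sizeof(pn->scon))`) and copy with `snprintf(pn->scon, sizeof pn->scon, "%s", ...)` instead of `strcpy`. Two smaller points: `&scon[len+1]` drops one character more than needed (copying from `&scon[len]` would fill the buffer exactly), and the truncation keeps the tail of the context, so `type:level` survives while the `user:role` prefix is cut, which is a sensible choice for a 50-column display but deserves a comment.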
+@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode)
+     return("-");
+ }
+ 
++static const char *prg_cache_get_con(unsigned long inode)
++{
++    unsigned hi=PRG_HASHIT(inode);
++    struct prg_node *pn;
++
++    for (pn=prg_hash[hi];pn;pn=pn->next)
++        if (pn->inode==inode) return(pn->scon);
++    return("-");
++}
++
+ static void prg_cache_clear(void)
+ {
+     struct prg_node **pnp,*pn;
+@@ -384,6 +418,7 @@ static void prg_cache_load(void)
+     const char *cs,*cmdlp;
+     DIR *dirproc=NULL,*dirfd=NULL;
+     struct dirent *direproc,*direfd;
++    security_context_t scon=NULL;
+ 
+     if (prg_cache_loaded || !flag_prg) return;
+     prg_cache_loaded=1;
+@@ -453,7 +488,15 @@ static void prg_cache_load(void)
+ 	    }
+ 
+ 	    snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp);
+-	    prg_cache_add(inode, finbuf);
++#if HAVE_SELINUX
++	    if (getpidcon(atoi(direproc->d_name), &scon) == -1) {
++		scon=strdup("-");
++	    }
++	    prg_cache_add(inode, finbuf, scon);
++	    freecon(scon);
++#else
++	    prg_cache_add(inode, finbuf, "-");
++#endif
+ 	}
+ 	closedir(dirfd); 
+ 	dirfd = NULL;
+@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers)
+     }
+     if (flag_prg)
+ 	printf(" %-16s",prg_cache_get(inode));
++    if (flag_selinux)
++	printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode));
+     if (flag_opt)
+ 	printf(" %s", timers);
+     putchar('\n');
+@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line)
+ 	printf("-        ");
+     if (flag_prg)
+ 	printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-"));
++    if (flag_selinux)
++	printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-"));
+     puts(path);
+ }
+ 
+@@ -1584,6 +1631,7 @@ static int unix_info(void)
+ 
+     printf(_("\nProto RefCnt Flags       Type       State         I-Node  "));
+     print_progname_banner();
++    print_selinux_banner();
+     printf(_(" Path\n"));	/* xxx */
+ 
+     {
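Review bot: `print_selinux_banner()` is added only to the `unix_info` header here, yet the `-Z` column is also emitted by `finish_this_one` (patched above) for the inet tables; the header printed for those tables, where `print_progname_banner()` is called for TCP/UDP, does not appear in this diff and should receive the same call, otherwise `netstat -tZ` prints an unlabeled context column. Also, `finish_this_one` prints `"%-" SELINUX_WIDTHs "s"` without the leading space that the `" %-16s"` program-name column carries, while the banner is `" " SELINUX_BANNER`, so header and data are misaligned by one character.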
+@@ -1874,6 +1922,7 @@ static void usage(void)
+     fprintf(stderr, _("        -o, --timers             display timers\n"));
+     fprintf(stderr, _("        -F, --fib                display Forwarding Information Base (default)\n"));
+     fprintf(stderr, _("        -C, --cache              display routing cache instead of FIB\n\n"));
++    fprintf(stderr, _("        -Z, --context            display SELinux security context for sockets\n\n"));
+ 
+     fprintf(stderr, _("  <Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom\n"));
+     fprintf(stderr, _("  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: %s\n"), DFLT_AF);
+@@ -1920,6 +1969,7 @@ int main
+ 	{"cache", 0, 0, 'C'},
+ 	{"fib", 0, 0, 'F'},
+ 	{"groups", 0, 0, 'g'},
++	{"context", 0, 0, 'Z'},
+ 	{NULL, 0, 0, 0}
+     };
+ 
+@@ -1931,7 +1981,7 @@ int main
+     getroute_init();		/* Set up AF routing support */
+ 
+     afname[0] = '\0';
+-    while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF)
++    while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF)
+ 	switch (i) {
+ 	case -1:
+ 	    break;
+@@ -2036,6 +2086,19 @@ int main
+ 	    if (aftrans_opt("unix"))
+ 		exit(1);
+ 	    break;
++	case 'Z':
++#if HAVE_SELINUX
++	    if (is_selinux_enabled() <= 0) {
++		fprintf(stderr, _("SELinux is not enabled on this machine.\n"));
++		exit(1);
++	    }
++	    flag_prg++;
++	    flag_selinux++;
++#else
++	    fprintf(stderr, _("SELinux is not enabled for this application.\n"));
++	    exit(1);
++#endif
++	    break;
+ 	case '?':
+ 	case 'h':
+ 	    usage();
+-- 
+1.9.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_selinux.inc
new file mode 100755
index 0000000..cc3196f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/net-tools/net-tools_selinux.inc
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://netstat-selinux-support.patch"
+
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+EXTRA_OEMAKE += "${@target_selinux(d, 'HAVE_SELINUX=1', 'HAVE_SELINUX=0')}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_selinux.inc
new file mode 100755
index 0000000..adcf938
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/pam/libpam_selinux.inc
@@ -0,0 +1,3 @@
+inherit enable-selinux
+
+RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/parted/parted_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/parted/parted_%.bbappend
new file mode 100755
index 0000000..74e22b3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/parted/parted_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/psmisc/psmisc_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/psmisc/psmisc_%.bbappend
new file mode 100755
index 0000000..74e22b3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/psmisc/psmisc_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/sed/sed_4.%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sed/sed_4.%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sed/sed_4.%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/files/pam.d/login b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/files/pam.d/login
new file mode 100755
index 0000000..ec5bba9
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,95 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Standard Un*x account and session
+account    include      common-account
+password   include      common-password
+session    include      common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
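Review bot: the two comment lines that close the file (`When the module is present, "required" would be sufficient ...`) describe the `pam_selinux.so open` rule above them, whereas the equivalent comment for the `close` rule sits above its rule; move them above the `session ... pam_selinux.so open` line so the two SELinux blocks read the same way and nothing trails the final rule. Comment typos worth fixing in the same pass: `Without out this` (should be `Without this`), `succesful` (three occurrences), `restrainst`, `unsecure`.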
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_selinux.inc
new file mode 100755
index 0000000..496ea6a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/shadow/shadow_selinux.inc
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit with-selinux with-audit
+
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"
+
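Review bot: the hunk ends with an empty `+` line, leaving a blank line at end of file; drop it. `PACKAGECONFIG[selinux]` is redefined here with `libselinux libsemanage` as build dependencies, which presumably overrides what the `with-selinux` class sets; a one-line comment stating why shadow additionally needs libsemanage (the `--with-selinux` build uses it for the useradd/usermod `-Z` login-to-SELinux-user mapping) would save the next reader from having to diff it against the class.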
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/sudo/sudo_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sudo/sudo_%.bbappend
new file mode 100755
index 0000000..b01ad25
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/files/sysklogd b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/files/sysklogd
new file mode 100755
index 0000000..e49c2da
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/files/sysklogd
@@ -0,0 +1,152 @@
+#! /bin/sh
+# /etc/init.d/sysklogd: start the system log daemon.
+
+### BEGIN INIT INFO
+# Provides:             sysklogd
+# Required-Start:       $remote_fs $time
+# Required-Stop:        $remote_fs $time
+# Should-Start:         $network
+# Should-Stop:          $network
+# Default-Start:        2 3 4 5
+# Default-Stop:         0 1 6
+# Short-Description:    System logger
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+pidfile_syslogd=/var/run/syslogd.pid
+binpath_syslogd=/usr/sbin/syslogd
+
+test -x $binpath || exit 0
+
+test ! -r /etc/default/syslogd || . /etc/default/syslogd
+
+create_xconsole()
+{
+    # Only proceed if /dev/xconsole is used at all
+    if ! grep -q '^[^#].*/dev/xconsole' /etc/syslog.conf
+    then
+	return
+    fi
+
+    if [ ! -e /dev/xconsole ]; then
+	mknod -m 640 /dev/xconsole p
+    else
+	chmod 0640 /dev/xconsole
+    fi
+    chown root:adm /dev/xconsole
+    test ! -x /sbin/restorecon || /sbin/restorecon -F /dev/xconsole
+}
+
+log_begin_msg () {
+    echo -n $1
+}
+
+log_end_msg () {
+    echo $1
+}
+
+log_success_msg () {
+    echo $1
+}
+
+running()
+{
+    # No pidfile, probably no daemon present
+    #
+    if [ ! -f $pidfile ]
+    then
+	return 1
+    fi
+
+    pid=`cat $pidfile_syslogd`
+
+    # No pid, probably no daemon present
+    #
+    if [ -z "$pid" ]
+    then
+	return 1
+    fi
+
+    if [ ! -d /proc/$pid ]
+    then
+	return 1
+    fi
+
+    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`
+
+    # No syslogd?
+    #
+    if [ "$cmd" != "$binpath" ]
+    then
+	return 1
+    fi
+
+    return 0
+}
+
+waitpid ()
+{
+  pid=$1
+  # Give pid a chance to exit before we restart with a 5s timeout in 1s intervals
+  if [ -z "$pid" ]; then
+    return
+  fi
+  timeout=5;
+  while [ $timeout -gt 0 ]
+  do
+    timeout=$(( $timeout-1 ))
+    kill -0 $pid 2> /dev/null || break
+    sleep 1
+  done
+}
+
+case "$1" in
+  start)
+    log_begin_msg "Starting system log daemon..."
+    create_xconsole
+    start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD
+    test ! -x /sbin/restorecon || /sbin/restorecon -RF /dev/log /var/log/
+    log_end_msg $?
+    ;;
+  stop)
+    log_begin_msg "Stopping system log daemon..."
+    start-stop-daemon --stop --quiet --pidfile $pidfile_syslogd --name syslogd
+    log_end_msg $?
+    ;;
+  reload|force-reload)
+    log_begin_msg "Reloading system log daemon..."
+    start-stop-daemon --stop --quiet --signal 1 --pidfile $pidfile_syslogd --name syslogd
+    log_end_msg $?
+    ;;
+  restart)
+    log_begin_msg "Restarting system log daemon..."
+    pid=`cat $pidfile_syslogd 2> /dev/null`
+    start-stop-daemon --stop --retry 5 --quiet --pidfile $pidfile_syslogd --name syslogd
+    waitpid $pid
+    start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD
+    log_end_msg $?
+    ;;
+  reload-or-restart)
+    if running
+    then
+	$0 reload
+    else
+	$0 start
+    fi
+    ;;
+  status)
+    status syslogd
+    RETVAL=$?
+    [ $RETVAL -eq 0 ] && exit $rval
+    exit $RETVAL
+    ;;
+  *)
+    log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart|status}"
+    exit 1
+esac
+
+exit 0
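Review bot: `$binpath` and `$pidfile` are used but never set; the script only defines `binpath_syslogd` and `pidfile_syslogd`. Consequently `test -x $binpath || exit 0` degenerates to the one-argument `test -x`, which is always true, so the executable check never fires; in `running()` the `[ "$cmd" != "$binpath" ]` comparison is always true, so `running` always returns 1 and `reload-or-restart` always takes the `start` path; and the `status` branch's `exit $rval` references an undefined variable and only exits 0 because `exit` with no argument reuses the last status. Rename these to `$binpath_syslogd`, `$pidfile_syslogd` and `$RETVAL`. Separately, in the `start)` branch `log_end_msg $?` follows the `restorecon -RF /dev/log /var/log/` line, so it reports the relabel's status rather than start-stop-daemon's; capture the daemon's status before relabelling.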
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_selinux.inc
new file mode 100755
index 0000000..81fe7b7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/sysklogd/sysklogd_selinux.inc
@@ -0,0 +1 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_selinux.inc
new file mode 100755
index 0000000..341df8b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-extended/tar/tar_selinux.inc
@@ -0,0 +1,3 @@
+inherit with-selinux
+
+PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-graphics/mesa/mesa_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/mesa/mesa_%.bbappend
new file mode 100755
index 0000000..02c4918
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/mesa/mesa_%.bbappend
@@ -0,0 +1,2 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)}
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_selinux.inc
new file mode 100755
index 0000000..29bdadb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-graphics/xcb/libxcb_selinux.inc
@@ -0,0 +1,6 @@
+inherit enable-selinux
+# libxcb-xselinux will not build with libselinux, so remove the depend
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,,"
+
+PACKAGES += "${PN}-xselinux"
+FILES_${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*"
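Review bot: the comment `libxcb-xselinux will not build with libselinux, so remove the depend` reads as though the build breaks when libselinux is present, which is not the point of emptying the dependency field: libxcb's `--enable-selinux` builds the X11 SELinux protocol extension bindings (libxcb-xselinux), which are generated protocol code and never link against libselinux, so the dependency is simply unnecessary. Reword the comment to say that, so nobody later "fixes" it by adding the dependency back.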
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux-libc-headers/linux-libc-headers_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux-libc-headers/linux-libc-headers_%.bbappend
new file mode 100755
index 0000000..d6f5869
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux-libc-headers/linux-libc-headers_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/files/selinux.cfg b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/files/selinux.cfg
new file mode 100755
index 0000000..7d16dc5
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/files/selinux.cfg
@@ -0,0 +1,30 @@
+..........................................................................                                                                         
+.                                WARNING
+.                                      
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file.  The final kernel configuration is made up of 
+. an assembly of processed fragments, each of which is designed to 
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration).  For more information on kernel configuration, please 
+. consult the product documentation.                                   
+.                                                                     
+..........................................................................                                                                                      
+CONFIG_AUDIT=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_JFS_SECURITY=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_JFFS2_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+CONFIG_AUDIT_GENERIC=y
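Review bot: `CONFIG_SECURITY_SELINUX_DISABLE=y` enables runtime disabling of SELinux through `/sys/fs/selinux/disable`, which upstream has deprecated and which also forces the LSM hook table to remain writable; on a hardened target leave it unset and use `CONFIG_SECURITY_SELINUX_BOOTPARAM` with `selinux=0` on the kernel command line for debug images instead. Likewise `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1` makes mmap/mprotect checks use the protection the caller asked for rather than the protection the kernel actually grants; the hardened value is 0. The fragment also sets neither `CONFIG_DEFAULT_SECURITY_SELINUX` nor `CONFIG_LSM`, so whether SELinux is initialised at boot depends on the base kernel config's LSM order, which is worth pinning here. The dotted header lines carry trailing whitespace.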
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_5.%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_5.%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_selinux.inc
new file mode 100755
index 0000000..3312e06
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/linux/linux-yocto_selinux.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+# Enable selinux support in the kernel if the feature is enabled
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf.bbappend
new file mode 100755
index 0000000..b0b03ec
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf.bbappend
@@ -0,0 +1,2 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf_selinux.inc
new file mode 100755
index 0000000..bed3cc2
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-kernel/perf/perf_selinux.inc
@@ -0,0 +1 @@
+DEPENDS .= "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', ' audit', '', d)}"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
new file mode 100755
index 0000000..6e1827c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
@@ -0,0 +1,42 @@
+From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 19 Feb 2020 15:23:40 +0800
+Subject: [PATCH] lib/i386_table.h: add new syscall
+
+On 32bit system,
+After upgrade glibc to 2.31
+ # strace -o /tmp/test.log date -s 09:16:45
+ # tail -f /tmp/test.log
+ close(3)                                = 0
+ stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
+ clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
+ fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
+ ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
+ write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
+ close(1)                                = 0
+ close(2)                                = 0
+ exit_group(0)                           = ?
+ +++ exited with 0 +++
+
+It means the clock_settime64 syscall is used, so
+add the syscall.
+
+Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/i386_table.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/i386_table.h b/lib/i386_table.h
+index 1a64c88..65fd4d9 100644
+--- a/lib/i386_table.h
++++ b/lib/i386_table.h
+@@ -405,3 +405,4 @@ _S(383, "statx")
+ _S(384, "arch_prctl")
+ _S(385, "io_pgetevents")
+ _S(386, "rseq")
++_S(404, "clock_settime64")
+-- 
+2.7.4
+
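Review bot: only `_S(404, "clock_settime64")` is added, but the glibc 2.31 move to 64-bit time on 32-bit targets that motivates the patch (the `clock_settime64(CLOCK_REALTIME, ...)` line in the strace) covers the whole time64 family in the kernel's table: clock_gettime64 is 403, clock_adjtime64 405, clock_getres_time64 406, clock_nanosleep_time64 407, and so on up through the other `*_time64` entries. With only 404 present, `auditctl -S` cannot name the rest and `ausearch` will still print bare numbers for them. Consider adding the full range from `arch/x86/entry/syscalls/syscall_32.tbl` in one go, or state in the commit message why only 404 is needed.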
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
new file mode 100755
index 0000000..bb6c61e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -0,0 +1,133 @@
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 26 Feb 2019 18:33:33 -0500
+Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
+
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
+---
+ auparse/auparse.c   | 12 +++++++++++-
+ auparse/interpret.c |  9 ++++++++-
+ configure.ac        | 14 +++++++++++++-
+ src/ausearch-lol.c  | 12 +++++++++++-
+ 4 files changed, 43 insertions(+), 4 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 650db02..2e1c737 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1,5 +1,5 @@
+ /* auparse.c --
+- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
+  * All Rights Reserved.
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
+ 	return 0;
+ }
+ 
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++	size_t len = strnlen(old, n);
++	char *tmp = alloca(len + 1);
++	tmp[len] = 0;
++	return memcpy(tmp, old, len);
++}
++#endif
++
+ /* Returns 0 on success and 1 on error */
+ static int extract_timestamp(const char *b, au_event_t *e)
+ {
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 51c4a5e..67b7b77 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -853,6 +853,13 @@ err_out:
+ 		return print_escaped(id->val);
+ }
+ 
++// rawmemchr is faster. Let's use it if we have it.
++#ifdef HAVE_RAWMEMCHR
++#define STRCHR rawmemchr
++#else
++#define STRCHR strchr
++#endif
++
+ static const char *print_proctitle(const char *val)
+ {
+ 	char *out = (char *)print_escaped(val);
+@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
+ 		// Proctitle has arguments separated by NUL bytes
+ 		// We need to write over the NUL bytes with a space
+ 		// so that we can see the arguments
+-		while ((ptr  = rawmemchr(ptr, '\0'))) {
++		while ((ptr  = STRCHR(ptr, '\0'))) {
+ 			if (ptr >= end)
+ 				break;
+ 			*ptr = ' ';
+diff --git a/configure.ac b/configure.ac
+index 54bdbf1..aef07fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,7 +1,7 @@
+ dnl
+ define([AC_INIT_NOTICE],
+ [### Generated automatically using autoconf version] AC_ACVERSION [
+-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
++### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
+ ###
+ ### Permission is hereby granted, free of charge, to any person obtaining a
+ ### copy of this software and associated documentation files (the "Software"),
+@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
+ AC_CHECK_FUNCS([posix_fallocate])
+ dnl; signalfd is needed for libev
+ AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
++dnl; check if rawmemchr is available
++AC_CHECK_FUNCS([rawmemchr])
++dnl; check if strndupa is available
++AC_LINK_IFELSE(
++  [AC_LANG_SOURCE(
++    [[
++      #define _GNU_SOURCE
++      #include <string.h>
++      int main() { (void) strndupa("test", 10); return 0; }]])],
++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
++ []
++)
+ 
+ ALLWARNS=""
+ ALLDEBUG="-g"
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 5d17a72..758c33e 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -1,6 +1,6 @@
+ /*
+ * ausearch-lol.c - linked list of linked lists library
+-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved. 
+ *
+ * This software may be freely redistributed and/or modified under the
+@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
+ 	return 0;
+ }
+ 
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++	size_t len = strnlen(old, n);
++	char *tmp = alloca(len + 1);
++	tmp[len] = 0;
++	return memcpy(tmp, old, len);
++}
++#endif
++
+ /*
+  * This function will look at the line and pick out pieces of it.
+  */
+-- 
+2.7.4
+
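Review bot: the `strndupa` fallback added to both auparse/auparse.c and src/ausearch-lol.c is unsafe as written: it calls `alloca(len + 1)` inside a `static inline` function, so the buffer lives in the callee's frame and is released when the function returns, leaving the caller (`extract_timestamp` and the ausearch line parser) with a dangling pointer; `inline` does not rescue it, since GCC declines to inline functions that use alloca unless they are marked `always_inline`. glibc defines `strndupa` as a macro precisely so the alloca happens in the caller's frame; the fallback should be a macro (or a statement expression) that does the same. Having the identical helper pasted into two files is also a maintenance hazard; one shared header would do.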
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
new file mode 100755
index 0000000..7c26995
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
@@ -0,0 +1,57 @@
+From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001
+From: Li xin <lixin.fnst@cn.fujitsu.com>
+Date: Sun, 19 Jul 2015 02:42:58 +0900
+Subject: [PATCH] audit: Fixed swig host contamination issue
+
+The audit build uses swig to generate a python wrapper.
+Unfortunately, the swig info file references host include
+directories.  Some of these were previously noticed and
+eliminated, but the one fixed here was not.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
+Signed-off-by: Joe Slater <jslater@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ bindings/swig/python3/Makefile.am | 3 ++-
+ bindings/swig/src/auditswig.i     | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
+index 9938418..fa46aac 100644
+--- a/bindings/swig/python3/Makefile.am
++++ b/bindings/swig/python3/Makefile.am
+@@ -22,6 +22,7 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
+ AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
++STDINC ?= /usr/include
+ LIBS = $(top_builddir)/lib/libaudit.la
+ SWIG_FLAGS = -python -py3 -modern
+ SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
+@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
+ _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
+ nodist__audit_la_SOURCES  = audit_wrap.c
+ audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
+-	swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i 
++	swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
+ 
+ CLEANFILES = audit.py* audit_wrap.c *~
+ 
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 7ebb373..424fb68 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,7 +39,7 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
+-%include "/usr/include/linux/audit.h"
++%include "linux/audit.h"
+ #define __extension__ /*nothing*/
+ #include <stdint.h>
+ %include "../lib/libaudit.h"
+-- 
+2.7.4
+
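Review bot: `STDINC ?= /usr/include` in bindings/swig/python3/Makefile.am uses GNU make's conditional assignment, which automake flags as non-portable; since the recipe always passes `STDINC='${STAGING_INCDIR}'` through EXTRA_OEMAKE, a plain `STDINC = /usr/include` default that the command line overrides achieves the same result without the warning. Minor, given the patch is marked `Inappropriate [embedded specific]`.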
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/audit-volatile.conf b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/audit-volatile.conf
new file mode 100755
index 0000000..9cbe154
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/audit-volatile.conf
@@ -0,0 +1 @@
+d  /var/log/audit 0750 root root -
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd
new file mode 100755
index 0000000..cda2e43
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd
@@ -0,0 +1,153 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          auditd
+# Required-Start:    $local_fs
+# Required-Stop:     $local_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Audit Daemon
+# Description:       Collects audit information from Linux 2.6 Kernels.
+### END INIT INFO
+
+# Author: Philipp Matthias Hahn <pmhahn@debian.org>
+# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
+
+# June, 2012: Adopted for yocto <amy.fong@windriver.com>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="audit daemon"
+NAME=auditd
+DAEMON=/sbin/auditd
+PIDFILE=/var/run/"$NAME".pid
+SCRIPTNAME=/etc/init.d/"$NAME"
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
+
+. /etc/default/rcS
+
+. /etc/init.d/functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
+		|| return 1
+	start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
+		$EXTRAOPTIONS \
+		|| return 2
+	if [ -f /etc/audit/audit.rules ]
+	then
+		/sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+	fi
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f "$PIDFILE"
+	rm -f /var/run/audit_events
+	# Remove watches so shutdown works cleanly
+	case "$AUDITD_CLEAN_STOP" in
+		no|NO) ;;
+		*) /sbin/auditctl -D >/dev/null ;;
+	esac
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+if [ ! -e /var/log/audit ]; then
+	mkdir -p /var/log/audit
+	[ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit
+fi
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+		2) [ "$VERBOSE" != no ] && echo 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+		2) [ "$VERBOSE" != no ] && echo 1 ;;
+	esac
+	;;
+  reload|force-reload)
+	echo "Reloading $DESC" "$NAME"
+	do_reload
+	echo $?
+	;;
+  restart)
+	echo "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) echo 0 ;;
+			1) echo 1 ;; # Old process is still running
+			*) echo 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		echo 1
+		;;
+	esac
+	;;
+  rotate)
+	echo "Rotating $DESC logs" "$NAME"
+	start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
+	echo $?
+	;;
+  status)
+	pidofproc "$DAEMON" >/dev/null
+	status=$?
+	if [ $status -eq 0 ]; then
+		echo "$NAME is running."
+	else
+		echo "$NAME is not running."
+	fi
+	exit $status
+	;;
+  *)
+	echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
+	exit 3
+	;;
+esac
+
+:
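Review bot: `mkdir -p /var/log/audit` (just before the `case`) creates the log directory with the umask default, typically 0755, while `audit-volatile.conf` in this same change specifies `0750 root root`; use `mkdir -p -m 0750 /var/log/audit` so audit logs are not world-listable on sysvinit boots. Also `do_start` has no explicit return after the `auditctl -R` step, so its status is that of the trailing `if`: a failed rule load returns nonzero, which the `start)` case maps to `0` (daemon already running), and a missing rules file silently returns 0, so the daemon can come up with no rules and nothing reports it. Return a distinct code when `auditctl -R` fails.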
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd.service b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd.service
new file mode 100755
index 0000000..ebc0798
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit/auditd.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+After=systemd-tmpfiles-setup.service
+
+[Service]
+ExecStart=/sbin/auditd -n
+## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+## and uncomment the next line and delete/comment out the auditctl line.
+## Then copy existing rules to /etc/audit/rules.d/
+## Not doing this last step can cause loss of existing rules
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
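Review bot: the `-` prefix on `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules` tells systemd to ignore a failed rule load, so the unit reports active even when no rules were installed; drop the `-` (or follow it with a check) so a broken rules file surfaces in the unit status. Upstream's auditd.service also sets `RefuseManualStop=yes` so the audit daemon cannot be stopped with a plain `systemctl stop` outside of shutdown; that line is missing here.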
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit_2.8.5.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit_2.8.5.bb
new file mode 100755
index 0000000..af36ed5
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/audit/audit_2.8.5.bb
@@ -0,0 +1,106 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
+           file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
+           file://Fixed-swig-host-contamination-issue.patch \
+           file://0001-lib-i386_table.h-add-new-syscall.patch \
+           file://auditd \
+           file://auditd.service \
+           file://audit-volatile.conf \
+"
+
+S = "${WORKDIR}/git"
+SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
+
+inherit autotools python3native update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_PACKAGES = "auditd"
+SYSTEMD_SERVICE_auditd = "auditd.service"
+
+DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
+
+EXTRA_OECONF += "--without-prelude \
+        --with-libwrap \
+        --enable-gssapi-krb5=no \
+        --with-libcap-ng=yes \
+        --with-python3=yes \
+        --libdir=${base_libdir} \
+        --sbindir=${base_sbindir} \
+        --without-python \
+        --without-golang \
+        --disable-zos-remote \
+        "
+EXTRA_OECONF_append_arm = " --with-arm=yes"
+EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
+	PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
+	pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+	STDINC='${STAGING_INCDIR}' \
+	pkgconfigdir=${libdir}/pkgconfig \
+	"
+
+SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
+FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
+FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
+	${sysconfdir}/audisp/plugins.d/au-remote.conf \
+	${sbindir}/audisp-remote ${localstatedir}/spool/audit \
+	"
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
+RDEPENDS_auditd += "bash"
+
+do_install_append() {
+	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
+	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
+
+	# reuse auditd config
+	[ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
+	mv ${D}/etc/sysconfig/auditd ${D}/etc/default
+	rmdir ${D}/etc/sysconfig/
+
+	# replace init.d
+	install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
+	rm -rf ${D}/etc/rc.d
+
+	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+		install -d ${D}${sysconfdir}/tmpfiles.d/
+		install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+	fi
+
+	# install systemd unit files
+	install -d ${D}${systemd_unitdir}/system
+	install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+	# audit-2.5 doesn't install any rules by default, so we do that here
+	mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
+	cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
+
+	chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+	chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
+
+	# Based on the audit.spec "Copy default rules into place on new installation"
+	cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+}
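Review bot: `CONFFILES_auditd` only lists `${sysconfdir}/audit/audit.rules`, but `do_install_append` also installs and tightens `${sysconfdir}/audit/auditd.conf` and `${sysconfdir}/audit/rules.d/audit.rules`, so a package upgrade will silently overwrite any locally hardened copies of those two files; add them to `CONFFILES_auditd`. The comment `# audit-2.5 doesn't install any rules by default` is stale for this 2.8.5 recipe, and since the unit loads `/etc/audit/audit.rules` with `auditctl -R` rather than `augenrules`, the copy into `rules.d/` is effectively dead unless an admin follows the instructions in `auditd.service`; a short comment stating that would save the next reader a trip.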
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux-minimal.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux-minimal.bb
new file mode 100755
index 0000000..45bb099
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux-minimal.bb
@@ -0,0 +1,15 @@
+DESCRIPTION = "Minimal image with SELinux support (no python)"
+
+IMAGE_FEATURES += "splash ssh-server-openssh"
+
+LICENSE = "MIT"
+
+IMAGE_INSTALL = "\
+	${CORE_IMAGE_BASE_INSTALL} \
+	bash \
+	util-linux-agetty \
+	packagegroup-core-boot \
+	packagegroup-selinux-minimal \
+"
+
+inherit selinux-image
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux.bb
new file mode 100755
index 0000000..68bf7ef
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/images/core-image-selinux.bb
@@ -0,0 +1,14 @@
+DESCRIPTION = "Image with SELinux support" 
+
+IMAGE_FEATURES += "splash ssh-server-openssh"
+
+LICENSE = "MIT"
+
+IMAGE_INSTALL = "\
+	${CORE_IMAGE_BASE_INSTALL} \
+	util-linux-agetty \
+	packagegroup-core-full-cmdline \
+	packagegroup-core-selinux \
+"
+
+inherit selinux-image
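Review bot: `DESCRIPTION = "Image with SELinux support" ` carries a trailing space; please strip it so the two image recipes stay consistent (the minimal image does not have one).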
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-core-selinux.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-core-selinux.bb
new file mode 100755
index 0000000..a4cf1b8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "SELinux packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+PACKAGES = "\
+    ${PN} \
+    "
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+	libsepol \
+	libsepol-bin \
+	libselinux \
+	libselinux-bin \
+	libsemanage \
+	checkpolicy \
+	selinux-python-sepolgen \
+	packagegroup-selinux-policycoreutils \
+	setools \
+	setools-console \
+	selinux-autorelabel \
+	selinux-init \
+	selinux-labeldev \
+	refpolicy \
+	coreutils \
+	"
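Review bot: `PACKAGES` is indented with four spaces while `RDEPENDS_${PN}` uses tabs in the same file; pick one (the sibling `packagegroup-selinux-minimal.bb` uses tabs throughout) so the three packagegroups in this directory match.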
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
new file mode 100755
index 0000000..e198e84
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -0,0 +1,25 @@
+DESCRIPTION = "SELinux packagegroup with only packages required for basic operations"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+PACKAGES = "\
+	${PN} \
+"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = "\
+	coreutils \
+	libsepol \
+	libselinux \
+	libselinux-bin \
+	libsemanage \
+	policycoreutils-fixfiles \
+	policycoreutils-secon \
+	policycoreutils-semodule \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	selinux-init \
+	selinux-labeldev \
+	refpolicy \
+"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
new file mode 100755
index 0000000..2263592
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -0,0 +1,35 @@
+DESCRIPTION = "SELinux policycoreutils packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+PACKAGES = "\
+    ${PN} \
+"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = "\
+	policycoreutils-fixfiles \
+	policycoreutils-genhomedircon \
+	policycoreutils-loadpolicy \
+	policycoreutils-newrole \
+	policycoreutils-runinit \
+	policycoreutils-secon \
+	policycoreutils-semodule \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	policycoreutils-setsebool \
+	policycoreutils-hll \
+	semodule-utils-semodule-expand \
+	semodule-utils-semodule-link \
+	semodule-utils-semodule-package \
+	selinux-python-audit2allow \
+	selinux-python-sepolgen-ifgen \
+	selinux-python-semanage \
+	selinux-python-sepolicy \
+	selinux-python-chcat \
+	selinux-python \
+	selinux-sandbox \
+	selinux-dbus \
+	selinux-gui \
+"
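Review bot: `selinux-gui`, `selinux-dbus` and `selinux-sandbox` are pulled into a group named `packagegroup-selinux-policycoreutils`, and through `packagegroup-core-selinux` into `core-image-selinux`; on an embedded target these add a D-Bus service and GUI tooling that have nothing to do with policy core utilities and enlarge the installed attack surface. Suggest moving them to a separate optional group (or behind a `PACKAGECONFIG`) so the default image only carries the command-line policy tools.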
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/customizable_types b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/customizable_types
new file mode 100755
index 0000000..527d835
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/customizable_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mcs.conf b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mcs.conf
new file mode 100755
index 0000000..0ac9c90
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mcs.conf
@@ -0,0 +1,17 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mls.conf b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mls.conf
new file mode 100755
index 0000000..eb181d2
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/files/setrans-mls.conf
@@ -0,0 +1,52 @@
+#
+# Multi-Level Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+#  SystemLow
+#  SystemHigh
+#  Unclassified 
+#  Secret with compartments A and B.
+# 
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=A
+s2:c1=B
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c1023=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c1023=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
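Review bot: typo in the header comment, `translation libary` should read `translation library`, and "for different purpose" should read "for different purposes"; minor, but this file is shipped verbatim into `/etc/selinux/<policy>/setrans.conf` on the target.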
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100755
index 0000000..2692ffa
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+-- 
+2.19.1
+
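Review bot: the new aliases map `/var/volatile/run` to `/var/run` and `/var/volatile/lock` to `/var/lock`, but the context line just above shows `/var/run` is itself only a subs alias for `/run`; as far as I can tell libselinux applies the subs table once per lookup and does not chain substitutions, so `/var/volatile/run/...` would be matched against file_contexts as `/var/run/...`, for which refpolicy has no entries, and fall through to the default label. Please verify, and if so alias directly to `/run` and `/run/lock` (the same applies to `/var/lock`).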
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
new file mode 100755
index 0000000..62e7da1
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,53 @@
+From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/shutdown.fc      | 1 +
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/system/init.fc         | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 03a2230c..2ba049ff 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+ /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index cf3848db..86920167 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce93..93e9d2b4 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
+ # /usr
+ #
+ /usr/bin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/bin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
new file mode 100755
index 0000000..f92ddb8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -0,0 +1,68 @@
+From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc:  denied  { getattr } for  pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc:  denied  { open } for  pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te   | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 6d3c4284..423db0cc 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -129,3 +129,6 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
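Review bot: `allow getty_t tmpfs_t:file { open write lock }` grants getty write access to every file labelled `tmpfs_t`, not just `wtmp`; the quoted denial shows the real problem is that `/var/volatile/log/wtmp` is labelled `tmpfs_t` instead of `wtmp_t`/`var_log_t`. Fixing the label (the volatile subs patch in this same series is meant to do exactly that) lets the existing `init_rw_utmp`/logging interfaces apply and avoids a raw rule against a generic type.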
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 63e92a8e..8ab46925 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+ 
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -620,3 +621,10 @@ optional_policy(`
+ 	# log to the xconsole
+ 	xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+-- 
+2.19.1
+
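Review bot: `allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }` lists `search` twice, and like the getty hunk it grants auditd create/append on any `tmpfs_t` file rather than on `auditd_log_t`; since the audit log lives under `/var/volatile/log`, the durable fix is to label that tree so `auditd_log_t` applies (note that an audit log on tmpfs is also lost at every reboot, which is worth a comment in the recipe). The three `initrc_t:unix_dgram_socket sendto` rules all stem from `/run/systemd/journal/dev-log` being labelled `initrc_t`; the file ends without a trailing newline (`\ No newline at end of file`), please add one.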
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100755
index 0000000..a963751
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+-- 
+2.19.1
+
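Review bot: the commit message lacks the `Upstream-Status:` tag that every other patch in this directory carries, and the hunk ends with a stray empty `+` line. On substance, mapping `/usr/lib/busybox/bin` to `/bin` and `/usr/lib/busybox/sbin` to `/sbin` has the same chaining caveat as the volatile aliases: if `/bin` and `/sbin` are themselves subs aliases for `/usr/bin` and `/usr/sbin`, a single substitution leaves `/bin/...` with no matching file_contexts entry, so aliasing directly to `/usr/bin` and `/usr/sbin` is safer.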
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100755
index 0000000..37423ec
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,54 @@
+From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 4c679ff3..75750e4c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -288,3 +288,13 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
+-- 
+2.19.1
+
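Review bot: `allow local_login_t self:capability net_admin;` is not explained by any of the three denials quoted in the commit message, which only cover `var_log_t` file access, the journal socket and `tmpfs_t`; `net_admin` is a powerful capability for a login program, so either quote the denial that motivates it or drop it. Style: `{ open read write lock}` and `{ add_name write search}` are missing the closing space used elsewhere in refpolicy.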
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
new file mode 100755
index 0000000..ad94252
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -0,0 +1,57 @@
+From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
+rule for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 6693d87b..0cf108e0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,6 +2,7 @@
+ 
+ /etc/rsyslog\.conf					--	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog\.conf					--	gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog\.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog\.d(/.*)?					gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?						gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/systemd/journal.*\.conf		--	gen_context(system_u:object_r:syslog_conf_t,s0)
+@@ -32,10 +33,12 @@
+ /usr/sbin/auditctl	--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd	--	gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index adc628f8..07ed546d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ allow syslogd_t syslog_conf_t:dir list_dir_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
+-- 
+2.19.1
+
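Review bot: the new `/etc/syslog\.conf\.sysklogd` entry omits the `--` file-type qualifier that the neighbouring `/etc/syslog\.conf` and `/etc/rsyslog\.conf` entries use, so it would also label a directory or socket of that name; add `--` for consistency with the two `\.sysklogd` binary entries added below it. Commit message nit: "a allow rule" should be "an allow rule".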
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
new file mode 100755
index 0000000..ed470e4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,121 @@
+From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       |  4 +++
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if    | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te |  6 +++++
+ 4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8352428a..15745c83 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
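Review bot: none of the denials quoted in the commit message involve `initrc_t`, so `allow initrc_t init_t:system { start status }` and `allow initrc_t init_var_run_t:service { start status }` arrive without justification; please add the matching AVC lines or drop them. Raw `allow` rules appended to the end of `init.te` also bypass the module's interfaces, which is the usual refpolicy objection to this style.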
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
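Review bot: calling `systemd_service_lib_function(lib_t)` from `libraries.te` means a `systemd_*` interface hard-codes `initrc_t` as the subject and takes the target type as its argument, which inverts the refpolicy convention that `$1` is the calling domain; the cleaner shape is an interface in `systemd.if` that takes the domain and grants `start` on `systemd_unit_file_t`, and then the root cause (unit files under `/lib/systemd/system` ending up labelled `lib_t`) should be fixed in file_contexts rather than papered over.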
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 8d2bb8da..8fc61843 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',`
+ 
+ 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+ ')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++         gen_require(`
++               class service { start status stop };
++         ')
++
++	allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++         gen_require(`
++               class service start;
++         ')
++
++	allow initrc_t $1:service start;
++
++')
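Review bot: both new interfaces document their parameter as "Domain to not audit.", a copy-paste from a `dontaudit` interface; it should read "Domain allowed access." The summary says "start stop reset" while the rule grants `{ start status stop }`, and granting `service` permissions on `lib_t` means every object labelled `lib_t` is treated as a manageable unit; the quoted denial (`path="/lib/systemd/system/selinux-init.service" tcontext=system_u:object_r:lib_t:s0`) points at a labelling gap for that directory, which is the fix that keeps `systemd_unit_file_t` meaningful. The stray blank lines and mixed space/tab indentation inside the interface bodies should also be tidied.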
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ 	unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+-- 
+2.19.1
+
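Review bot: in the `unconfined.te` hunk, `allow unconfined_t init_t:system reload;` and the `systemd_service_file_operations(unconfined_t)` call are only needed because `unconfined_t` in this minimal policy is not actually unconfined; if that is the intent (a confined "unconfined" domain) it should be stated in the commit message, otherwise `unconfined_domain(unconfined_t)` already covers these and the two additions are redundant.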
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100755
index 0000000..77c6829
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils	--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
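Review bot: the `/usr/lib/busybox/bin/hostname` line separates path, `--` and gen_context with spaces, while the two new lines above it and the existing entry use tabs; align it with the rest of the file.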
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100755
index 0000000..98b6156
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++++++-
+ policy/modules/system/mount.te     | 3 +++
+ policy/modules/system/systemd.te   | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 345e07f3..39f860e0 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -472,3 +472,5 @@ optional_policy(`
+ 	samba_read_var_files(nsswitch_domain)
+ 	samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
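Review bot: `allow chkpwd_t proc_t:filesystem getattr;` should be `kernel_getattr_proc(chkpwd_t)`; this same series already uses that interface for systemd_tmpfiles_t, and proc_t is a kernel-module type that .te files in the system layer should not reference directly. The rule is also appended after the final optional_policy block instead of in the chkpwd_t section of the file.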
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8ab46925..520f7da6 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
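Review bot: the `syslogd_t self:sem` rule is not backed by any denial quoted in the message (only `shm { unix_read unix_write }` appears), and the two `self:shm` rules can be folded into one `{ create read write unix_read unix_write }`. The `tmpfs_t:file { read write }` grant reaches any generic tmpfs content rather than log files, which indicates that /var/volatile/log is not labelled var_log_t; fixing the label is the root-cause fix, and the rule keeps widening later in this series. Re-adding the klogd line only to fix the missing trailing newline is fine.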
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ 	unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
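Review bot: `allow mount_t proc_t:filesystem getattr;` has an interface, `kernel_getattr_proc(mount_t)`. The `initrc_t:udp_socket { read write }` rule answers a denial for a socket mount inherited from its initrc_t parent (`path="socket:[9717]"` in the message); an inherited descriptor that mount never uses is normally dontaudited rather than allowed, since mount has no reason to read or write a UDP socket.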
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a6f09dfd..68b80de3 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+ 
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
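Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` duplicates `kernel_getattr_proc(systemd_tmpfiles_t)` two lines below it. `init_t:file read` does not clear the quoted denial, which is for `{ open }` on /proc/1/environ; the missing `open` and `getattr` are added by a later patch in this series and should be squashed here, together with a comment on why systemd-tmpfiles needs to read init's environment. The `initrc_t:unix_dgram_socket sendto` rule is the same journal-socket workaround used for auditd and klogd in logging.te; one interface for it would avoid repeating the raw rule per domain.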
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100755
index 0000000..60d585b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
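Review bot: `/usr/bin/bash.bash` leaves the `.` unescaped; fc paths are regular expressions and the rest of this series escapes it (`hostname\.net-tools`, `login\.shadow`), so write `/usr/bin/bash\.bash`. The extra tab before `--` also breaks the column alignment of the surrounding entries.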
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
new file mode 100755
index 0000000..7d7908f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 15745c83..d6a0270a 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+ 
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
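Review bot: adding `reboot` to `allow initrc_t init_t:system` lets every process in the generic initrc_t domain reboot the machine, not only the `systemctl --force reboot` invocation in the quoted denial. If the minimum policy has no narrower domain for that path, the commit message should say so, and an init.if interface is preferable to editing the raw rule.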
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
new file mode 100755
index 0000000..f318c23
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -0,0 +1,30 @@
+From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 1e5432a4..ac7c2dd1 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
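Review bot: verify that an entry rooted at `/var/run/` can match in this refpolicy version: if file_contexts.subs_dist rewrites /var/run to /run before lookup, this line never applies and `/run/resolv\.conf.*` is needed instead. Unrelated to the hunk, the commit message carries Joe MacDonald's Signed-off-by twice.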
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
new file mode 100755
index 0000000..4f7d916
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc:  denied  { search } for  pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched.  That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time.  Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf             | 9 +++++++++
+ policy/modules/system/mount.te   | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
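Review bot: the message presents a choice between a booleans.conf template and editing the gen_tunable defaults, yet this patch does both (mount.te and systemd.te defaults are flipped as well), so one mechanism is dead weight; keep one. On substance, `allow_mount_anyfile` grants mount_t `mounton` on any directory or file, while the quoted denial needs only `allow mount_t initrc_var_run_t:dir mounton;` (the message says so itself), and `systemd_tmpfiles_manage_all` hands tmpfiles management of all non-security files; both are much broader than the denials they fix and deserve a sentence of justification.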
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+ 
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
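Review bot: flipping this gen_tunable default is redundant with `allow_mount_anyfile = true` in the booleans.conf created by the same patch, and changing the in-tree default affects every consumer of this refpolicy, not only the specific configuration the message says the change is intended for.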
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 68b80de3..a1ef6990 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+ 
+ ## <desc>
+ ## <p>
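Review bot: this default flip duplicates `systemd_tmpfiles_manage_all = true` in the booleans.conf added by the same patch; keep one mechanism. If the default stays true, the `<desc>` text above should note that managing all non-security files is now the shipped behaviour.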
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
new file mode 100755
index 0000000..8c71c90
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,27 @@
+From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+ /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
+ 
+ /usr/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
+ /usr/bin/pam_console_apply	--	gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/pam_timestamp_check	--	gen_context(system_u:object_r:pam_exec_t,s0)
+ /usr/bin/unix_chkpwd		--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
new file mode 100755
index 0000000..27cbc9f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -0,0 +1,103 @@
+From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:09 +0530
+Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
+ service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { write } for  pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc:  denied  { open } for  pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       | 2 ++
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if    | 6 ++++--
+ policy/modules/system/systemd.te    | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d6a0270a..035c7ad2 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
+ 
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
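Review bot: `stop` belongs in the existing rule on the line above, `allow initrc_t init_var_run_t:service { start status stop };`, rather than in a second rule separated by a blank line.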
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75750e4c..2c2cfc7d 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
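Review bot: the paired `dbus send_msg` rules are the shape of a dbus chat interface; init.if provides interfaces for chatting with init scripts over dbus, so use one instead of raw rules on initrc_t from locallogin.te. That the peer is initrc_t suggests logind itself runs as initrc_t in this minimum policy, which is the root cause these rules and the `init_var_run_t:fifo_file write` grant paper over; a note in the message would help.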
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 8fc61843..1166505f 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+          gen_require(`
+-               class service start;
++		class service { start status stop };
++		class file { execmod open };
+          ')
+ 
+-	allow initrc_t $1:service start;
++	allow initrc_t $1:service { start status stop };
++	allow initrc_t $1:file execmod;
+ 
+ ')
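Review bot: `allow initrc_t $1:file execmod;` matches none of the denials quoted in the message (they are `service { stop }`, `fifo_file write` and `file open`), and execmod is the permission that lets a domain execute a mapping it has modified, i.e. it defeats the W^X guarantee; it should not be handed out by a helper named for service operations. Drop it together with the unused `open` in `class file { execmod open }`. The `service` grants on what is presumably lib_t (the tcontext in the journald denial) are a symptom of /lib/systemd/system units being labelled lib_t; labelling them as unit files is the root-cause fix. The interface documentation still says "Domain to not audit", and the block mixes tabs and spaces.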
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a1ef6990..a62c3c38 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+ 
+ allow systemd_tmpfiles_t init_t:dir search;
+ allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ 
+ kernel_getattr_proc(systemd_tmpfiles_t)
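Review bot: this widens the `init_t:file read` rule added earlier in the series to `{ open getattr read }`; that earlier patch did not clear its own quoted `{ open }` denial, so squash this change into it. Since the target is /proc/1/environ, add a one-line comment on why systemd-tmpfiles needs init's environment.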
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
new file mode 100755
index 0000000..7a9f3f2
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
@@ -0,0 +1,31 @@
+From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:58:53 -0400
+Subject: [PATCH 08/34] fc/bind: fix real path for bind
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/bind.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index b4879dc1..59498e25 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
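Review bot: the `rndc\.conf` line uses runs of spaces where every other entry uses tabs, and the `init\.d/bind` addition also breaks the tab alignment. On the label: rndc.conf can carry the rndc key inline instead of including rndc.key; if that is how this image configures it, named_conf_t (readable by more domains than dnssec_t) exposes the secret, and dnssec_t as on the `rndc\.key` line would be the safer choice.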
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
new file mode 100755
index 0000000..efe81a4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,109 @@
+From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if  | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te |  2 ++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++	gen_require(`
++	type tmp_t;
++        class lnk_file getattr;
++	')
++
++	allow $1 tmp_t:lnk_file getattr;
++')
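Review bot: an interface defined in files.if should carry the `files_` prefix and describe the access it grants, not the caller; `systemd_service_allow_kernel_files_domain_to_tmp_t` names a systemd use case inside the kernel layer. Check whether an existing files.if interface for reading generic tmp symlinks already covers `tmp_t:lnk_file getattr` before adding a new one, and use tabs consistently inside gen_require.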
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ 	allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
+ 
++########################################
++## <summary>
++##	systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++         gen_require(`
++                type sysctl_kernel_t;
++                class dir search;
++                class file { open read };
++         ')
++
++        allow $1 sysctl_kernel_t:dir search;
++        allow $1 sysctl_kernel_t:file { open read };
++
++')
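Review bot: systemd.te already calls `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` (visible in the context of the earlier systemd.te hunk in this series), which grants search on sysctl_kernel_t directories and read on its files, so this interface appears redundant; confirm with sesearch against the built policy before adding it. If it is kept, give it the `kernel_` prefix like the rest of kernel.if, drop the blank line before `')`, and indent with tabs.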
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a62c3c38..9b696823 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+ 
+ kernel_read_system_state(systemd_update_done_t)
+ 
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
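Review bot: these two calls land at the end of the file in the systemd_update_done_t section rather than beside the other systemd_tmpfiles_t rules, and the interfaces they call are `systemd_`-prefixed but defined in the kernel layer; move the calls next to the tmpfiles block and name the interfaces after their owning modules.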
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
new file mode 100755
index 0000000..6039f49
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+ 
+ /usr/bin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+-/usr/sbin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock             	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock             	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
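Review bot: `/usr/sbin/hwclock` is removed and re-added with only a whitespace change, which is diff noise; keep the original line. The padding before `--` on the `/usr/sbin/hwclock` and `/sbin/hwclock` lines is spaces where the file uses tabs. Check whether /sbin is already an alias of /usr/sbin in file_contexts.subs_dist for this refpolicy; if so the `/sbin/hwclock` entry is unnecessary.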
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100755
index 0000000..f67221a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,70 @@
+From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc:  denied  { search } for  pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { write } for  pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { add_name } for  pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { sendto } for  pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc:  denied  { create } for  pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc:  denied  { append } for  pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc:  denied  { getattr } for  pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 423db0cc..9ab03956 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -132,3 +132,4 @@ optional_policy(`
+ 
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
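Review bot: agetty is sending to `/run/systemd/journal/dev-log`, the syslog socket, which refpolicy normally grants via `logging_send_syslog_msg(getty_t)`; the raw `initrc_t:unix_dgram_socket sendto` works only because the journal socket is owned by a process running as initrc_t in this minimum policy, and the same rule is repeated for auditd, klogd and systemd_tmpfiles elsewhere in the series. Factor it into one interface with a comment naming the journal socket.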
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 520f7da6..4e02dab8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
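Review bot: `create getattr append open` on generic `tmpfs_t:file` plus `write add_name` on `tmpfs_t:dir` lets syslogd_t create and write files anywhere on any tmpfs, not only under /var/volatile/log. The denials in the message show `/var/volatile/log/messages` inheriting tmpfs_t because nothing labels that directory; the narrower fix is a file context entry (and a type transition from tmpfs_t) giving /var/volatile/log var_log_t, after which the existing var_log_t rules for syslogd_t already apply. If raw tmpfs access is kept, use the filesystem module interfaces (fs_manage_tmpfs_files / fs_manage_tmpfs_dirs) rather than open-coding the allow in logging.te.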
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100755
index 0000000..dc715c4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg			--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
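Review bot: the first line of this hunk is a whitespace-only change (the existing /usr/bin/dmesg entry is re-tabbed), which adds churn to a patch marked Upstream-Status: Pending; keep the original line and add only the two new entries so the patch is the minimal change to send upstream. The commit message should also state which package provides dmesg.util-linux on the target image, since the suffix has to match the update-alternatives naming exactly for the file context to apply.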
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
new file mode 100755
index 0000000..09576fa
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -0,0 +1,27 @@
+From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 4ac3e733..1f453091 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ /usr/bin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
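Review bot: once update-alternatives is in play /usr/bin/ssh is a symlink to ssh.openssh, and the `--` qualifier on the existing `/usr/bin/ssh` entry only matches regular files, so that line is effectively dead on such images and the new `ssh\.openssh` entry is what labels the executable. That is the right outcome (the domain transition is computed on the resolved target inode), but the commit message should say so, and the same treatment should be checked for ssh-agent, ssh-keygen and sshd if those are alternatives-managed on the target, which this hunk does not show.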
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
new file mode 100755
index 0000000..f02bd3a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,48 @@
+From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index ac7c2dd1..4e441503 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
+ /usr/sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_configure		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_interface		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
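Review bot: `ip\.iproute2` is inserted before the `/usr/sbin/ip` entry it complements, breaking the alphabetical order the rest of this block keeps; move it directly after the `/usr/sbin/ip` line, the way `ifconfig\.net-tools` is placed after `ifconfig`.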
+@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
+ /usr/sbin/iw			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump			--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
++#
++# /usr/lib/busybox
++#
++/usr/lib/busybox/bin/ifconfig	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/bin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/sbin/mii-tool	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
+ #
+ # /var
+ #
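Review bot: the `--` qualifier on the three /usr/lib/busybox entries only matches regular files. In the usual OE layout these applet paths are symlinks to the busybox binary, in which case these entries label nothing and the domain transition is governed by the label of the busybox binary itself (a symlink labelled ifconfig_exec_t would not cause a transition anyway). Confirm on the image whether they are hard links or symlinks (`ls -li /usr/lib/busybox/bin/ip /bin/busybox*`); if symlinks, the entries are inert and the commit message should say how busybox applets are meant to reach ifconfig_t.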
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100755
index 0000000..495b82f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 009d821a..cc438609 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
++/usr/libexec/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100755
index 0000000..6ffabe4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
+From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/rpm.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 578d465c..f2b8003a 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
+ /run/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_run_t,s0)
+ 
+ ifdef(`enable_mls',`
+-/usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/cpio		--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio		--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
++
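Review bot: `/usr/bin/cpio.cpio` leaves the dot unescaped, so as a regex it matches any character in that position; write it `cpio\.cpio` as the other alternatives patches in this series do (`ssh\.openssh`, `su\.shadow`). The hunk also appends a blank line after `')` that is pure whitespace churn. Separately, this block sits under `ifdef(enable_mls)`, so on MLS builds /usr/bin/cpio, the path ordinary users actually invoke, becomes rpm_exec_t and only domains permitted to execute rpm_exec_t can run it; the commit message should justify that change in behaviour.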
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
new file mode 100755
index 0000000..c0fbb69
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -0,0 +1,26 @@
+From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/su.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c969..435a6892 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,3 +1,5 @@
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow	--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux	--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100755
index 0000000..34e9830
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/fstools.fc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 8fbd5ce4..d719e22c 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -58,6 +58,7 @@
+ /usr/sbin/addpart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +73,12 @@
+ /usr/sbin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
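Review bot: hdparm is not part of util-linux (OE builds it from its own hdparm recipe), so `/usr/sbin/hdparm\.util-linux` most likely names a file that never exists; the alternatives suffix comes from the providing package, so check the real link target on the image (`ls -l /usr/sbin/hdparm`) and use that name. `fdisk\.util-linux` is correct.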
+@@ -88,17 +91,20 @@
+ /usr/sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
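Review bot: the new `/usr/sbin/raw` entry is indented with two tabs where every neighbouring entry uses three, and raw is not an alternatives path, so it does not fit a patch titled "fix real path for fstools"; either align it and mention it in the commit message or move it to its own patch. Also note that `swapon.*` on the next line already covers the swapon alternative through its regex while swapoff needs an explicit `swapoff\.util-linux`, so the two siblings end up handled inconsistently; a `swapoff.*` pattern would match the existing style.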
+@@ -108,6 +114,12 @@
+ /usr/sbin/zstreamdump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
++/usr/lib/busybox/sbin/blkid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/fdisk	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/mkswap	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapoff	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapon	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++
+ /var/swap			--	gen_context(system_u:object_r:swapfile_t,s0)
+ 
+ /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
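Review bot: as with the busybox entries in the sysnetwork patch, these `--` entries only take effect if /usr/lib/busybox/sbin/{blkid,fdisk,mkswap,swapoff,swapon} are regular files or hard links; if they are symlinks to the busybox binary the entries are inert and no fsadm_t transition results. Verify the file type on the image before relying on them.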
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
new file mode 100755
index 0000000..8455c08
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -0,0 +1,33 @@
+From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
+ object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 07ed546d..a7b69932 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+ 
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
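Review bot: `mls_trusted_object(syslogd_t)` marks every object syslogd_t labels, not only the log socket, as MLS-trusted, which is a broad relaxation of the MLS constraints for the sake of one socket. Refpolicy already makes the log socket type (devlog_t) a trusted object, so the denials presumably come from the socket ending up labelled syslogd_t on Poky instead of devlog_t; the narrower fix is the file context or type transition that gives the socket devlog_t. If the attribute has to stay, the inline comment should say that this is an MLS-only effect, and the Inappropriate marking is the right one.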
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100755
index 0000000..b253f84
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
+From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 6 ++++++
+ policy/modules/system/logging.te | 2 ++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0cf108e0..5bec7e99 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 16091eb6..e83cb5b5 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, logfile, logfile)
+ ')
+ 
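Review bot: the raw `allow $1 var_log_t:lnk_file read_lnk_file_perms;` should be the refpolicy pattern macro `read_lnk_files_pattern($1, var_log_t, var_log_t)`, matching the `read_files_pattern` call just below it; the same applies to the three other interfaces this patch touches in logging.if. Using the pattern macro keeps the interfaces consistent with the rest of the file and is what upstream would expect even for a Poky-only change.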
+@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	can_exec($1, logfile)
+ ')
+ 
+@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	manage_files_pattern($1, var_log_t, var_log_t)
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index a7b69932..fa5664b0 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100755
index 0000000..588c5c6
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
+From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 10:33:18 -0400
+Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
+ /var/log
+
+We have added rules for the symlink of /var/log in logging.if, while
+syslogd_t uses /var/log but does not use the interfaces in logging.if. So
+still need add a individual rule for syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fa5664b0..63e92a8e 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
+ 
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
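Review bot: the patch header names Joe MacDonald as author, but the first Signed-off-by and the first-person wording of the message ("We have added rules for the symlink of /var/log in logging.if") belong to Xin Ouyang's original series; fix the From: line on the next rebase so attribution matches the sign-offs. The rule itself is consistent with the preceding patch, since syslogd_t open-codes its var_log_t access instead of going through logging.if.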
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
new file mode 100755
index 0000000..3d55476
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -0,0 +1,36 @@
+From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
+ symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/domain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 1a55e3d2..babb794f 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ ifdef(`hide_broken_symptoms',`
+ 	# This check is in the general socket
+ 	# listen code, before protocol-specific
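Review bot: `files_read_var_symlinks(domain)` grants every domain, including the most locked-down ones, read on var_t symlinks, and kernel/domain.te is the base module all distributions share; the commit message itself calls this a relaxation. The /var/log and /tmp links are handled elsewhere in this series by labelling the link with its target's type, and the remaining /var subdirectory links named in the message (/var/lock, /var/run and the rest) could be handled the same way, confining the extra permission to the types that already own those directories. If the blanket rule must stay, guard it with a build-time conditional so it does not leak into non-Poky builds.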
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
new file mode 100755
index 0000000..2546457
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -0,0 +1,100 @@
+From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c3496c21..05b1734b 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+ # /tmp
+ #
+ /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.*				<<none>>
+ /tmp/\.journal			<<none>>
+ 
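Review bot: this labels the /tmp symlink itself tmp_t, but `/tmp/.*` stays `<<none>>` and nothing here labels the directory the link points to; `filetrans_pattern($1, tmp_t, ...)` in files_tmp_filetrans only fires when the resolved parent directory is tmp_t, so wherever /tmp points on Poky must carry tmp_t through its own file context entry. State that target path in the commit message and confirm its label on the image with `matchpathcon`.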
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f1c94411..eb067ad3 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
+ 	')
+ 
+ 	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ 	')
+ 
+ 	manage_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ 	')
+ 
+ 	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
+ 	')
+ 
+ 	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
new file mode 100755
index 0000000..3281ae8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -0,0 +1,123 @@
+From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
+ to complete pty devices.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/terminal.if | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 61308843..a84787e6 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file getattr;
++	dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir search;
+ 	allow $1 devpts_t:chr_file ioctl;
++	allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+ 
+ ########################################
+@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	allow $1 devpts_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file setattr;
++	dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+ 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
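Review bot: bsdpty_device_t covers the legacy BSD /dev/ttyp* and /dev/ptyp* nodes; on a kernel built without legacy pty support these nodes never exist and every addition in this patch is a dead rule, while on one that has them the "generic pty" interfaces now hand out read/write on all BSD ptys to callers that only asked for the Unix98 /dev/pts devices. The commit message should state which Poky target actually creates these nodes, and the patch should not be marked Pending for upstream without that justification.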
+@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ #######################################
+@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ #######################################
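Review bot: the two controlling-terminal interfaces in this region (term_setattr_controlling_term and term_use_controlling_term) are, by name, about the caller's own controlling tty (devtty_t), but the added `allow $1 bsdpty_device_t:chr_file setattr;` and `allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };` lines grant every caller of these interfaces setattr and read/write on all BSD pty device nodes, not just its own terminal. That is a wider grant than the *_generic_ptys interfaces above already provide; if BSD ptys really must be reachable through the controlling-term path, say why in the commit message and update the interface summaries, otherwise keep the bsdpty_device_t rules in the *_generic_ptys interfaces only.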
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
new file mode 100755
index 0000000..887af46
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -0,0 +1,37 @@
+From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
+ term_dontaudit_use_console.
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/terminal.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index a84787e6..cf66da2f 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -335,9 +335,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
++		type tty_device_t;
+ 	')
+ 
++	init_dontaudit_use_fds($1)
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
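Review bot: `init_dontaudit_use_fds($1)` inside term_dontaudit_use_console makes a kernel-layer interface in terminal.if depend on the init module; refpolicy keeps kernel-layer interfaces free of system-layer calls, so either wrap the call in optional_policy(`...') or move it to the callers that actually need it. The added `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` also widens an interface whose name promises only console_device_t; record that in the interface summary so callers know it now hides tty_device_t denials as well. Separately, every .patch file in this commit is added with mode 100755; patch files should not be executable (100644).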
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
new file mode 100755
index 0000000..0188fa9
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
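Review bot: the subject says "allow nfsd to exec shell commands", but the only change in this hunk is uncommenting `kernel_mounton_proc(nfsd_t)`; the subject and body should describe the mounton rule and quote the denial that motivated it, because the line was deliberately commented out upstream and re-enabling it lets nfsd_t mount over proc entries. An Upstream-Status of "Inappropriate [only for Poky]" also does not fit a generic policy rule: if nfsd needs to mount on /proc under Poky, it needs it everywhere, so this should be Pending and sent upstream.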
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
new file mode 100755
index 0000000..b4befdd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -0,0 +1,77 @@
+From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
+ nfsd_fs_t.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/filesystem.te | 1 +
+ policy/modules/kernel/kernel.te     | 2 ++
+ policy/modules/services/rpc.te      | 5 +++++
+ policy/modules/services/rpcbind.te  | 5 +++++
+ 4 files changed, 13 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 1db0c652..bf1c0173 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type nsfs_t;
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index e971c533..ad7c823a 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ 	# Bugzilla 222337
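Review bot: `mls_socket_write_all_levels(kernel_t)` and `mls_fd_use_all_levels(kernel_t)` are global MLS overrides for kernel_t, yet the commit message only talks about nfsd mounting nfsd_fs_t; state which denial these two lines fix, because loosening the MLS constraints on kernel_t affects every MLS policy built from this tree, not just the NFS server.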
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index d4209231..a2327b44 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ optional_policy(`
+ 	mount_exec(nfsd_t)
++	# Should domtrans to mount_t while mounting nfsd_fs_t.
++	mount_domtrans(nfsd_t)
++	# nfsd_t need to chdir to /var/lib/nfs and read files.
++	files_list_var(nfsd_t)
++	rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
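Review bot: with `mount_domtrans(nfsd_t)` added, the pre-existing `mount_exec(nfsd_t)` in the same optional_policy block is redundant, and keeping both leaves a second path in which mount runs inside nfsd_t without the transition the comment says is wanted; drop mount_exec. Minor: the added comment "nfsd_t need to chdir to /var/lib/nfs" should read "needs".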
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 5914af99..2055c114 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
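Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` let rpcbind exchange data with sockets at any level, which is far wider than the single nfsd_t to rpcbind_t stream connection the comment describes; consider running nfsd_t and rpcbind_t at the same level instead, or at least record in the commit message that this is a deliberate MLS relaxation for rpcbind. Typo in the added comment: "because the are running" should be "because they are running".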
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
new file mode 100755
index 0000000..94b7dd3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
++
+ 	allow $1 security_t:filesystem mount;
+ ')
+ 
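Review bot: this patch is tagged "Upstream-Status: Inappropriate [only for Poky]", but the move of SELINUXMNT from /selinux to /sys/fs/selinux is a kernel change that affects every distribution, and refpolicy already calls dev_search_sysfs in selinux_read_policy further down this file; the status should be Pending and the `dev_getattr_sysfs($1)` / `dev_search_sysfs($1)` additions offered upstream rather than carried as a Poky-only patch.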
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
++
+ 	allow $1 security_t:filesystem remount;
+ ')
+ 
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+ 	')
+ 
+ 	allow $1 security_t:filesystem unmount;
++
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
+ ')
+ 
+ ########################################
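Review bot: in selinux_unmount_fs the `dev_getattr_sysfs($1)` and `dev_search_sysfs($1)` calls are placed after the `allow $1 security_t:filesystem unmount;` rule, whereas the selinux_mount_fs and selinux_remount_fs hunks above put them before the allow; order them the same way in all three interfaces.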
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+ 	')
+ 
+ 	dontaudit $1 security_t:dir getattr;
++	dev_dontaudit_getattr_sysfs($1)
++	dev_dontaudit_search_sysfs($1)
+ ')
+ 
+ ########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_getattr_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ 	dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir list_dir_perms;
+ 	dontaudit $1 security_t:file rw_file_perms;
+ 	dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 self:netlink_selinux_socket create_socket_perms;
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
new file mode 100755
index 0000000..c20dd5f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,31 @@
+From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
+type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/roles/sysadm.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index e411d4fd..f326d1d7 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -939,6 +939,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpcbind_stream_connect(sysadm_t)
+ 	rpcbind_admin(sysadm_t, sysadm_r)
+ ')
+ 
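Review bot: the AVC quoted in the commit message shows scontext=system_u:system_r:rpcbind_t and tcontext=system_u:system_r:rpcbind_t, i.e. rpcinfo was already running in rpcbind_t, so adding `rpcbind_stream_connect(sysadm_t)` does not address the denial shown. Either re-capture the denial from a sysadm_t shell, which is what the subject describes, or explain how a command run by sysadm ended up in the daemon's domain, because if rpcinfo is transitioning into rpcbind_t that transition is the bug to fix.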
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
new file mode 100755
index 0000000..e0208aa
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -0,0 +1,45 @@
+From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
+ config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.if | 1 +
+ policy/modules/system/userdomain.if  | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 20024993..0fdc8c10 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
+ 	')
+ 
+ 	files_search_etc($1)
++	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
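Review bot: adding `manage_dirs_pattern($1, selinux_config_t, selinux_config_t)` to seutil_manage_config changes what every existing caller of the interface receives (creating and deleting directories under /etc/selinux, not just files); check that the interface summary still describes it and that no current caller should stay limited to files. The commit body gives no denial or symptom beyond "fix selinux utils to manage config files", so please add the one that triggered this.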
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 5221bd13..4cf987d1 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
+ 	logging_read_audit_config($1)
+ 
+ 	seutil_manage_bin_policy($1)
++	seutil_manage_default_contexts($1)
++	seutil_manage_file_contexts($1)
++	seutil_manage_module_store($1)
++	seutil_manage_config($1)
+ 	seutil_run_checkpolicy($1, $2)
+ 	seutil_run_loadpolicy($1, $2)
+ 	seutil_run_semanage($1, $2)
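Review bot: the four added seutil_manage_* calls give every domain built from userdom_security_admin_template write access to the default contexts, the file contexts, the module store and the /etc/selinux configuration, which amounts to the ability to change what policy is loaded next; that is within the purpose of a security-admin template, but the commit message should state it explicitly and name the utility that failed, since "fix selinux utils to manage config files" does not say which of these four stores was actually needed.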
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
new file mode 100755
index 0000000..e62c81e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+ file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index db6bb368..98fed2d0 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+ 
++fs_getattr_all_fs(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_cgroup(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
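Review bot: once `fs_getattr_all_fs(setfiles_t)` is present, the following `fs_getattr_all_xattr_fs(setfiles_t)`, `fs_getattr_cgroup(setfiles_t)` and `fs_getattr_nfs(setfiles_t)` lines are subsumed and should be removed to keep the block readable. The broader grant itself is reasonable: getattr on the filesystem class is read-only metadata, which is all statvfs needs for a relabelling tool walking /proc/mounts.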
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
new file mode 100755
index 0000000..88c94c5
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+ default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+ 
+ 	corecmd_search_bin($1)
+ 	can_exec($1, dmesg_exec_t)
++	dev_read_kmsg($1)
+ ')
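Review bot: dmesg_exec is the "run dmesg in the caller's own domain" interface, so `dev_read_kmsg($1)` hands every caller direct read access to /dev/kmsg whether or not it ever runs dmesg; if the goal is only that dmesg works without a domain transition, callers should use the domtrans interface in the same file and the kmsg access should stay with dmesg_t. This patch also lacks the Upstream-Status line that the other patches in the series carry.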
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
new file mode 100755
index 0000000..d002830
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -0,0 +1,41 @@
+From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
+ mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
+   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
+root@localhost:~#
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/ftp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
+index 29bc077c..d582cf80 100644
+--- a/policy/modules/services/ftp.te
++++ b/policy/modules/services/ftp.te
+@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
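Review bot: `mls_file_write_all_levels(ftpd_t)` removes the MLS write-down constraint for ftpd_t on every file, not only the var_run_t directory in the quoted denial; the sesearch output in the commit body confirms the TE allow already exists, so the denial comes purely from the MLS constraint (ftpd_t at s15 writing a s0-s15 object). A narrower fix is to run proftpd at s0 like the other daemons, or to use one of the range-limited write interfaces from mls.if. The rule is also placed in the ftpdctl_tmp_t / sftpd_t declaration section; it belongs with the other ftpd_t rules.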
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
new file mode 100755
index 0000000..37d180c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -0,0 +1,32 @@
+From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 12 Jun 2015 19:37:52 +0530
+Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
+ rules
+
+It provide, the systemd support related allow rules
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index eabba1ed..5da25cd6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1418,3 +1418,8 @@ optional_policy(`
+ 	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ 	userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
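Review bot: the three raw `allow` rules appended at the end of init.te bypass the module interfaces (kernel_t, devpts_t and device_t are kernel-layer types) and are not inside the ifdef(`init_systemd',...) block the rest of the systemd policy in this file uses, so sysvinit builds also receive `allow kernel_t init_t:process dyntransition;`, which lets the kernel domain switch into init_t without an exec. Guard the rules with init_systemd, express them through interfaces where they exist, and move `allow devpts_t device_t:filesystem associate;` to the terminal or devices module where those types are declared.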
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
new file mode 100755
index 0000000..644c2cd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -0,0 +1,67 @@
+From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 5 Apr 2019 11:53:28 -0400
+Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
+
+init and locallogin modules have a depend for sysadm module because
+they have called sysadm interfaces(sysadm_shell_domtrans). Since
+sysadm is not a core module, we could make the sysadm_shell_domtrans
+calls optionally by optional_policy.
+
+So, we could make the minimum policy without sysadm module.
+
+Upstream-Status: pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       | 16 +++++++++-------
+ policy/modules/system/locallogin.te |  4 +++-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 5da25cd6..8352428a 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -446,13 +446,15 @@ ifdef(`init_systemd',`
+ 		modutils_domtrans(init_t)
+ 	')
+ ',`
+-	tunable_policy(`init_upstart',`
+-		corecmd_shell_domtrans(init_t, initrc_t)
+-	',`
+-		# Run the shell in the sysadm role for single-user mode.
+-		# causes problems with upstart
+-		ifndef(`distro_debian',`
+-			sysadm_shell_domtrans(init_t)
++	optional_policy(`
++		tunable_policy(`init_upstart',`
++			corecmd_shell_domtrans(init_t, initrc_t)
++		',`
++			# Run the shell in the sysadm role for single-user mode.
++			# causes problems with upstart
++			ifndef(`distro_debian',`
++				sysadm_shell_domtrans(init_t)
++			')
+ 		')
+ 	')
+ ')
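Review bot: the new optional_policy wraps the whole tunable_policy(`init_upstart',...) block, so when the sysadm module is absent the upstart branch `corecmd_shell_domtrans(init_t, initrc_t)` is dropped too, even though it has no dependency on sysadm. Only the ifndef(`distro_debian') / `sysadm_shell_domtrans(init_t)` part needs the optional_policy wrapper; the locallogin.te hunk below gets this right by wrapping just the single call.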
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index a56f3d1f..4c679ff3 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+ 
+-sysadm_shell_domtrans(sulogin_t)
++optional_policy(`
++	sysadm_shell_domtrans(sulogin_t)
++')
+ 
+ # by default, sulogin does not use pam...
+ # sulogin_pam might need to be defined otherwise
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
new file mode 100755
index 0000000..c374384
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -0,0 +1,33 @@
+From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
+ /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 15c4ea53..596370b1 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+ 
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
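Review bot: `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` references var_log_t directly from apache.te instead of going through logging.if; the commit message itself says the symlink rules were added to logging.if, so the fix here should be to call that interface (adding one to logging.if if none exposes the /var/log symlink rule) rather than duplicating the rule with a type owned by another module.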
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100755
index 0000000..5e38b8c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
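Review bot: substitutions from file_contexts.subs_dist are applied once and not chained, so `/var/volatile/run /var/run` rewrites to /var/run but never picks up the `/var/run /run` entry above it, and lookups then miss the /run entries in file_contexts; map it to /run directly. `/var/volatile/run/lock /var/lock` also shares a prefix with `/var/volatile/run`, so confirm the lookup order gives the longer prefix precedence, otherwise /var/volatile/run/lock resolves to /var/run/lock rather than /var/lock.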
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
new file mode 100755
index 0000000..98d98d4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,53 @@
+From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/shutdown.fc      | 1 +
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/system/init.fc         | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 03a2230c..2ba049ff 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+ /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index cf3848db..86920167 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce93..93e9d2b4 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
+ # /usr
+ #
+ /usr/bin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/bin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
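Review bot: the new entry `/usr/sbin/init\.sysvinit` sits among /usr/bin entries, and the existing init entry is `/usr/bin/init(ng)?`; either the sysvinit alternative really installs under /usr/sbin while init itself is labelled under /usr/bin, or the path is wrong and the file context will never match. Confirm against where update-alternatives places the .sysvinit target on the image. This patch's subject also lacks the [PATCH n/34] numbering the rest of the series carries, which suggests it was generated separately; regenerate it with the series.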
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
new file mode 100755
index 0000000..3cc5395
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -0,0 +1,68 @@
+From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc:  denied  { getattr } for  pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc:  denied  { open } for  pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te   | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 6d3c4284..423db0cc 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -129,3 +129,6 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
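Review bot: the quoted denial is a labeling problem, not a missing getty permission: /var/volatile/log/wtmp carries the generic tmpfs_t, so the wtmp_t type refpolicy gives /var/log/wtmp (and any rule getty has on it) never applies. Granting getty_t `open write lock` on every tmpfs_t file is far broader than wtmp. Prefer a `/var/volatile/log /var/log` entry in file_contexts.subs_dist, the same approach this series already uses for /var/volatile/tmp and /var/volatile/lock, so wtmp is labeled wtmp_t; if a tmpfs rule is really required, use the filesystem interfaces (fs_search_tmpfs, fs_rw_tmpfs_files) rather than bare allows on a type owned by another module, and do not append them after the optional_policy tail.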
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index e6221a02..4cc73327 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+ 
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
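Review bot: `allow audisp_t initrc_t:unix_dgram_socket sendto;` hard-codes that the peer behind /run/systemd/journal/dev-log (journald) runs as initrc_t, which is only true because refpolicy-minimum leaves journald unconfined; logging.te also names initrc_t here with no gen_require or init.if interface, so this only compiles in a monolithic build. Route it through an init interface (or logging_send_syslog_msg once journald has its own domain) so the dependency on initrc_t is explicit.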
+@@ -620,3 +621,10 @@ optional_policy(`
+ 	# log to the xconsole
+ 	xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
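Review bot: the auditd_t dir rule lists `search` twice in `{ open read search add_name write getattr search }`, and the hunk leaves logging.te without a trailing newline (patch 4/9 then has to re-add it; fix it here). More substantively, letting auditd_t create, append to and setattr arbitrary tmpfs_t files means audit.log under /var/volatile/log is not auditd_log_t and loses the protection that type gives it; mapping /var/volatile/log to /var/log in file_contexts.subs_dist removes the need for these rules. The auditd_t and klogd_t sendto initrc_t rules carry the same journald-as-initrc_t coupling as the audisp_t rule above.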
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100755
index 0000000..22eab15
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
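Review bot: libselinux applies file_contexts.subs once, on the lookup key, and does not re-substitute the result, so /usr/lib/busybox/bin/hostname becomes /bin/hostname and is matched against the specs as-is. The fc files in this series (corecommands.fc, hostname.fc) write their specs under /usr/bin and rely on a /bin to /usr/bin alias that will not be applied after this one. Map the busybox tree straight to /usr/bin (and sbin to wherever this tree keeps its sbin specs), and confirm with `matchpathcon /usr/lib/busybox/bin/hostname`, which should report hostname_exec_t rather than bin_t or lib_t.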
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100755
index 0000000..e2c6c89
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,54 @@
+From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 4c679ff3..75750e4c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -288,3 +288,13 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
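Review bot: `allow local_login_t self:capability net_admin;` is not backed by any of the three denials quoted above (lastlog read/write/lock and sendto), and CAP_NET_ADMIN is a large grant for a login program; drop it or quote the denial it fixes. The lastlog denials again show a labeling problem (/var/volatile/log/lastlog is var_log_t on tmpfs instead of lastlog_t), so the generic var_log_t, tmpfs_t and var_run_t write rules paper over a missing /var/volatile/log mapping rather than a missing login permission. Minor: `{ open read write lock}` and `{ add_name write search}` lack the closing space used elsewhere.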
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
new file mode 100755
index 0000000..f194d6d
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -0,0 +1,57 @@
+From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
+rule for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 6693d87b..0cf108e0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,6 +2,7 @@
+ 
+ /etc/rsyslog\.conf					--	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog\.conf					--	gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog\.conf\.sysklogd	gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog\.d(/.*)?					gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?						gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/systemd/journal.*\.conf		--	gen_context(system_u:object_r:syslog_conf_t,s0)
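Review bot: the commit message says /etc/syslog.conf is a symlink and adds an lnk_file rule for syslog_conf_t, but the existing `/etc/syslog\.conf -- ...` spec only matches regular files, so the symlink itself keeps the generic /etc label and the new lnk_file rule never applies. Either drop the `--` from that spec (or add a spec for the link) so the symlink gets syslog_conf_t, or the .te change is dead. The new `/etc/syslog\.conf\.sysklogd` line also omits the `--` its neighbours use, so it matches any object type.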
+@@ -32,10 +33,12 @@
+ /usr/sbin/auditctl	--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd	--	gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 0c5be1cd..38ccfe3a 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ allow syslogd_t syslog_conf_t:dir list_dir_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
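Review bot: `read_file_perms` is the regular-file set; for the lnk_file class use `read_lnk_file_perms` ({ getattr read }), as the rest of refpolicy does. This rule only has an effect if the /etc/syslog.conf symlink is actually labeled syslog_conf_t, which the logging.fc hunk above does not arrange.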
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
new file mode 100755
index 0000000..968a9be
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,121 @@
+From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       |  4 +++
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if    | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te |  6 +++++
+ 4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d8696580..e15ec4b9 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
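Review bot: `allow init_t self:capability2 audit_read;` and `allow initrc_t init_var_run_t:service { start status };` do not correspond to any denial in the commit message (those concern unconfined_t and lib_t:service); quote the denials they fix or drop them. The initrc_t rules are also appended as bare allows after the last optional_policy block; refpolicy's init.if provides interfaces for the init_t:system permissions, so call those from the initrc_t section instead.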
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
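Review bot: `systemd_service_lib_function(lib_t)` grants initrc_t `service start` on lib_t, i.e. on every shared library and everything else under /lib, because /lib/systemd/system/selinux-init.service is mislabeled lib_t (see the quoted denial). Fix the unit-file labeling (check the /lib to /usr/lib alias and the unit-directory spec with `matchpathcon /lib/systemd/system/selinux-init.service`) rather than widening the library type. The call is also outside optional_policy, so the libraries module now hard-depends on systemd.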
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 6353ca69..4519a448 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
+ 
+ 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+ ')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++         gen_require(`
++               class service { start status stop };
++         ')
++
++	allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++         gen_require(`
++               class service start;
++         ')
++
++	allow initrc_t $1:service start;
++
++')
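Review bot: both interfaces break refpolicy interface conventions. `systemd_service_lib_function` hard-codes initrc_t as the subject and takes the target type as $1, the reverse of every other interface (the first parameter is the calling domain), and `systemd_service_file_operations` hard-codes lib_t; neither gen_require declares the lib_t or initrc_t it uses, only the service class. Both `<param>` blocks say "Domain to not audit." (copied from a dontaudit template), and the first summary says "start stop reset" while the rule grants { start status stop }. Indentation also mixes spaces and tabs.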
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ 	unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
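Review bot: `systemd_service_file_operations(unconfined_t)` is called outside optional_policy, unlike the surrounding calls, and `allow unconfined_t init_t:system reload;` names init_t from unconfined.te without an interface; put both behind init/systemd interfaces inside an optional_policy block so the module dependencies stay explicit.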
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100755
index 0000000..36bfdcf
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools	--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils	--	gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
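Review bot: if the busybox aliases from patch 02/34 are installed, the `/usr/lib/busybox/bin/hostname` spec is dead code: libselinux rewrites the lookup key through file_contexts.subs before matching, so that path is never compared against the specs. Rely on the alias or on this spec, not both, and verify with `matchpathcon /usr/lib/busybox/bin/hostname`. The line also uses spaces where the neighbouring entries use tabs, and the new entries are inserted above the existing /usr/bin/hostname with a stray blank line rather than kept together.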
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100755
index 0000000..06b9192
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++++++-
+ policy/modules/system/mount.te     | 3 +++
+ policy/modules/system/systemd.te   | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 28f74bac..dfa46612 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -479,3 +479,5 @@ optional_policy(`
+ 	samba_read_var_files(nsswitch_domain)
+ 	samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
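Review bot: use `kernel_getattr_proc(chkpwd_t)` (the interface already present in the systemd.te context further down in this patch) instead of naming proc_t directly in authlogin.te; a bare reference to another module's type only compiles in a monolithic build.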
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4cc73327..98c2bd19 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
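Review bot: the shm/sem rules can be collapsed to the standard sets (`allow syslogd_t self:shm create_shm_perms;` and `allow syslogd_t self:sem create_sem_perms;`) instead of two partial shm lines, and `allow syslogd_t tmpfs_t:file { read write };` should go through `fs_rw_tmpfs_files(syslogd_t)` since tmpfs_t belongs to the filesystem module. It is also not clear from the quoted denials which file on tmpfs syslogd needs; if it is the log under /var/volatile/log, this is the same labeling problem as the auditd and getty rules in patch 1/9.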
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ 	unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
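Review bot: the quoted `read write` denial on `socket:[9717]` (a udp_socket owned by initrc_t) is a leaked descriptor inherited from the initrc_t parent; mount has no reason to use it, so refpolicy convention is to dontaudit the inherited descriptor and fix the leak with close-on-exec in the caller, not to let mount_t read and write another domain's UDP socket. `allow mount_t proc_t:filesystem getattr;` should be `kernel_getattr_proc(mount_t)`.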
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f6455f6f..b13337b9 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+ 
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
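Review bot: `allow systemd_tmpfiles_t init_t:file read;` cannot clear the quoted denial, which is for `open` on /proc/1/environ: `read` without `open` only covers an already-open descriptor, so the denial will come back. Use the read_file_perms set, or better an init.if interface for reading init's process state, rather than spelling out init_t:dir and init_t:file. `allow systemd_tmpfiles_t proc_t:filesystem getattr;` also duplicates the `kernel_getattr_proc(systemd_tmpfiles_t)` call two lines below it in this hunk's context.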
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100755
index 0000000..194a474
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
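Review bot: `/usr/bin/bash.bash` leaves the dot unescaped; every other alternative-suffix spec in this series (`shutdown\.sysvinit`, `login\.shadow`, `klogd\.sysklogd`) escapes it. Harmless here, but make it `/usr/bin/bash\.bash` for consistency and so the spec cannot match anything else.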
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
new file mode 100755
index 0000000..aec54cd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e15ec4b9..843fdcff 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+ 
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
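Review bot: prefer the init.if interface for this (init_reboot_system) over extending the bare allow, and note what it grants: every script that runs as initrc_t can now reboot the host, not just the shutdown path that produced the quoted denial. If only the shutdown/halt scripts need it, a dedicated domain for them would be narrower.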
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
new file mode 100755
index 0000000..d098118
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -0,0 +1,30 @@
+From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 1e5432a4..ac7c2dd1 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
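Review bot: specs in this tree are written against /run (for example `/run/shutdown\.pid` in shutdown.fc), and refpolicy's file_contexts.subs_dist aliases /var/run to /run before matching, so a `/var/run/resolv\.conf.*` spec is never compared against the real key; write it as `/run/resolv\.conf.*` and check with `matchpathcon /var/run/resolv.conf`. The commit message also carries the same Signed-off-by line twice.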
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
new file mode 100755
index 0000000..bf770d9
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc:  denied  { search } for  pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched.  That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time.  Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf             | 9 +++++++++
+ policy/modules/system/mount.te   | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+ 
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
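Review bot: this flips the upstream default and the patch also ships booleans.conf with the same value; the commit message presents those as alternatives, so keep one (booleans.conf, which stays a build-time input and avoids carrying a modified .te). Also, the quoted denial needs only `mounton` on initrc_var_run_t dirs, which the message itself spells out as a one-line rule; allow_mount_anyfile lets mount_t mount on any file or directory on the system, a much larger grant than /run/media needs.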
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b13337b9..74f9c1cb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+ 
+ ## <desc>
+ ## <p>
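Review bot: as with the mount.te change in this patch, either the default flip or the booleans.conf entry, not both. The quoted denial is a single `search` on a sysctl_t directory, which a narrow kernel_ interface covers, whereas systemd_tmpfiles_manage_all gives tmpfiles manage rights over all non-security file types; the commit message also cites audit.log creation, which is the /var/volatile/log labeling issue rather than something this boolean should solve.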
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
new file mode 100755
index 0000000..824c136
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,27 @@
+From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+ /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
+ 
+ /usr/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow	--	gen_context(system_u:object_r:login_exec_t,s0)
+ /usr/bin/pam_console_apply	--	gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/pam_timestamp_check	--	gen_context(system_u:object_r:pam_exec_t,s0)
+ /usr/bin/unix_chkpwd		--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
new file mode 100755
index 0000000..307574c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -0,0 +1,103 @@
+From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:09 +0530
+Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
+ service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { write } for  pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc:  denied  { open } for  pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       | 2 ++
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if    | 6 ++++--
+ policy/modules/system/systemd.te    | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 843fdcff..ca8678b8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
+ 
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
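Review bot: the new `allow initrc_t init_var_run_t:service stop;` duplicates the subject and target of the rule two lines above and should be folded into it as `allow initrc_t init_var_run_t:service { start status stop };`. Note also that the `stop` denial quoted in the commit message has `tcontext=system_u:object_r:lib_t:s0 tclass=service`, not init_var_run_t, so this rule does not cover that denial (the systemd.if change does); if it was added for a different denial, include that one in the message.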
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75750e4c..2c2cfc7d 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
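Review bot: only the `init_var_run_t:fifo_file write` rule matches a denial in the commit message; the two `dbus send_msg` rules between local_login_t and initrc_t are not explained by any quoted AVC and need their own justification. All three are raw allow rules on another module's types written directly in locallogin.te; refpolicy convention is to reach init types through init.if interfaces and to place dbus rules inside an `optional_policy(` block for the dbus module so the policy still builds when that module is absent.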
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 4519a448..79133e6f 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+          gen_require(`
+-               class service start;
++		class service { start status stop };
++		class file { execmod open };
+          ')
+ 
+-	allow initrc_t $1:service start;
++	allow initrc_t $1:service { start status stop };
++	allow initrc_t $1:file execmod;
+ 
+ ')
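Review bot: `allow initrc_t $1:file execmod;` is unrelated to the service start/status/stop denials this patch describes and is a significant relaxation: execmod lets initrc_t execute modified (text-relocated or written) mappings of every file type passed to `systemd_service_lib_function`, which is exactly what the W^X rules in refpolicy exist to prevent. Split it out with its own denial and rationale, or drop it. Also, `gen_require` now declares `class file { execmod open }` but `open` is never used in the body; remove it, and keep the body's indentation consistent with the surrounding tabs.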
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 74f9c1cb..f1d26a44 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+ 
+ allow systemd_tmpfiles_t init_t:dir search;
+ allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ 
+ kernel_getattr_proc(systemd_tmpfiles_t)
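Review bot: `allow systemd_tmpfiles_t init_t:file { open getattr read };` should use the `read_file_perms` macro, as the first context line of this hunk already does for `systemd_tmpfiles_conf_type`, so that `lock` and `ioctl` denials do not show up later as a second patch. Since the target is `/proc/1/environ` (init's process state), the init module's process-state read interface is the conventional way to express this rather than a raw rule on `init_t` in systemd.te.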
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
new file mode 100755
index 0000000..6472a21
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
@@ -0,0 +1,31 @@
+From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:58:53 -0400
+Subject: [PATCH 08/34] fc/bind: fix real path for bind
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/bind.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index b4879dc1..59498e25 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf    --      gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
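Review bot: the new `/etc/bind/rndc\.conf` entry is separated from its type with spaces while every neighbouring line in this file uses tabs; realign with tabs so the file stays consistent and diffs cleanly.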
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
new file mode 100755
index 0000000..05543da
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
+From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if  | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te |  2 ++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++	gen_require(`
++	type tmp_t;
++        class lnk_file getattr;
++	')
++
++	allow $1 tmp_t:lnk_file getattr;
++')
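Review bot: the interface name `systemd_service_allow_kernel_files_domain_to_tmp_t` does not follow the naming of this file (compare `files_unconfined` in the hunk context), where every interface is `files_` prefixed and named for what it grants; something like `files_getattr_tmp_symlinks` describes the single rule `allow $1 tmp_t:lnk_file getattr;`, and the `<summary>` text should say the same instead of "systemd tmp files access to kernel tmp files domain". The `class lnk_file getattr;` line is indented with spaces while the rest of the block uses tabs.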
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ 	allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
+ 
++########################################
++## <summary>
++##	systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++         gen_require(`
++                type sysctl_kernel_t;
++                class dir search;
++                class file { open read };
++         ')
++
++        allow $1 sysctl_kernel_t:dir search;
++        allow $1 sysctl_kernel_t:file { open read };
++
++')
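Review bot: this interface grants `sysctl_kernel_t:file { open read }` in addition to the `dir search` that the quoted denial asks for, so it is wider than the fix it claims to be; either show the file denial or drop the file rule. As with the files.if change, the name should carry the `kernel_` prefix used by the rest of kernel.if (see `kernel_ib_manage_subnet_unlabeled_endports` in the hunk header), and before adding a new interface check whether kernel.if already offers a read interface for kernel sysctls, since this is a common need. The body is space-indented where the file uses tabs and has a stray blank line before `')`.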
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f1d26a44..b4c64bc1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+ 
+ seutil_read_file_contexts(systemd_update_done_t)
+ 
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+ systemd_log_parse_environment(systemd_update_done_t)
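Review bot: the two calls for systemd_tmpfiles_t are inserted in the middle of the systemd_update_done_t section (the surrounding context lines, `seutil_read_file_contexts(systemd_update_done_t)` and `systemd_log_parse_environment(systemd_update_done_t)`, both concern that domain). Move them to the systemd_tmpfiles_t block earlier in systemd.te, next to the `allow systemd_tmpfiles_t ...` rules touched by the previous patch, so each domain's rules stay together.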
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
new file mode 100755
index 0000000..382a62c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+ 
+ /usr/bin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+-/usr/sbin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock             	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock             	--	gen_context(system_u:object_r:hwclock_exec_t,s0)
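Review bot: the unchanged `/usr/sbin/hwclock` entry is deleted and re-added with trailing spaces padding the path column; leave the original line as is and add only the new entries (`hwclock\.util-linux`, the busybox path, `/sbin/hwclock`) with tab alignment matching the rest of the file, so the diff shows only what actually changed.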
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100755
index 0000000..de9180a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,70 @@
+From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc:  denied  { search } for  pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { write } for  pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { add_name } for  pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { sendto } for  pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc:  denied  { create } for  pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc:  denied  { append } for  pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc:  denied  { getattr } for  pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 423db0cc..9ab03956 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -132,3 +132,4 @@ optional_policy(`
+ 
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
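Review bot: `allow getty_t initrc_t:unix_dgram_socket sendto;` is a raw rule on the init module's type placed in getty.te; refpolicy convention is to call the init module's interface for sending datagrams to init-owned sockets (if this tree provides one, prefer it) so the permission is maintained in one place. Since the denial is for the `/run/systemd/journal/dev-log` socket, the underlying issue is that the journal socket carries the initrc_t label; labelling it with the logging module's device-log type would let getty use the normal syslog send interface instead.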
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 98c2bd19..6a94ac12 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
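Review bot: widening `allow syslogd_t tmpfs_t:file` to `{ read write create getattr append open }` and adding `tmpfs_t:dir { search write add_name }` grants syslogd create/write access to the generic tmpfs_t type, which covers any unlabeled content on any tmpfs, not just `/var/volatile/log`. Every denial quoted in the message is for `/var/volatile/log` or `messages` inside it, so the narrower fix is to label that directory as the log type syslogd already manages (a file context entry plus a type transition from tmpfs_t for the directory), keeping the log files protected from other tmpfs users. If the tmpfs rules are kept, express them with the `manage_files_pattern` / `manage_dirs_pattern` macros rather than hand-listed permissions.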
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100755
index 0000000..5de6d0d
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg			--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
new file mode 100755
index 0000000..ab81b31
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -0,0 +1,27 @@
+From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 4ac3e733..1f453091 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh		--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ /usr/bin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
new file mode 100755
index 0000000..8346fcf
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,48 @@
+From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/sysnetwork.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index ac7c2dd1..4e441503 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
+ /usr/sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_configure		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/ipx_interface		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
+ /usr/sbin/iw			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /usr/sbin/pump			--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ 
++#
++# /usr/lib/busybox
++#
++/usr/lib/busybox/bin/ifconfig	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/bin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/sbin/mii-tool	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
+ #
+ # /var
+ #
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100755
index 0000000..9ec2e21
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 606ad517..2919c0bd 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
++/usr/libexec/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100755
index 0000000..fff816a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
+From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/rpm.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 578d465c..f2b8003a 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
+ /run/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_run_t,s0)
+ 
+ ifdef(`enable_mls',`
+-/usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/cpio		--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio		--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio.cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
++
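Review bot: `/usr/bin/cpio.cpio` has an unescaped `.`; file context paths are regular expressions, so this also matches names such as `cpioXcpio`, and the other alternative entries in this series escape the dot (`su\.shadow`, `blkid\.util-linux`). Use `/usr/bin/cpio\.cpio`. The hunk also appends an empty line after `')` at the end of the file, which only adds trailing whitespace and should be dropped.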
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
new file mode 100755
index 0000000..b26eeea
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -0,0 +1,26 @@
+From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/su.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c969..435a6892 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,3 +1,5 @@
+ /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow	--	gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux	--	gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100755
index 0000000..35676f8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/fstools.fc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 8fbd5ce4..d719e22c 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -58,6 +58,7 @@
+ /usr/sbin/addpart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +73,12 @@
+ /usr/sbin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -88,17 +91,20 @@
+ /usr/sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
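Review bot: the new `/usr/sbin/raw` entry uses fewer tabs than its neighbours, so the type column no longer lines up; match the alignment of the surrounding lines.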
+@@ -108,6 +114,12 @@
+ /usr/sbin/zstreamdump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ 
++/usr/lib/busybox/sbin/blkid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/fdisk	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/mkswap	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapoff	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapon	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++
+ /var/swap			--	gen_context(system_u:object_r:swapfile_t,s0)
+ 
+ /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
new file mode 100755
index 0000000..af24d90
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -0,0 +1,33 @@
+From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
+ object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 38ccfe3a..c892f547 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+ 
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+-- 
+2.19.1
+
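Review bot: `mls_trusted_object(syslogd_t)` in logging.te is broader than the stated goal: it marks every object of type syslogd_t (the daemon's sockets, fds and process) as writable from any MLS level, not only the `/dev/log` endpoint named in the comment. The commit message should say why a narrower exemption was not possible, and the inline comment should read "Other processes need to be able to connectto/sendto /dev/log".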
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100755
index 0000000..6dca744
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
+From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
+ /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 6 ++++++
+ policy/modules/system/logging.te | 2 ++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 0cf108e0..5bec7e99 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 7b7644f7..0c7268ff 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
++		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	can_exec($1, logfile)
+ ')
+ 
+@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	allow $1 var_log_t:dir list_dir_perms;
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',`
+ 
+ 	files_search_var($1)
+ 	manage_files_pattern($1, var_log_t, var_log_t)
++	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
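Review bot: the four identical `allow $1 var_log_t:lnk_file read_lnk_file_perms;` lines in logging.if are placed inconsistently: in `logging_read_all_logs`, `logging_exec_all_logs` and `logging_read_generic_logs` they sit between the dir rule and the pattern macro, while in `logging_manage_generic_logs` the rule is appended after `manage_files_pattern`. Keep one order, and consider `read_lnk_files_pattern($1, var_log_t, var_log_t)` to match the pattern-macro style of the surrounding lines. Note also that the rule is keyed on the type, so it covers any symlink of type var_log_t under /var/log, not only the /var/log link the commit message describes.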
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index c892f547..499a4552 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+2.19.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100755
index 0000000..a532316
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
+From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 10:33:18 -0400
+Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
+ /var/log
+
+We have added rules for the symlink of /var/log in logging.if, while
+syslogd_t uses /var/log but does not use the interfaces in logging.if. So
+still need add a individual rule for syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 499a4552..e6221a02 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
+ 
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ # for systemd but can not be conditional
+ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+-- 
+2.19.1
+
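Review bot: this one-line change to logging.te belongs in the preceding patch 0018, which already edits the same file for the same reason (the `auditd_t` and `audisp_remote_t` lnk_file rules); splitting it leaves 0018 incomplete on its own and makes the series harder to bisect. If it stays separate, the commit message needs a grammar pass ("so we still need to add an individual rule for syslogd_t").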
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
new file mode 100755
index 0000000..a494671
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -0,0 +1,36 @@
+From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
+ symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/domain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 1a55e3d2..babb794f 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
+ # list the root directory
+ files_list_root(domain)
+ 
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ ifdef(`hide_broken_symptoms',`
+ 	# This check is in the general socket
+ 	# listen code, before protocol-specific
+-- 
+2.19.1
+
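Review bot: `files_read_var_symlinks(domain)` in domain.te grants every domain in the policy read access to all var_t symlinks, a policy-wide relaxation placed in the kernel layer for a distro-specific filesystem layout. The message calls this "still a secure relax" because link targets still need their own rules, but reading a link still discloses its target path; if only the volatile-storage links are needed, restrict the rule to the types actually involved or guard it with a build-time ifdef the way the adjacent `ifdef(`hide_broken_symptoms',...)` block is guarded. The comment should also read "Yocto/oe-core uses some /var volatile links".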
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
new file mode 100755
index 0000000..aa61a80
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -0,0 +1,100 @@
+From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c3496c21..05b1734b 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+ # /tmp
+ #
+ /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.*				<<none>>
+ /tmp/\.journal			<<none>>
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f1c94411..eb067ad3 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
+ 	')
+ 
+ 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
+ 	')
+ 
+ 	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ 	')
+ 
+ 	manage_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ 	')
+ 
+ 	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
+ 	')
+ 
+ 	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+2.19.1
+
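Review bot: the `allow $1 tmp_t:lnk_file read_lnk_file_perms;` added to eight interfaces in files.if is keyed on the type, so it permits reading every tmp_t symlink inside /tmp, not only the /tmp link itself; interfaces such as `files_delete_tmp_dir_entry` and `files_tmp_filetrans` previously granted no read access on tmp_t objects at all, so the widening should be stated in their summaries. As in 0018, `read_lnk_files_pattern($1, tmp_t, tmp_t)` would match the macro style of the neighbouring `read_files_pattern` and `manage_files_pattern` lines.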
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
new file mode 100755
index 0000000..68235b1
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -0,0 +1,123 @@
+From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
+ to complete pty devices.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/terminal.if | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 61308843..a84787e6 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file getattr;
++	dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir search;
+ 	allow $1 devpts_t:chr_file ioctl;
++	allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+ 
+ ########################################
+@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	allow $1 devpts_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file setattr;
++	dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+ 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
+@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++	dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ #######################################
+@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file setattr;
++	allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+ 	gen_require(`
+ 		type devtty_t;
++		type bsdpty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
++	allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ #######################################
+-- 
+2.19.1
+
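Review bot: adding `bsdpty_device_t` to `term_setattr_controlling_term` and `term_use_controlling_term` in terminal.if changes what those interfaces mean: they currently cover the caller's controlling terminal via `devtty_t` (/dev/tty), whereas the new rules grant setattr and rw on every BSD pty node whether or not it is the controlling terminal. The generic-pty interfaces earlier in the same hunk are the natural home for bsdpty_device_t; if the controlling-term change is really required, update the interface summaries so callers know the scope grew.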
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
new file mode 100755
index 0000000..06f9207
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -0,0 +1,37 @@
+From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
+ term_dontaudit_use_console.
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/terminal.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index a84787e6..cf66da2f 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -335,9 +335,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
++		type tty_device_t;
+ 	')
+ 
++	init_dontaudit_use_fds($1)
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
+-- 
+2.19.1
+
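Review bot: `init_dontaudit_use_fds($1)` inside `term_dontaudit_use_console` makes terminal.if (kernel layer) depend on the init module in the system layer; refpolicy keeps the kernel layer free of such upward dependencies, so either move the call to the callers or wrap it in `optional_policy`. The added `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` also silences denials on all tty devices from an interface named for the console, which the interface summary should state.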
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
new file mode 100755
index 0000000..01f6c8b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+-- 
+2.19.1
+
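Review bot: the subject says "allow nfsd to exec shell commands", but the only change in rpc.te is uncommenting `kernel_mounton_proc(nfsd_t)`, which lets nfsd_t mount on proc; nothing here grants shell execution. Either the subject or the diff is wrong, and the message should say why upstream had the line commented out and which denial motivated re-enabling it (the patch is tagged Inappropriate [only for Poky], so it needs a stated Poky-specific reason).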
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
new file mode 100755
index 0000000..78a4328
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -0,0 +1,77 @@
+From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
+ nfsd_fs_t.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/filesystem.te | 1 +
+ policy/modules/kernel/kernel.te     | 2 ++
+ policy/modules/services/rpc.te      | 5 +++++
+ policy/modules/services/rpcbind.te  | 5 +++++
+ 4 files changed, 13 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 41037951..b341ba83 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type nsfs_t;
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 8e958074..7b81c732 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ 	# Bugzilla 222337
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index d4209231..a2327b44 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ optional_policy(`
+ 	mount_exec(nfsd_t)
++	# Should domtrans to mount_t while mounting nfsd_fs_t.
++	mount_domtrans(nfsd_t)
++	# nfsd_t need to chdir to /var/lib/nfs and read files.
++	files_list_var(nfsd_t)
++	rpc_read_nfs_state_data(nfsd_t)
+ ')
+ 
+ ########################################
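Review bot: `mount_domtrans(nfsd_t)` in rpc.te makes the existing `mount_exec(nfsd_t)` on the line above redundant, since the domtrans interface already allows executing mount_exec_t and now transitions into mount_t instead of running mount in nfsd_t; drop `mount_exec` or explain why both are needed. `files_list_var(nfsd_t)` and `rpc_read_nfs_state_data(nfsd_t)` do not depend on the mount module and should sit outside this `optional_policy` block with the other nfsd_t rules.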
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 5914af99..2055c114 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
+ 
+ miscfiles_read_localization(rpcbind_t)
+ 
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+-- 
+2.19.1
+
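Review bot: the MLS additions in kernel.te (`mls_socket_write_all_levels(kernel_t)`, `mls_fd_use_all_levels(kernel_t)`) are not mentioned in the commit message, which only talks about mounting nfsd_fs_t; state which denials they fix. In rpcbind.te, `mls_socket_read_all_levels` and `mls_socket_write_all_levels` exempt rpcbind_t from MLS constraints on all socket classes, which is wider than the nfsd_t-to-rpcbind_t unix_stream_socket case the comment describes; the comment also has a typo ("because they are running at different levels").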
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
new file mode 100755
index 0000000..257395a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
++
+ 	allow $1 security_t:filesystem mount;
+ ')
+ 
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
++
+ 	allow $1 security_t:filesystem remount;
+ ')
+ 
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+ 	')
+ 
+ 	allow $1 security_t:filesystem unmount;
++
++	dev_getattr_sysfs($1)
++	dev_search_sysfs($1)
+ ')
+ 
+ ########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+ 	')
+ 
+ 	dontaudit $1 security_t:dir getattr;
++	dev_dontaudit_getattr_sysfs($1)
++	dev_dontaudit_search_sysfs($1)
+ ')
+ 
+ ########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ ')
+ 
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_getattr_sysfs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ 	dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+ 		bool secure_mode_policyload;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+ 		type security_t;
+ 	')
+ 
++	dev_dontaudit_search_sysfs($1)
+ 	dontaudit $1 security_t:dir list_dir_perms;
+ 	dontaudit $1 security_t:file rw_file_perms;
+ 	dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 self:netlink_selinux_socket create_socket_perms;
+ 	allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+ 		type security_t;
+ 	')
+ 
++	dev_getattr_sysfs($1)
+ 	dev_search_sysfs($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file rw_file_perms;
+-- 
+2.19.1
+
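Review bot: `Upstream-Status: Inappropriate [only for Poky]` does not fit this change: the selinuxfs mount point moving to /sys/fs/selinux is kernel-wide, and the unchanged context lines show upstream already calls `dev_search_sysfs($1)` in `selinux_read_policy` and the boolean interfaces, so the missing `dev_getattr_sysfs` calls are upstream material (Pending or Submitted). Two consistency points in selinux.if: `selinux_unmount_fs` appends the sysfs calls after the `allow ... unmount` rule while the mount and remount interfaces put them before it, and `selinux_dontaudit_getattr_dir` now also dontaudits sysfs search, which is more than its name promises.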
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
new file mode 100755
index 0000000..23226a0
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,31 @@
+From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
+type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/roles/sysadm.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 2ae952bf..d781378f 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -945,6 +945,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpcbind_stream_connect(sysadm_t)
+ 	rpcbind_admin(sysadm_t, sysadm_r)
+ ')
+ 
+-- 
+2.19.1
+
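Review bot: the quoted AVC does not match the fix in sysadm.te: the denied `connectto` has scontext `rpcbind_t` and tcontext `rpcbind_t`, so rpcinfo was already running in rpcbind_t when it was refused, while `rpcbind_stream_connect(sysadm_t)` grants the connect to sysadm_t. Either include the audit record that shows sysadm_t being denied, or check the file context of /usr/sbin/rpcinfo; as written, the logged denial would recur after this patch.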
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
new file mode 100755
index 0000000..732eaaf
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -0,0 +1,45 @@
+From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
+ config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.if | 1 +
+ policy/modules/system/userdomain.if  | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 20024993..0fdc8c10 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
+ 	')
+ 
+ 	files_search_etc($1)
++	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 5221bd13..4cf987d1 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
+ 	logging_read_audit_config($1)
+ 
+ 	seutil_manage_bin_policy($1)
++	seutil_manage_default_contexts($1)
++	seutil_manage_file_contexts($1)
++	seutil_manage_module_store($1)
++	seutil_manage_config($1)
+ 	seutil_run_checkpolicy($1, $2)
+ 	seutil_run_loadpolicy($1, $2)
+ 	seutil_run_semanage($1, $2)
+-- 
+2.19.1
+
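Review bot: the commit message gives no denial or failing utility for either change; `manage_dirs_pattern` in `seutil_manage_config` and the four new `seutil_manage_*` calls in `userdom_security_admin_template` each widen what a security administrator may alter (default contexts, file contexts, the module store, the SELinux config tree), so list the tools that needed them. If the `seutil_manage_config` documentation only mentions files and links, it should now mention directories as well.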
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
new file mode 100755
index 0000000..14734b2
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+ file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 8a1688cc..a9930e9e 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+ 
++fs_getattr_all_fs(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_cgroup(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
+-- 
+2.19.1
+
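Review bot: fs_getattr_all_fs(setfiles_t) is a superset of the three narrower calls that follow it in the same hunk (fs_getattr_all_xattr_fs, fs_getattr_cgroup, fs_getattr_nfs), so either those three are now redundant and can be dropped, or the message should explain why statvfs in file_system_count() needs getattr on every filesystem type rather than only the xattr-capable ones setfiles can relabel. As written a reader cannot tell whether the broad call was the minimal fix or a convenience.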
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
new file mode 100755
index 0000000..aebdcb3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+ default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+ 
+ 	corecmd_search_bin($1)
+ 	can_exec($1, dmesg_exec_t)
++	dev_read_kmsg($1)
+ ')
+-- 
+2.19.1
+
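Review bot: placing dev_read_kmsg($1) inside the dmesg_exec interface widens every existing caller of it, not only the domain this fix was for: any domain allowed to execute dmesg in its own context now also gets read access to /dev/kmsg, which exposes the kernel ring buffer (kernel addresses, hardware and driver details) regardless of whether that caller needed it. Prefer granting dev_read_kmsg in the specific calling domains, or through a separate interface, so dmesg_exec keeps its documented meaning of "can execute dmesg". This patch also lacks the Upstream-Status line that the other patches in the series carry, and the message does not quote the denial it fixes.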
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
new file mode 100755
index 0000000..afba90f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -0,0 +1,41 @@
+From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
+ mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
+   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
+root@localhost:~#
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/ftp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
+index 29bc077c..d582cf80 100644
+--- a/policy/modules/services/ftp.te
++++ b/policy/modules/services/ftp.te
+@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+2.19.1
+
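Review bot: mls_file_write_all_levels(ftpd_t) makes the entire ftpd domain MLS-trusted for writing files at any sensitivity level, which is far broader than the denial in the message justifies: the AVCs show a single dir write/add_name of proftpd.delay into var_run_t labelled s0-s15:c0.c1023 from a subject at s15:c0.c1023. A narrower fix is to give the daemon's runtime file its own ftpd-owned var_run type via a pid filetrans, and if a ranged directory write is still required, to use the least MLS privilege that satisfies the constraint (the subject level dominates the low end and is dominated by the high end of the target range, which is what the write-within-range attribute covers) rather than the all-levels attribute. If the broad attribute is kept on purpose, the message should say so, because it removes MLS write-down protection for everything ftpd_t can reach. Placement is also off: the rule is inserted between ftpdctl_tmp_t and the sftpd_t declarations instead of next to the other ftpd_t rules.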
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
new file mode 100755
index 0000000..ced90be
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -0,0 +1,32 @@
+From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 12 Jun 2015 19:37:52 +0530
+Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
+ rules
+
+It provide, the systemd support related allow rules
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f7635d6f..2e6b57a6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1418,3 +1418,8 @@ optional_policy(`
+ 	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ 	userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
+-- 
+2.19.1
+
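Review bot: the three raw allow rules reference types owned by other modules (kernel_t, devpts_t, device_t) directly from init.te; refpolicy's layering requires cross-module access to go through the owning module's interfaces in kernel.if, terminal.if and devices.if, and a direct allow will break if those types are ever renamed or made private. The rules are also unconditional while the comment calls them "systemd related"; init.te already has an ifdef(`init_systemd',` block (see patch 0033 below), so they belong inside it. The dyntransition rule deserves its own justification: it lets kernel_t change into init_t without an exec, bypassing the entrypoint check a normal domain transition provides. The message "It provide, the systemd support related allow rules" should instead name the denial each of the three rules fixes.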
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
new file mode 100755
index 0000000..09a16fb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -0,0 +1,67 @@
+From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 5 Apr 2019 11:53:28 -0400
+Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
+
+init and locallogin modules have a depend for sysadm module because
+they have called sysadm interfaces(sysadm_shell_domtrans). Since
+sysadm is not a core module, we could make the sysadm_shell_domtrans
+calls optionally by optional_policy.
+
+So, we could make the minimum policy without sysadm module.
+
+Upstream-Status: pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te       | 16 +++++++++-------
+ policy/modules/system/locallogin.te |  4 +++-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 2e6b57a6..d8696580 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -448,13 +448,15 @@ ifdef(`init_systemd',`
+ 		modutils_domtrans(init_t)
+ 	')
+ ',`
+-	tunable_policy(`init_upstart',`
+-		corecmd_shell_domtrans(init_t, initrc_t)
+-	',`
+-		# Run the shell in the sysadm role for single-user mode.
+-		# causes problems with upstart
+-		ifndef(`distro_debian',`
+-			sysadm_shell_domtrans(init_t)
++	optional_policy(`
++		tunable_policy(`init_upstart',`
++			corecmd_shell_domtrans(init_t, initrc_t)
++		',`
++			# Run the shell in the sysadm role for single-user mode.
++			# causes problems with upstart
++			ifndef(`distro_debian',`
++				sysadm_shell_domtrans(init_t)
++			')
+ 		')
+ 	')
+ ')
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index a56f3d1f..4c679ff3 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+ 
+-sysadm_shell_domtrans(sulogin_t)
++optional_policy(`
++	sysadm_shell_domtrans(sulogin_t)
++')
+ 
+ # by default, sulogin does not use pam...
+ # sulogin_pam might need to be defined otherwise
+-- 
+2.19.1
+
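Review bot: in the init.te hunk the optional_policy wraps the whole tunable_policy(`init_upstart' block, so the corecmd_shell_domtrans(init_t, initrc_t) branch, which does not depend on the sysadm module at all, is also dropped when sysadm is absent; wrapping only the sysadm_shell_domtrans(init_t) call, the way the locallogin.te hunk does for sulogin_t, keeps the upstart path intact in a minimum build. Minor: "Upstream-Status: pending" should be capitalised "Pending" to match the other patches and the recognised status keywords.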
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
new file mode 100755
index 0000000..03b1439
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -0,0 +1,33 @@
+From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
+ /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 15c4ea53..596370b1 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+ 
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+-- 
+2.19.1
+
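Review bot: read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) names var_log_t directly in apache.te, but that type belongs to the logging module and should be reached through a logging.if interface. The message says patch 0018 in this series already added rules for the /var/log symlink in logging.if; exposing or reusing that interface here avoids a second copy of the same rule, and since this patch is marked Upstream-Status: Inappropriate [only for Poky] it will be carried locally across refpolicy updates, which is one more reason to keep it to a single interface call rather than a pattern on another module's type.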
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
new file mode 100755
index 0000000..062727b7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
@@ -0,0 +1,11 @@
+SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+"
+
+POLICY_TYPE = "mcs"
+
+include refpolicy_${PV}.inc
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_git.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_git.bb
new file mode 100755
index 0000000..062727b7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mcs_git.bb
@@ -0,0 +1,11 @@
+SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MCS support. \
+An MCS policy is the same as an MLS policy but with only one sensitivity \
+level. This is useful on systems where a hierarchical policy (MLS) isn't \
+needed (pretty much all systems) but the non-hierarchical categories are. \
+"
+
+POLICY_TYPE = "mcs"
+
+include refpolicy_${PV}.inc
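Review bot: refpolicy-mcs_git.bb is byte-identical to refpolicy-mcs_2.20190201.bb (both carry blob index 062727b7), and the same holds for the mls (7388232), standard (3674fdd) and targeted (1ecdb4e) pairs further down in this change. Moving the shared SUMMARY, DESCRIPTION and POLICY_TYPE into one refpolicy-<variant>.inc per variant and leaving only the version-specific include in the versioned and git recipes keeps the two copies from drifting apart. Also, since this git recipe does "include refpolicy_${PV}.inc", please confirm that the matching refpolicy_git.inc (or whatever PV the git recipe resolves to) is provided by this change.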
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
new file mode 100755
index 0000000..01c9fc0
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -0,0 +1,91 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+CORE_POLICY_MODULES = "unconfined \
+	selinuxutil \
+	storage \
+	sysnetwork \
+	application \
+	libraries \
+	miscfiles \
+	logging \
+	userdomain \
+	init \
+	mount \
+	modutils \
+	getty \
+	authlogin \
+	locallogin \
+	"
+#systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+# sysnetwork requires type definitions (insmod_t, consoletype_t,
+# hostname_t, ping_t, netutils_t) from modules:
+EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
+
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+	POL_PRIORITY=100
+	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+	# Prepare to create policy store
+	mkdir -p ${POL_STORE}
+	mkdir -p ${POL_ACTIVE_MODS}
+
+	# get hll type from suffix on base policy module
+	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+	for i in base ${POLICY_MODULES_MIN}; do
+		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+		MOD_DIR=${POL_ACTIVE_MODS}/${i}
+		mkdir -p ${MOD_DIR}
+		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+
+		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+		else
+			bunzip2 --stdout ${MOD_FILE} | \
+				${HLL_BIN} | \
+				bzip2 --stdout > ${MOD_DIR}/cil
+		fi
+		cp ${MOD_FILE} ${MOD_DIR}/hll
+	done
+}
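Review bot: the prepare_policy_store loop has no existence check on ${MOD_FILE}: if a module listed in POLICY_MODULES_MIN was turned off via PURGE_POLICY_MODULES or otherwise not built, "bzip2 -t" fails, the code takes the not-yet-compressed branch, "${HLL_BIN} ${MOD_FILE}" fails but its status is hidden by the pipe into bzip2 (no pipefail), an empty cil file is written, and only the final cp fails with a message about the destination rather than the missing module. A guard such as [ -f "${MOD_FILE}" ] || bbfatal "policy module ${i} not built" before the mkdir gives a clear failure. Two smaller points: modutils appears in both CORE_POLICY_MODULES and EXTRA_POLICY_MODULES, so it is processed twice (harmless, but the comment above EXTRA_POLICY_MODULES makes it look deliberate); and EXTRA_POLICY_MODULES is only ever appended with += and never initialised, which works in BitBake but leaves a leading space and makes the intended base value unclear.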
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_git.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_git.bb
new file mode 100755
index 0000000..3b3ca15
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -0,0 +1,92 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+CORE_POLICY_MODULES = "unconfined \
+	selinuxutil \
+	storage \
+	sysnetwork \
+	application \
+	libraries \
+	miscfiles \
+	logging \
+	userdomain \
+	init \
+	mount \
+	modutils \
+	getty \
+	authlogin \
+	locallogin \
+	"
+#systemd dependent policy modules
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+# sysnetwork requires type definitions (insmod_t, consoletype_t,
+# hostname_t, ping_t, netutils_t) from modules:
+EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
+
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+# re-write the same func from refpolicy_common.inc
+prepare_policy_store () {
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+	POL_PRIORITY=100
+	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+	# Prepare to create policy store
+	mkdir -p ${POL_STORE}
+	mkdir -p ${POL_ACTIVE_MODS}
+
+	# get hll type from suffix on base policy module
+	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+	for i in base ${POLICY_MODULES_MIN}; do
+		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+		MOD_DIR=${POL_ACTIVE_MODS}/${i}
+		mkdir -p ${MOD_DIR}
+		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+
+		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+		else
+			bunzip2 --stdout ${MOD_FILE} | \
+				${HLL_BIN} | \
+				bzip2 --stdout > ${MOD_DIR}/cil
+		fi
+		cp ${MOD_FILE} ${MOD_DIR}/hll
+	done
+}
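Review bot: this file duplicates refpolicy-minimum_2.20190201.bb except for one extra blank line before POLICY_MODULES_MIN, so the missing ${MOD_FILE} existence check in prepare_policy_store and the doubled modutils entry apply here as well; a shared refpolicy-minimum.inc holding the module lists and the store function would mean fixing them once.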
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
new file mode 100755
index 0000000..7388232
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
@@ -0,0 +1,10 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+
+POLICY_TYPE = "mls"
+
+include refpolicy_${PV}.inc
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb
new file mode 100755
index 0000000..7388232
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb
@@ -0,0 +1,10 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+
+POLICY_TYPE = "mls"
+
+include refpolicy_${PV}.inc
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
new file mode 100755
index 0000000..3674fdd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
@@ -0,0 +1,8 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+
+POLICY_TYPE = "standard"
+
+include refpolicy_${PV}.inc
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb
new file mode 100755
index 0000000..3674fdd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb
@@ -0,0 +1,8 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+
+POLICY_TYPE = "standard"
+
+include refpolicy_${PV}.inc
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
new file mode 100755
index 0000000..1ecdb4e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
@@ -0,0 +1,35 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SYSTEMD_REFPOLICY_PATCHES = " \
+	file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+	file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+	file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+	file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+	file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+	file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+	file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+	file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+	file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+	"
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+	file://0001-fix-update-alternatives-for-sysvinit.patch \
+	"
+
+SRC_URI += " \
+	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+	"
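Review bot: FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" is set here and then refpolicy_${PV}.inc (further down in this change) prepends "${THISDIR}/refpolicy-2.20190201:" again, so for this versioned recipe the same directory is added twice; one of the two can go. The SYSTEMD_REFPOLICY_PATCHES entries are all named 0001-refpolicy-minimum-... although they are applied to the targeted policy (and to minimum only through its include of this file), which is misleading when reading the patch directory; renaming them to a neutral prefix, or a comment explaining that targeted is the base for minimum, would help.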
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_git.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_git.bb
new file mode 100755
index 0000000..1ecdb4e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -0,0 +1,35 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SYSTEMD_REFPOLICY_PATCHES = " \
+	file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+	file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+	file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+	file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+	file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+	file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+	file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+	file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+	file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+	"
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+	file://0001-fix-update-alternatives-for-sysvinit.patch \
+	"
+
+SRC_URI += " \
+	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+	"
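Review bot: in the git variant FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" expands with the git recipe's PV, which is not 2.20190201, so the nine SYSTEMD_REFPOLICY_PATCHES and the sysvinit patch listed here will only be found if a directory with that git-derived name exists or another path provides them; please confirm which directory is meant to serve the git recipe, as this file is otherwise an exact copy of refpolicy-targeted_2.20190201.bb (same blob index 1ecdb4e).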
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_2.20190201.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_2.20190201.inc
new file mode 100755
index 0000000..4030b36
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -0,0 +1,9 @@
+SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2"
+SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
+SRC_URI[sha256sum] = "ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843"
+
+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
+
+include refpolicy_common.inc
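Review bot: FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:" hard-codes a version that is already part of this file's name; using ${PV} keeps the patch directory in step on a version bump, whereas copying this .inc to a new version would otherwise keep pulling patches from the old directory silently. The md5sum line is redundant next to the sha256sum and can be dropped; a single strong checksum is what the fetcher verifies.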
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_common.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_common.inc
new file mode 100755
index 0000000..1d9ca93
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_common.inc
@@ -0,0 +1,242 @@
+DEFAULT_ENFORCING ??= "enforcing"
+
+SECTION = "admin"
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+PROVIDES += "virtual/refpolicy"
+RPROVIDES_${PN} += "refpolicy"
+
+# Specific config files for Poky
+SRC_URI += "file://customizable_types  \
+	    file://setrans-mls.conf  \
+	    file://setrans-mcs.conf  \
+	   "
+
+# Base patches applied to all Yocto-based platforms.  Your own version of
+# refpolicy should provide a version of these and place them in your own
+# refpolicy-${PV} directory.
+SRC_URI += " \
+	file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+	file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+	file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
+	file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+	file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+	file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+	file://0007-fc-login-apply-login-context-to-login.shadow.patch \
+	file://0008-fc-bind-fix-real-path-for-bind.patch \
+	file://0009-fc-hwclock-add-hwclock-alternatives.patch \
+	file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+	file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+	file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
+	file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+	file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+	file://0015-fc-su-apply-policy-to-su-alternatives.patch \
+	file://0016-fc-fstools-fix-real-path-for-fstools.patch \
+	file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
+	file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
+	file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
+	file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
+	file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
+	file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
+	file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
+	file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
+	file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
+	file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
+	file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
+	file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
+	file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
+	file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
+	file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
+	file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
+	file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
+	file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+   "
+
+S = "${WORKDIR}/refpolicy"
+
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+FILES_${PN} += " \
+	${sysconfdir}/selinux/${POLICY_NAME}/ \
+	${datadir}/selinux/${POLICY_NAME}/*.pp \
+	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+	"
+FILES_${PN}-dev =+ " \
+        ${datadir}/selinux/${POLICY_NAME}/include/ \
+        ${sysconfdir}/selinux/sepolgen.conf \
+"
+
+EXTRANATIVEPATH += "bzip2-native"
+
+DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+
+RDEPENDS_${PN}-dev =+ " \
+        python3-core \
+"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit python3native
+
+PARALLEL_MAKE = ""
+
+POLICY_NAME ?= "${POLICY_TYPE}"
+POLICY_DISTRO ?= "redhat"
+POLICY_UBAC ?= "n"
+POLICY_UNK_PERMS ?= "allow"
+POLICY_DIRECT_INITRC ?= "n"
+POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}"
+POLICY_MONOLITHIC ?= "n"
+POLICY_CUSTOM_BUILDOPT ?= ""
+POLICY_QUIET ?= "y"
+POLICY_MLS_SENS ?= "16"
+POLICY_MLS_CATS ?= "1024"
+POLICY_MCS_CATS ?= "1024"
+
+EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
+	TYPE=${POLICY_TYPE} \
+	DISTRO=${POLICY_DISTRO} \
+	UBAC=${POLICY_UBAC} \
+	UNK_PERMS=${POLICY_UNK_PERMS} \
+	DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+	SYSTEMD=${POLICY_SYSTEMD} \
+	MONOLITHIC=${POLICY_MONOLITHIC} \
+	CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+	QUIET=${POLICY_QUIET} \
+	MLS_SENS=${POLICY_MLS_SENS} \
+	MLS_CATS=${POLICY_MLS_CATS} \
+	MCS_CATS=${POLICY_MCS_CATS}"
+
+EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
+EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
+EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
+
+python __anonymous () {
+    import re
+
+    # make sure DEFAULT_ENFORCING is something sane
+    if not re.match('^(enforcing|permissive|disabled)$',
+                    d.getVar('DEFAULT_ENFORCING'),
+                    flags=0):
+        d.setVar('DEFAULT_ENFORCING', 'permissive')
+}
+
+disable_policy_modules () {
+	for module in ${PURGE_POLICY_MODULES} ; do
+		sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+	done
+}
+
+do_compile() {
+	if [ -f "${WORKDIR}/modules.conf" ] ; then
+		cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+	fi
+	oe_runmake conf
+	disable_policy_modules
+	oe_runmake policy
+}
+
+prepare_policy_store () {
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+	POL_PRIORITY=100
+	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+	# Prepare to create policy store
+	mkdir -p ${POL_STORE}
+	mkdir -p ${POL_ACTIVE_MODS}
+
+	# get hll type from suffix on base policy module
+	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+	for i in ${POL_SRC}/*.${HLL_TYPE}; do
+		MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+		MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+		mkdir -p ${MOD_DIR}
+		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+		if ! bzip2 -t $i >/dev/null 2>&1; then
+			${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+			bzip2 -f $i && mv -f $i.bz2 $i
+		else
+			bunzip2 --stdout $i | \
+				${HLL_BIN} | \
+				bzip2 --stdout > ${MOD_DIR}/cil
+		fi
+		cp $i ${MOD_DIR}/hll
+	done
+}
+
+rebuild_policy () {
+	cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+module-store = direct
+[setfiles]
+path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
+args = -q -c \$@ \$<
+[end]
+[sefcontext_compile]
+path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
+args = \$@
+[end]
+
+policy-version = 31
+EOF
+
+	# Create policy store and build the policy
+	semodule -p ${D} -s ${POLICY_NAME} -n -B
+	rm -f ${D}${sysconfdir}/selinux/semanage.conf
+	# no need to leave final dir created by semanage laying around
+	rm -rf ${D}${localstatedir}/lib/selinux/final
+}
+
+install_misc_files () {
+	cat ${WORKDIR}/customizable_types >> \
+		${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+
+	# install setrans.conf for mls/mcs policy
+	if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+		install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+			${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+	fi
+
+	# install policy headers
+	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+}
+
+install_config () {
+	echo "\
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=${DEFAULT_ENFORCING}
+# SELINUXTYPE= can take one of these values:
+#     minimum - Minimum Security protection.
+#     standard - Standard Security protection.
+#     mls - Multi Level Security protection.
+#     targeted - Targeted processes are protected.
+#     mcs - Multi Category Security protection.
+SELINUXTYPE=${POLICY_NAME}
+" > ${WORKDIR}/config
+	install -d ${D}/${sysconfdir}/selinux
+	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+}
+
+do_install () {
+	prepare_policy_store
+	rebuild_policy
+	install_misc_files
+	install_config
+}
+
+do_install_append(){
+	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+}
+
+sysroot_stage_all_append () {
+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
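Review bot: the DEFAULT_ENFORCING check in the anonymous Python function silently rewrites any unrecognised value to `permissive`, so a typo such as `DEFAULT_ENFORCING = "enforcng"` in a distro config produces an image that does not enforce policy with nothing in the build log to say so; call `bb.warn()` (or `bb.fatal()`) before falling back. The same function passes `d.getVar('DEFAULT_ENFORCING')` straight to `re.match`, which raises `TypeError` when the variable is unset, so the fallback never runs in that case; read it as `d.getVar('DEFAULT_ENFORCING') or ''`, and drop the no-op `flags=0`. Smaller points in the same hunk: `policy-version = 31` in the temporary semanage.conf is a literal that must match the target kernel and is repeated in libsemanage.inc, so make it one variable; `HLL_TYPE=$(echo ${POL_SRC}/base.* | awk ...)` prints the last dot-separated field of the whole line, so it gives a wrong answer if more than one `base.*` file exists, and should match a single file; and `${D}/${sysconfdir}` in install_config carries a doubled slash.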
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_git.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_git.inc
new file mode 100755
index 0000000..8de07c0
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/refpolicy/refpolicy_git.inc
@@ -0,0 +1,11 @@
+PV = "2.20190201+git${SRCPV}"
+
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
+
+SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
+
+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
+
+include refpolicy_common.inc
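Review bot: `protocol=git` in SRC_URI fetches over the unauthenticated git:// transport. The pinned SRCREV means a tampered fetch cannot silently substitute a different tree, but GitHub no longer serves git://, so the fetch will simply fail; use `protocol=https`. Also note that `UPSTREAM_CHECK_GITTAGREGEX` tracks RELEASE tags while the recipe pins a master commit, so the upstream version check will report a tag that does not correspond to the tree actually built; either pin a release tag or document why master is used.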
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy.inc
new file mode 100755
index 0000000..1d84ebb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy.inc
@@ -0,0 +1,22 @@
+SUMMARY = "SELinux policy compiler"
+DESCRIPTION = "\
+This package contains checkpolicy, the SELinux policy compiler. Only \
+required for building policies. It uses libsepol to generate the \
+binary policy. checkpolicy uses the static libsepol since it deals \
+with low level details of the policy that have not been \
+encapsulated/abstracted by a proper shared library interface."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+DEPENDS += "libsepol bison-native flex-native"
+
+EXTRA_OEMAKE += "LEX='flex'"
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+do_install_append() {
+	install test/dismod ${D}/${bindir}/sedismod
+	install test/dispol ${D}/${bindir}/sedispol
+}
+
+BBCLASSEXTEND = "native"
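Review bot: the two `install` calls in do_install_append rely on install's default mode and on the destination directory already existing, and `${D}/${bindir}` carries a doubled slash; write them as `install -d ${D}${bindir}` followed by `install -m 0755 test/dismod ${D}${bindir}/sedismod` and the same for dispol so the intent is explicit. A one-line comment saying why the dismod/dispol test tools are installed under the renamed sedismod/sedispol names would also help the next reader of this file.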
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy/0001-checkpolicy-remove-unused-te_assertions.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy/0001-checkpolicy-remove-unused-te_assertions.patch
new file mode 100755
index 0000000..61c301e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy/0001-checkpolicy-remove-unused-te_assertions.patch
@@ -0,0 +1,45 @@
+From 95d8f16ece96829109eb75a605b1459a25b5a6be Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 23 Jan 2020 13:57:15 +0100
+Subject: [PATCH] checkpolicy: remove unused te_assertions
+
+This variable is declared in a header file, but never defined or used.
+The te_assert structure definition is only used in this declaration, so
+remove both.
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/4d330d0d3155211f119b3082f728ae42dcc01e96]
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ checkpolicy/checkpolicy.h | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/checkpolicy.h b/checkpolicy.h
+index 3868f1fa023b..f127687e72a6 100644
+--- a/checkpolicy.h
++++ b/checkpolicy.h
+@@ -1,20 +1,6 @@
+ #ifndef _CHECKPOLICY_H_
+ #define _CHECKPOLICY_H_
+ 
+-#include <sepol/policydb/ebitmap.h>
+-
+-typedef struct te_assert {
+-	ebitmap_t stypes;
+-	ebitmap_t ttypes;
+-	ebitmap_t tclasses;
+-	int self;
+-	sepol_access_vector_t *avp;
+-	unsigned long line;
+-	struct te_assert *next;
+-} te_assert_t;
+-
+-te_assert_t *te_assertions;
+-
+ extern unsigned int policyvers;
+ 
+ #endif
+-- 
+2.24.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy_3.0.bb
new file mode 100755
index 0000000..50d6217
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/checkpolicy_3.0.bb
@@ -0,0 +1,11 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "b7c5547b95ce855bcdc10cb8adba8223"
+SRC_URI[sha256sum] = "c88c719a141dd5c1202d49c378c7f063349d630522d5e04dc6e0c53da81aa4f8"
+
+SRC_URI += "\
+       file://0001-checkpolicy-remove-unused-te_assertions.patch \
+"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python.inc
new file mode 100755
index 0000000..3760fd8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python.inc
@@ -0,0 +1,41 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions.  Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:"
+
+inherit python3native
+
+DEPENDS += "python3 swig-native libpcre libsepol"
+RDEPENDS_${PN} += "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+    import re
+    target = d.getVar('TARGET_ARCH')
+    p = re.compile('i.86')
+    target = p.sub('i386',target)
+    return "ARCH=%s" % (target)
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES_${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+INSANE_SKIP_${PN} = "dev-so"
+
+do_compile() {
+    oe_runmake pywrap -j1 \
+            PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+            PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+            PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+    oe_runmake install-pywrap \
+            DESTDIR=${D} \
+            PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+            PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+}
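Review bot: `get_policyconfigarch` and the two `EXTRA_OEMAKE` lines after it are a verbatim copy of the same block in libselinux.inc; move them into a shared include so the i.86 to i386 ARCH mapping and the `-lpcre`/`LIBSEPOLA` settings are fixed in one place. `INSANE_SKIP_${PN} = "dev-so"` is needed because the `_selinux*.so` extension module is shipped in the main package rather than a -dev package, and a comment saying so would save the next reader a check. The `-j1` on `oe_runmake pywrap` also deserves a comment stating which race it works around, otherwise someone will remove it.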
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python_3.0.bb
new file mode 100755
index 0000000..3c03df1
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux-python_3.0.bb
@@ -0,0 +1,23 @@
+SELINUX_RELEASE = "20191204"
+
+SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/libselinux-${PV}.tar.gz"
+
+require ${BPN}.inc
+
+inherit python3targetconfig
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+SRC_URI[md5sum] = "b387a66f087b6d97713570e85ec89d89"
+SRC_URI[sha256sum] = "2ea2b30f671dae9d6b1391cbe8fb2ce5d36a3ee4fb1cd3c32f0d933c31b82433"
+
+SRC_URI += "\
+        file://libselinux-drop-Wno-unused-but-set-variable.patch \
+        file://libselinux-make-O_CLOEXEC-optional.patch \
+        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch \
+        file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+        file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
+        "
+S = "${WORKDIR}/libselinux-${PV}"
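Review bot: this recipe re-declares SELINUX_RELEASE and the full tarball SRC_URI instead of using `require selinux_20191204.inc` as libselinux_3.0.bb does, so the same tarball and checksums (the md5/sha256 values here match libselinux_3.0.bb) are now pinned in two places; use the shared include so a version bump cannot leave the Python bindings on a different tarball than the library they wrap. The patch list also differs from libselinux_3.0.bb: this one adds the two Python install-path patches, which is correct, but omits `0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch`, so the two recipes build the same source with different fixes applied; either carry the same list or note why the bindings do not need it.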
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux.inc
new file mode 100755
index 0000000..fe8c087
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux.inc
@@ -0,0 +1,24 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions.  Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+
+inherit lib_package python3native
+
+DEPENDS += "libsepol libpcre"
+DEPENDS_append_libc-musl = " fts"
+
+def get_policyconfigarch(d):
+    import re
+    target = d.getVar('TARGET_ARCH')
+    p = re.compile('i.86')
+    target = p.sub('i386',target)
+    return "ARCH=%s" % (target)
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
+
+BBCLASSEXTEND = "native"
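Review bot: `inherit python3native` here pulls a native Python into the dependency chain of the base library, while the Python bindings are built by the separate libselinux-python recipe; if nothing in the `all` and `install` targets invokes `$(PYTHON)`, drop it from this file and keep it only in libselinux-python.inc. The `get_policyconfigarch` function and the `EXTRA_OEMAKE` lines are duplicated verbatim in libselinux-python.inc and belong in one shared include.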
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
new file mode 100755
index 0000000..b7cd59d
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
@@ -0,0 +1,52 @@
+From 0d4da8093bc2ef92b7c6f7fd1f4804f6ebc6cb56 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 25 Oct 2019 13:37:14 +0200
+Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name
+
+PYCEXT is computed by asking the Python intrepreter what is the
+file extension used for native Python modules.
+
+Unfortunately, when cross-compiling, the host Python doesn't give the
+proper result: it gives the result matching the build machine, and not
+the target machine. Due to this, the symlink has an incorrect name,
+and doesn't point to the .so file that was actually built/installed.
+
+To address this and keep things simple, this patch just changes the ln
+invocation to rely on the name of the _selinux*.so Python module that
+was installed.
+
+[Upstream: https://github.com/SELinuxProject/selinux/pull/184]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+Upstream-Status: Denied [https://patchwork.kernel.org/patch/11212405/]
+
+[Refreshed for 3.0]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index a384a10..82adf82 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
+ PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
+ PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
+ PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
+-PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
+ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
+ RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
+ RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
+@@ -175,7 +174,7 @@ install: all
+ install-pywrap: pywrap
+ 	$(PYTHON) setup.py install --prefix=$(PREFIX) --root=$(DESTDIR) --install-lib=$(PYTHONLIBDIR)
+ 	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+-	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
++	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/
+ 
+ install-rubywrap: rubywrap
+ 	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
+-- 
+2.24.1
+
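Review bot: the header carries both `[Upstream: https://github.com/SELinuxProject/selinux/pull/184]` and `Upstream-Status: Denied [...]`, but no sentence saying why upstream rejected it or what the upstream-acceptable alternative is; add that so the patch is not resubmitted and so the next maintainer knows whether it can be dropped on a future bump. The replacement `ln -sf --relative .../selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/` depends on the glob matching exactly one file; if pywrap was not built the literal pattern is passed and `ln` fails loudly, which is acceptable, but the commit message should state that assumption.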
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch
new file mode 100755
index 0000000..f392f68
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch
@@ -0,0 +1,30 @@
+From 08f5e30177218fae7ce9f5c8d6856690126b2b30 Mon Sep 17 00:00:00 2001
+From: Ji Qin <jiqin.ji@huawei.com>
+Date: Sun, 14 Jun 2020 21:20:23 -0400
+Subject: [PATCH] libselinux: Fix NULL pointer use in
+ selinux_restorecon_set_sehandle
+
+error occur when selinux_restorecon_default_handle return NULL in
+restorecon_init.
+
+fixes: https://github.com/SELinuxProject/selinux/issues/249
+
+Signed-off-by: Ji Qin <jiqin.ji@huawei.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/selinux_restorecon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index d1ce830c5..6993be6fd 100644
+--- libselinux/src/selinux_restorecon.c
++++ libselinux/src/selinux_restorecon.c
+@@ -1154,6 +1154,8 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
+ 	size_t num_specfiles, fc_digest_len;
+ 
+ 	fc_sehandle = (struct selabel_handle *) hndl;
++	if (!fc_sehandle)
++		return;
+ 
+ 	/* Check if digest requested in selabel_open(3), if so use it. */
+ 	if (selabel_digest(fc_sehandle, &fc_digest, &fc_digest_len,
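Review bot: this patch has no `Upstream-Status:` tag, unlike every other patch in the series; the From line carries a commit hash and a Stephen Smalley Acked-by, so if that hash is the upstream commit this should be `Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/08f5e30177218fae7ce9f5c8d6856690126b2b30]` plus a Signed-off-by from whoever backported it, otherwise the layer's patch checks will flag it. The `---`/`+++` paths also keep the monorepo `libselinux/` component and lack the a/ b/ prefixes, so the patch applies at -p1 only because stripping `libselinux/` happens to yield `src/selinux_restorecon.c` inside the 3.0 tarball; regenerate it against the tarball layout so this does not break when the path is touched.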
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch
new file mode 100755
index 0000000..8308553
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch
@@ -0,0 +1,38 @@
+From 61bfcbffce32be51d712040c3f84293b78428184 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Aduskett@gmail.com>
+Date: Tue, 7 Apr 2020 13:53:05 -0700
+Subject: [PATCH] Fix building against musl and uClibc libc libraries.
+
+Currently, the src/Makefile provides the FTS_LDLIBS when building against musl
+or uClibc. However, this is missing from utils/Makefile, which causes linking
+to fail.
+
+Add the FTS_LDLIBS variable to the LDLIBS variable in utils/Makefile to fix
+compiling against uClibc and musl.
+
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/aa40067b7b86d5e4c951fccae1aa98baff148613]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ utils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/Makefile b/utils/Makefile
+index 3615063..a5632b7 100644
+--- a/utils/Makefile
++++ b/utils/Makefile
+@@ -45,7 +45,7 @@ endif
+ 
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+ override LDFLAGS += -L../src
+-override LDLIBS += -lselinux
++override LDLIBS += -lselinux $(FTS_LDLIBS)
+ PCRE_LDLIBS ?= -lpcre
+ 
+ ifeq ($(ANDROID_HOST),y)
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch
new file mode 100755
index 0000000..f0fee23
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch
@@ -0,0 +1,28 @@
+From 930514c1b93335ccf6d70adf46ca7e3f8183603d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 13 Apr 2020 12:44:23 +0800
+Subject: [PATCH] Makefile: fix python modules install path for multilib
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index b0ce2c8..a384a10 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -173,7 +173,7 @@ install: all
+ 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+ 
+ install-pywrap: pywrap
+-	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install --prefix=$(PREFIX) --root=$(DESTDIR) --install-lib=$(PYTHONLIBDIR)
+ 	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ 	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+ 
+-- 
+2.7.4
+
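Review bot: the removed line guarded `--root` with `test -n "$(DESTDIR)"` for a reason: passing `--root=` with an empty DESTDIR makes distutils' change_root() strip the leading slash from the absolute install paths, so a plain `make install-pywrap` with no DESTDIR installs into the current directory instead of $(PREFIX). Keep the guard and add only `--install-lib`, for example `$(PYTHON) setup.py install --prefix=$(PREFIX) --install-lib=$(PYTHONLIBDIR) \`test -n "$(DESTDIR)" && echo --root $(DESTDIR)\``. The recipes always set DESTDIR, so this is a correctness point for the patch rather than for this build, but a patch marked Inappropriate will be carried for a long time.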
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
new file mode 100755
index 0000000..25d4b24
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,33 @@
+From d0aaf391ab30b253aa22ef6547a039bcac840fc6 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:14:41 -0400
+Subject: [PATCH] libselinux: define FD_CLOEXEC as necessary
+
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+
+---
+ src/setrans_client.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/setrans_client.c b/src/setrans_client.c
+index fa188a8..a94f02c 100644
+--- a/src/setrans_client.c
++++ b/src/setrans_client.c
+@@ -39,6 +39,11 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
++#ifndef FD_CLOEXEC
++#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
++#define FD_CLOEXEC 1
++#endif
++
+ /*
+  * setransd_open
+  *
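Review bot: the fallback `#define FD_CLOEXEC 1` is reached only on a libc whose fcntl.h lacks the macro, and neither glibc nor musl (the only libcs this layer handles, per the `libc-musl` overrides in libselinux.inc) is in that position, so this 2013 patch is dead code that has to be refreshed on every libselinux bump. Drop it together with the O_CLOEXEC and SOCK_CLOEXEC patches unless a concrete target still needs them, and if one does, name it in the commit message instead of "truly old systems".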
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch
new file mode 100755
index 0000000..688b4e3
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch
@@ -0,0 +1,26 @@
+From 865b8c40b331235ce2c9df1fcbbb3876c9b79338 Mon Sep 17 00:00:00 2001
+From: Randy MacLeod <Randy.MacLeod@windriver.com>
+Date: Tue, 30 Apr 2013 17:28:34 -0400
+Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable
+
+Upstream status: Inappropriate [older compilers only]
+
+Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
+
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 2408fae..a89c0f7 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -96,7 +96,7 @@ PCRE_LDLIBS ?= -lpcre
+ 
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+ 
+-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
++SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-parameter \
+ 		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+ 
+ RANLIB ?= ranlib
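Review bot: the status tag is spelled `Upstream status:` rather than `Upstream-Status:`, and the layer's patch checks grep for the exact form, so this will be reported as untagged. The header's own justification is "older compilers only"; the toolchains this layer builds with accept `-Wno-unused-but-set-variable`, so the better fix is to drop the patch rather than keep refreshing it.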
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
new file mode 100755
index 0000000..1d6f3a7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,99 @@
+From 802d224953294463fa9bc793e46f664ecfea057a Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Fri, 11 Oct 2013 09:56:25 -0400
+Subject: [PATCH] libselinux: make O_CLOEXEC optional
+
+Various commits in the selinux tree in the current release added O_CLOEXEC
+to open() calls in an attempt to address file descriptor leaks as
+described:
+
+   http://danwalsh.livejournal.com/53603.html
+
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available.  The
+actual impact of leaking these file descriptors is minimal, though it does
+produce curious AVC Denied messages.
+
+Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+
+---
+ src/procattr.c  | 16 ++++++++++++++--
+ src/sestatus.c  |  8 +++++++-
+ src/stringrep.c |  8 +++++++-
+ 3 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index 48dd8af..8bf8432 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 		rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
+ 		if (rc < 0)
+ 			return -1;
+-		fd = open(path, flags | O_CLOEXEC);
++		fd = open(path, flags
++#ifdef O_CLOEXEC
++			  | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++			);
+ 		if (fd >= 0 || errno != ENOENT)
+ 			goto out;
+ 		free(path);
+@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 	if (rc < 0)
+ 		return -1;
+ 
+-	fd = open(path, flags | O_CLOEXEC);
++	fd = open(path, flags
++#ifdef O_CLOEXEC
++		  | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++		);
+ out:
+ 	free(path);
+ 	return fd;
+diff --git a/src/sestatus.c b/src/sestatus.c
+index ed29dc5..0cb15b6 100644
+--- a/src/sestatus.c
++++ b/src/sestatus.c
+@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
+ 		return -1;
+ 
+ 	snprintf(path, sizeof(path), "%s/status", selinux_mnt);
+-	fd = open(path, O_RDONLY | O_CLOEXEC);
++	fd = open(path, O_RDONLY
++#ifdef O_CLOEXEC
++             | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++             );
+ 	if (fd < 0)
+ 		goto error;
+ 
+diff --git a/src/stringrep.c b/src/stringrep.c
+index 2d83f96..17e9232 100644
+--- a/src/stringrep.c
++++ b/src/stringrep.c
+@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
+ 		struct stat m;
+ 
+ 		snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
+-		fd = open(path, O_RDONLY | O_CLOEXEC);
++		fd = open(path, O_RDONLY
++#ifdef O_CLOEXEC
++                | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++                );
+ 		if (fd < 0)
+ 			goto err4;
+ 
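Review bot: the `#else` branches in procattr.c, sestatus.c and stringrep.c fall back to opening the /proc/*/attr files and selinuxfs without close-on-exec, which is exactly the descriptor leak the upstream commits fixed, and the header's own Upstream-Status line says O_CLOEXEC has been in Linux since 2007 and POSIX since 2008. For a security layer, a patch whose only effect is to reintroduce that leak on a hypothetical platform is the wrong trade; drop it. If a pre-2008 libc really must be supported, the fallback should at least follow each `open()` with `fcntl(fd, F_SETFD, FD_CLOEXEC)` so the exposure is a small race rather than a permanent leak, instead of only emitting a `#warning` at compile time.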
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
new file mode 100755
index 0000000..77a9136
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
@@ -0,0 +1,38 @@
+From e630805d15a3b8d09330353f87a7e4a9fcc9998a Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:07:43 -0400
+Subject: [PATCH] libselinux: make SOCK_CLOEXEC optional
+
+libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
+before using it, however libselinux/src/avc_internal.c does not.  Since
+SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
+platforms, we need to ensure we protect the references it it in the same
+way.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+
+---
+ src/avc_internal.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/avc_internal.c b/src/avc_internal.c
+index 49cecc9..148cc83 100644
+--- a/src/avc_internal.c
++++ b/src/avc_internal.c
+@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
+ 	int len, rc = 0;
+ 	struct sockaddr_nl addr;
+ 
+-	fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
++	fd = socket(PF_NETLINK, SOCK_RAW
++#ifdef SOCK_CLOEXEC
++               | SOCK_CLOEXEC
++#else
++#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++               , NETLINK_SELINUX);
+ 	if (fd < 0) {
+ 		rc = fd;
+ 		goto out;
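Review bot: same concern as the O_CLOEXEC patch: the `#else` branch creates the NETLINK_SELINUX socket without close-on-exec, so every child a libselinux user execs inherits the AVC netlink socket. If the patch is kept, add `fcntl(fd, F_SETFD, FD_CLOEXEC)` after the `socket()` call in that branch. The commit message's "references it it" should read "references to it".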
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux_3.0.bb
new file mode 100755
index 0000000..4a60962
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libselinux_3.0.bb
@@ -0,0 +1,16 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+SRC_URI[md5sum] = "b387a66f087b6d97713570e85ec89d89"
+SRC_URI[sha256sum] = "2ea2b30f671dae9d6b1391cbe8fb2ce5d36a3ee4fb1cd3c32f0d933c31b82433"
+
+SRC_URI += "\
+        file://libselinux-drop-Wno-unused-but-set-variable.patch \
+        file://libselinux-make-O_CLOEXEC-optional.patch \
+        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch \
+        file://0001-Fix-NULL-pointer-use-in-selinux_restorecon_set_sehandle.patch \
+        "
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage.inc
new file mode 100755
index 0000000..0139511
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage.inc
@@ -0,0 +1,45 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPLv2.1+"
+
+inherit lib_package python3native
+
+DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native swig-native"
+DEPENDS_append_class-target = " audit"
+
+PACKAGES =+ "${PN}-python"
+
+# For /usr/libexec/selinux/semanage_migrate_store
+RDEPENDS_${PN}-python += "python3-core"
+
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
+                      ${libexecdir}/selinux/semanage_migrate_store"
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
+
+FILES_${PN} += "${libexecdir}"
+
+EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y"
+
+do_compile_append() {
+    oe_runmake pywrap \
+            PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+            PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+            PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install_append() {
+    oe_runmake install-pywrap \
+            PYCEXT='.so' \
+            PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+            PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+
+    # Update "policy-version" for semanage.conf
+    sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 31/' \
+	${D}/etc/selinux/semanage.conf
+}
+
+BBCLASSEXTEND = "native"
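Review bot: the DESCRIPTION is libsepol's, not libsemanage's: "manipulation of SELinux binary policies ... used by checkpolicy (the policy compiler)" describes libsepol, whereas libsemanage is the policy management library behind semodule and semanage (the module store, seusers, booleans). Replace it so the package metadata is not misleading. In do_install_append, `${D}/etc/selinux/semanage.conf` hardcodes /etc instead of `${D}${sysconfdir}`, and the `31` written by the sed is the same literal that refpolicy_common.inc writes into its temporary semanage.conf; make it one variable and say in a comment that it must not exceed the policy version the target kernel supports (`/sys/fs/selinux/policyvers`), otherwise semodule on the target builds a policy the kernel refuses to load.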
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
new file mode 100755
index 0000000..0b1f3d8
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
@@ -0,0 +1,34 @@
+From 01a37b94a1f5605a395e8b45ee9ec653ce716c06 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 26 Mar 2012 15:15:16 +0800
+Subject: [PATCH] libsemanage: Fix execve segfaults on Ubuntu.
+
+semanage_exec_prog() has pass NULL as param 2 to call execve(),
+this may cause segfaults on Ubuntu.
+Such as "make load" while building refpolicy.
+
+http://oss.tresys.com/pipermail/refpolicy/2011-December/004859.html
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/semanage_store.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/semanage_store.c b/src/semanage_store.c
+index 58dded6..1a94545 100644
+--- a/src/semanage_store.c
++++ b/src/semanage_store.c
+@@ -1441,7 +1441,7 @@ static int semanage_exec_prog(semanage_handle_t * sh,
+ 	if (forkval == 0) {
+ 		/* child process.  file descriptors will be closed
+ 		 * because they were set as close-on-exec. */
+-		execve(e->path, argv, NULL);
++		execv(e->path, argv);
+ 		_exit(EXIT_FAILURE);	/* if execve() failed */
+ 	}
+ 
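Review bot: the program spawned from semanage_exec_prog() now inherits the full environment of the calling process instead of an empty one, which is a security-relevant widening for code that runs as root during policy installs, not just a fix for a NULL `envp`. If the only goal is to stop passing NULL, keep `execve` and hand it an explicit empty environment (`char *const envp[] = { NULL }; execve(e->path, argv, envp);`), which behaves the same on every platform. The unchanged comment two lines below, `/* if execve() failed */`, still names the old call, and the commit message should record what actually dereferences the NULL environment, since the patch has been marked Upstream-Status: Pending since 2012.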
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch
new file mode 100755
index 0000000..c588b61
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch
@@ -0,0 +1,126 @@
+From 1633f72579e3b79d055759256b71e4169627889b Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 20 Jan 2014 03:53:48 -0500
+Subject: [PATCH] libsemanage: allow to disable audit support
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ src/Makefile        | 10 +++++++++-
+ src/seusers_local.c | 13 +++++++++++++
+ tests/Makefile      | 10 +++++++++-
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 3bd1e20..483e818 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -26,6 +26,14 @@ ifeq ($(DEBUG),1)
+ 	export LDFLAGS = -g
+ endif
+ 
++DISABLE_AUDIT ?= n
++ifeq ($(DISABLE_AUDIT),y)
++	LIBAUDIT =
++	CFLAGS += -DDISABLE_AUDIT
++else
++	LIBAUDIT = -laudit
++endif
++
+ LEX = flex
+ LFLAGS = -s
+ YACC = bison
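Review bot: `CFLAGS += -DDISABLE_AUDIT` in this hunk runs before the `CFLAGS ?= -Werror -Wall -W -Wundef ...` default that appears later in the same src/Makefile (visible in the -Wno-unused-but-set-variable patch below), so with DISABLE_AUDIT=y and no CFLAGS in the environment, CFLAGS is already defined when the `?=` is reached and the whole default warning set, -Werror included, silently disappears. A bitbake build exports CFLAGS so the problem is masked there, which is exactly why it would go unnoticed. Use `override CFLAGS += -DDISABLE_AUDIT` next to the existing `override CFLAGS += -I../include -D_GNU_SOURCE` line instead; that also survives a CFLAGS passed on the make command line.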
+@@ -88,7 +96,7 @@ $(LIBA): $(OBJS)
+ 	$(RANLIB) $@
+ 
+ $(LIBSO): $(LOBJS)
+-	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+ 	ln -sf $@ $(TARGET)
+ 
+ $(LIBPC): $(LIBPC).in ../VERSION
+diff --git a/src/seusers_local.c b/src/seusers_local.c
+index 3e2761c..8bc6b83 100644
+--- a/src/seusers_local.c
++++ b/src/seusers_local.c
+@@ -8,7 +8,11 @@ typedef struct semanage_seuser record_t;
+ 
+ #include <sepol/policydb.h>
+ #include <sepol/context.h>
++
++#ifndef DISABLE_AUDIT
+ #include <libaudit.h>
++#endif
++
+ #include <errno.h>
+ #include "user_internal.h"
+ #include "seuser_internal.h"
+@@ -55,6 +59,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename)
+ 	return roles;
+ }
+ 
++#ifndef DISABLE_AUDIT
+ static int semanage_seuser_audit(semanage_handle_t * handle,
+ 			  const semanage_seuser_t * seuser,
+ 			  const semanage_seuser_t * previous,
+@@ -119,6 +124,7 @@ err:
+ 	free(proles);
+ 	return rc;
+ }
++#endif
+ 
+ int semanage_seuser_modify_local(semanage_handle_t * handle,
+ 				 const semanage_seuser_key_t * key,
+@@ -163,8 +169,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle,
+ 	(void) semanage_seuser_query(handle, key, &previous);
+ 	handle->msg_callback = callback;
+ 	rc = dbase_modify(handle, dconfig, key, new);
++
++#ifndef DISABLE_AUDIT
+ 	if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
+ 		rc = -1;
++#endif
+ err:
+ 	if (previous)
+ 		semanage_seuser_free(previous);
+@@ -180,8 +189,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle,
+ 	dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
+ 	rc = dbase_del(handle, dconfig, key);
+ 	semanage_seuser_query(handle, key, &seuser);
++
++#ifndef DISABLE_AUDIT
+ 	if (semanage_seuser_audit(handle, NULL, seuser, AUDIT_ROLE_REMOVE, rc == 0) < 0)
+ 		rc = -1;
++#endif
++
+ 	if (seuser)
+ 		semanage_seuser_free(seuser);
+ 	return rc;
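Review bot: in this hunk and the preceding semanage_seuser_modify_local one, building with DISABLE_AUDIT drops the AUDIT_ROLE_ASSIGN / AUDIT_ROLE_REMOVE records that document every change to the SELinux user mapping, which is precisely the kind of event an audit trail is expected to retain. The recipe above sets `DISABLE_AUDIT=y` only for the native (build host) class, so target images keep the records; state that scoping in the commit message so nobody later enables it for target builds to shed the libaudit dependency. In the disabled configuration the `semanage_seuser_query(handle, key, &seuser)` call is left doing work only to free its result; either move it inside the same `#ifndef DISABLE_AUDIT` or leave a comment saying it is intentional.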
+diff --git a/tests/Makefile b/tests/Makefile
+index 69f49a3..f914492 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -4,10 +4,18 @@ CILS = $(sort $(wildcard *.cil))
+ 
+ ###########################################################################
+ 
++DISABLE_AUDIT ?= n
++ifeq ($(DISABLE_AUDIT),y)
++	LIBAUDIT =
++	CFLAGS += -DDISABLE_AUDIT
++else
++	LIBAUDIT = -laudit
++endif
++
+ EXECUTABLE = libsemanage-tests
+ CFLAGS += -g -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter
+ override CFLAGS += -I../src -I../include
+-override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol
++override LDLIBS += -lcunit -lbz2 $(LIBAUDIT) -lselinux -lsepol
+ 
+ OBJECTS = $(SOURCES:.c=.o)
+ POLICIES = $(CILS:.cil=.policy)
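Review bot: the DISABLE_AUDIT / LIBAUDIT block here is a verbatim copy of the one added to src/Makefile; put it in a single fragment included by both Makefiles so the two cannot drift when the default or the flag name changes. The LDLIBS edit itself is consistent with the src/Makefile change (`-laudit` replaced by `$(LIBAUDIT)` in both).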
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
new file mode 100755
index 0000000..45bcbe6
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
+From 81f2e8b62ad2298a197c4b16e7182a133c1e116f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:17:38 -0400
+Subject: [PATCH] libsemanage: define FD_CLOEXEC as necessary
+
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ src/semanage_store.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/semanage_store.c b/src/semanage_store.c
+index 1a94545..b586a8f 100644
+--- a/src/semanage_store.c
++++ b/src/semanage_store.c
+@@ -66,6 +66,11 @@ typedef struct dbase_policydb dbase_t;
+ 
+ #define TRUE 1
+ 
++#ifndef FD_CLOEXEC
++#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
++#define FD_CLOEXEC 1
++#endif
++
+ enum semanage_file_defs {
+ 	SEMANAGE_ROOT,
+ 	SEMANAGE_TRANS_LOCK,
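Review bot: the `#warning` paired with the fallback `#define FD_CLOEXEC 1` turns into a hard error under the `-Werror` that src/Makefile puts in its default CFLAGS (see the -Wno-unused-but-set-variable patch below), so on exactly the old platforms this is meant to help the build stops instead of warning, unless CFLAGS is overridden. Either use a comment instead of `#warning` or document that CFLAGS must be set on those systems. The value 1 matches what asm-generic/fcntl.h defines, so the existing `fcntl(fd, F_SETFD, FD_CLOEXEC)` calls keep their meaning; the descriptor leak the warning mentions only happens if the platform's fcntl ignores the flag, which a define cannot fix.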
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
new file mode 100755
index 0000000..d1e5720
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
@@ -0,0 +1,33 @@
+From 35196d58cd37fec89fcf95e3d43b41de7008f0be Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe@deserted.net>
+Date: Wed, 7 May 2014 11:36:27 -0400
+Subject: [PATCH] libsemanage: disable expand-check on policy load
+
+For small policy modules it's not necessary to walk the hierarchy on load.
+On embedded devices that are low-powered or resource-constrained disabling
+the hierarchy processing can make the difference between seconds and
+(many) minutes of load time (or being able to load the policy at all).
+
+Upstream-Status: Denied [upstream developers want to preserve the default
+                 checking: http://marc.info/?l=selinux&m=121794804217721&w=2]
+
+Signed-off-by: Joe MacDonald <joe@deserted.net>
+---
+ src/semanage.conf | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/semanage.conf b/src/semanage.conf
+index dc8d46b..254f156 100644
+--- a/src/semanage.conf
++++ b/src/semanage.conf
+@@ -39,3 +39,7 @@ module-store = direct
+ # By default, semanage will generate policies for the SELinux target.
+ # To build policies for Xen, uncomment the following line.
+ #target-platform = xen
++
++# Don't check the entire policy hierarchy when inserting / expanding a policy
++# module.  This results in a significant speed-up in policy loading.
++expand-check=0
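Review bot: `expand-check=0` does not only skip the hierarchy walk the commit message describes; in semanage.conf this option controls whether neverallow assertions are checked when modules are linked and expanded, so after this change a module that violates a neverallow rule of the base policy installs without complaint. That is a policy-integrity regression, and it is the reason upstream declined the patch. Keep the upstream default and make this an opt-in for constrained targets, for example a recipe variable applied by the same do_install sed that already edits policy-version, and say in the comment which checks are being turned off. The new line also uses `expand-check=0` where the rest of the file writes `key = value`.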
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch
new file mode 100755
index 0000000..c9b052c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch
@@ -0,0 +1,28 @@
+From 90a2459d1683e53f4a896b977e6b396db562c903 Mon Sep 17 00:00:00 2001
+From: Randy MacLeod <Randy.MacLeod@windriver.com>
+Date: Tue, 30 Apr 2013 23:15:57 -0400
+Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable
+
+Upstream-Status: Inappropriate [older compilers only]
+
+Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index e029f09..8240c3a 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -55,7 +55,7 @@ OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o
+ LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
+ CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
+ 
+-SWIG_CFLAGS += -Wno-error -Wno-unused-but-set-variable -Wno-unused-variable -Wno-shadow \
++SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-shadow \
+ 		-Wno-unused-parameter
+ 
+ override CFLAGS += -I../include -D_GNU_SOURCE
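Review bot: the Subject line says `libselinux:` but the hunk edits libsemanage's src/Makefile and the patch ships with the libsemanage recipe; fix the prefix so the patch header names the right component. Dropping `-Wno-unused-but-set-variable` only from SWIG_CFLAGS limits the effect to the generated Python wrapper compile, which matches the "older compilers only" note.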
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage_3.0.bb
new file mode 100755
index 0000000..450675b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsemanage_3.0.bb
@@ -0,0 +1,15 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "17a2fc780af0a36f2cf27ab7c4e85946"
+SRC_URI[sha256sum] = "a497b0720d54eac427f1f3f618eed417e50ed8f4e47ed0f7a1d391bd416e84cf"
+
+SRC_URI += "\
+	file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
+	file://libsemanage-drop-Wno-unused-but-set-variable.patch \
+	file://libsemanage-define-FD_CLOEXEC-as-necessary.patch \
+	file://libsemanage-allow-to-disable-audit-support.patch \
+	file://libsemanage-disable-expand-check-on-policy-load.patch \
+	"
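Review bot: this recipe, the .inc and every patch above are created with `new file mode 100755` (see the file headers); none of them is executable, so add them as 100644 before merging rather than carrying stray executable bits in version control. The SRC_URI patch order is consistent with the index lines inside the patches (the FD_CLOEXEC patch is based on the blob the execve patch produces), so that part is fine; `SRC_URI[md5sum]` adds nothing next to the sha256 and can be dropped.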
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol.inc
new file mode 100755
index 0000000..a8ee749
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol.inc
@@ -0,0 +1,17 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsepol provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPLv2+"
+
+inherit lib_package
+
+# Change RANLIB for cross compiling, use host-tools $(AR) rather than
+# local ranlib.
+EXTRA_OEMAKE += "RANLIB='$(AR) s'"
+
+DEPENDS += "flex-native"
+
+BBCLASSEXTEND = "native"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch
new file mode 100755
index 0000000..46c56a4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch
@@ -0,0 +1,530 @@
+From a96e8c59ecac84096d870b42701a504791a8cc8c Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 23 Jan 2020 13:57:13 +0100
+Subject: [PATCH] libsepol: fix CIL_KEY_* build errors with -fno-common
+
+GCC 10 comes with -fno-common enabled by default - fix the CIL_KEY_*
+global variables to be defined only once in cil.c and declared in the
+header file correctly with the 'extern' keyword, so that other units
+including the file don't generate duplicate definitions.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/a96e8c59ecac84096d870b42701a504791a8cc8c]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ cil/src/cil.c          | 162 ++++++++++++++++
+ cil/src/cil_internal.h | 322 ++++++++++++++++----------------
+ 2 files changed, 323 insertions(+), 161 deletions(-)
+
+diff --git a/cil/src/cil.c b/cil/src/cil.c
+index de729cf8..d222ad3a 100644
+--- a/cil/src/cil.c
++++ b/cil/src/cil.c
+@@ -77,6 +77,168 @@ int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM] = {
+ 	{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}
+ };
+ 
++char *CIL_KEY_CONS_T1;
++char *CIL_KEY_CONS_T2;
++char *CIL_KEY_CONS_T3;
++char *CIL_KEY_CONS_R1;
++char *CIL_KEY_CONS_R2;
++char *CIL_KEY_CONS_R3;
++char *CIL_KEY_CONS_U1;
++char *CIL_KEY_CONS_U2;
++char *CIL_KEY_CONS_U3;
++char *CIL_KEY_CONS_L1;
++char *CIL_KEY_CONS_L2;
++char *CIL_KEY_CONS_H1;
++char *CIL_KEY_CONS_H2;
++char *CIL_KEY_AND;
++char *CIL_KEY_OR;
++char *CIL_KEY_NOT;
++char *CIL_KEY_EQ;
++char *CIL_KEY_NEQ;
++char *CIL_KEY_CONS_DOM;
++char *CIL_KEY_CONS_DOMBY;
++char *CIL_KEY_CONS_INCOMP;
++char *CIL_KEY_CONDTRUE;
++char *CIL_KEY_CONDFALSE;
++char *CIL_KEY_SELF;
++char *CIL_KEY_OBJECT_R;
++char *CIL_KEY_STAR;
++char *CIL_KEY_TCP;
++char *CIL_KEY_UDP;
++char *CIL_KEY_DCCP;
++char *CIL_KEY_SCTP;
++char *CIL_KEY_AUDITALLOW;
++char *CIL_KEY_TUNABLEIF;
++char *CIL_KEY_ALLOW;
++char *CIL_KEY_DONTAUDIT;
++char *CIL_KEY_TYPETRANSITION;
++char *CIL_KEY_TYPECHANGE;
++char *CIL_KEY_CALL;
++char *CIL_KEY_TUNABLE;
++char *CIL_KEY_XOR;
++char *CIL_KEY_ALL;
++char *CIL_KEY_RANGE;
++char *CIL_KEY_GLOB;
++char *CIL_KEY_FILE;
++char *CIL_KEY_DIR;
++char *CIL_KEY_CHAR;
++char *CIL_KEY_BLOCK;
++char *CIL_KEY_SOCKET;
++char *CIL_KEY_PIPE;
++char *CIL_KEY_SYMLINK;
++char *CIL_KEY_ANY;
++char *CIL_KEY_XATTR;
++char *CIL_KEY_TASK;
++char *CIL_KEY_TRANS;
++char *CIL_KEY_TYPE;
++char *CIL_KEY_ROLE;
++char *CIL_KEY_USER;
++char *CIL_KEY_USERATTRIBUTE;
++char *CIL_KEY_USERATTRIBUTESET;
++char *CIL_KEY_SENSITIVITY;
++char *CIL_KEY_CATEGORY;
++char *CIL_KEY_CATSET;
++char *CIL_KEY_LEVEL;
++char *CIL_KEY_LEVELRANGE;
++char *CIL_KEY_CLASS;
++char *CIL_KEY_IPADDR;
++char *CIL_KEY_MAP_CLASS;
++char *CIL_KEY_CLASSPERMISSION;
++char *CIL_KEY_BOOL;
++char *CIL_KEY_STRING;
++char *CIL_KEY_NAME;
++char *CIL_KEY_SOURCE;
++char *CIL_KEY_TARGET;
++char *CIL_KEY_LOW;
++char *CIL_KEY_HIGH;
++char *CIL_KEY_LOW_HIGH;
++char *CIL_KEY_GLBLUB;
++char *CIL_KEY_HANDLEUNKNOWN;
++char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
++char *CIL_KEY_HANDLEUNKNOWN_DENY;
++char *CIL_KEY_HANDLEUNKNOWN_REJECT;
++char *CIL_KEY_MACRO;
++char *CIL_KEY_IN;
++char *CIL_KEY_MLS;
++char *CIL_KEY_DEFAULTRANGE;
++char *CIL_KEY_BLOCKINHERIT;
++char *CIL_KEY_BLOCKABSTRACT;
++char *CIL_KEY_CLASSORDER;
++char *CIL_KEY_CLASSMAPPING;
++char *CIL_KEY_CLASSPERMISSIONSET;
++char *CIL_KEY_COMMON;
++char *CIL_KEY_CLASSCOMMON;
++char *CIL_KEY_SID;
++char *CIL_KEY_SIDCONTEXT;
++char *CIL_KEY_SIDORDER;
++char *CIL_KEY_USERLEVEL;
++char *CIL_KEY_USERRANGE;
++char *CIL_KEY_USERBOUNDS;
++char *CIL_KEY_USERPREFIX;
++char *CIL_KEY_SELINUXUSER;
++char *CIL_KEY_SELINUXUSERDEFAULT;
++char *CIL_KEY_TYPEATTRIBUTE;
++char *CIL_KEY_TYPEATTRIBUTESET;
++char *CIL_KEY_EXPANDTYPEATTRIBUTE;
++char *CIL_KEY_TYPEALIAS;
++char *CIL_KEY_TYPEALIASACTUAL;
++char *CIL_KEY_TYPEBOUNDS;
++char *CIL_KEY_TYPEPERMISSIVE;
++char *CIL_KEY_RANGETRANSITION;
++char *CIL_KEY_USERROLE;
++char *CIL_KEY_ROLETYPE;
++char *CIL_KEY_ROLETRANSITION;
++char *CIL_KEY_ROLEALLOW;
++char *CIL_KEY_ROLEATTRIBUTE;
++char *CIL_KEY_ROLEATTRIBUTESET;
++char *CIL_KEY_ROLEBOUNDS;
++char *CIL_KEY_BOOLEANIF;
++char *CIL_KEY_NEVERALLOW;
++char *CIL_KEY_TYPEMEMBER;
++char *CIL_KEY_SENSALIAS;
++char *CIL_KEY_SENSALIASACTUAL;
++char *CIL_KEY_CATALIAS;
++char *CIL_KEY_CATALIASACTUAL;
++char *CIL_KEY_CATORDER;
++char *CIL_KEY_SENSITIVITYORDER;
++char *CIL_KEY_SENSCAT;
++char *CIL_KEY_CONSTRAIN;
++char *CIL_KEY_MLSCONSTRAIN;
++char *CIL_KEY_VALIDATETRANS;
++char *CIL_KEY_MLSVALIDATETRANS;
++char *CIL_KEY_CONTEXT;
++char *CIL_KEY_FILECON;
++char *CIL_KEY_IBPKEYCON;
++char *CIL_KEY_IBENDPORTCON;
++char *CIL_KEY_PORTCON;
++char *CIL_KEY_NODECON;
++char *CIL_KEY_GENFSCON;
++char *CIL_KEY_NETIFCON;
++char *CIL_KEY_PIRQCON;
++char *CIL_KEY_IOMEMCON;
++char *CIL_KEY_IOPORTCON;
++char *CIL_KEY_PCIDEVICECON;
++char *CIL_KEY_DEVICETREECON;
++char *CIL_KEY_FSUSE;
++char *CIL_KEY_POLICYCAP;
++char *CIL_KEY_OPTIONAL;
++char *CIL_KEY_DEFAULTUSER;
++char *CIL_KEY_DEFAULTROLE;
++char *CIL_KEY_DEFAULTTYPE;
++char *CIL_KEY_ROOT;
++char *CIL_KEY_NODE;
++char *CIL_KEY_PERM;
++char *CIL_KEY_ALLOWX;
++char *CIL_KEY_AUDITALLOWX;
++char *CIL_KEY_DONTAUDITX;
++char *CIL_KEY_NEVERALLOWX;
++char *CIL_KEY_PERMISSIONX;
++char *CIL_KEY_IOCTL;
++char *CIL_KEY_UNORDERED;
++char *CIL_KEY_SRC_INFO;
++char *CIL_KEY_SRC_CIL;
++char *CIL_KEY_SRC_HLL;
++
+ static void cil_init_keys(void)
+ {
+ 	/* Initialize CIL Keys into strpool */
+diff --git a/cil/src/cil_internal.h b/cil/src/cil_internal.h
+index 30fab649..9bdcbdd0 100644
+--- a/cil/src/cil_internal.h
++++ b/cil/src/cil_internal.h
+@@ -74,167 +74,167 @@ enum cil_pass {
+ /*
+ 	Keywords
+ */
+-char *CIL_KEY_CONS_T1;
+-char *CIL_KEY_CONS_T2;
+-char *CIL_KEY_CONS_T3;
+-char *CIL_KEY_CONS_R1;
+-char *CIL_KEY_CONS_R2;
+-char *CIL_KEY_CONS_R3;
+-char *CIL_KEY_CONS_U1;
+-char *CIL_KEY_CONS_U2;
+-char *CIL_KEY_CONS_U3;
+-char *CIL_KEY_CONS_L1;
+-char *CIL_KEY_CONS_L2;
+-char *CIL_KEY_CONS_H1;
+-char *CIL_KEY_CONS_H2;
+-char *CIL_KEY_AND;
+-char *CIL_KEY_OR;
+-char *CIL_KEY_NOT;
+-char *CIL_KEY_EQ;
+-char *CIL_KEY_NEQ;
+-char *CIL_KEY_CONS_DOM;
+-char *CIL_KEY_CONS_DOMBY;
+-char *CIL_KEY_CONS_INCOMP;
+-char *CIL_KEY_CONDTRUE;
+-char *CIL_KEY_CONDFALSE;
+-char *CIL_KEY_SELF;
+-char *CIL_KEY_OBJECT_R;
+-char *CIL_KEY_STAR;
+-char *CIL_KEY_TCP;
+-char *CIL_KEY_UDP;
+-char *CIL_KEY_DCCP;
+-char *CIL_KEY_SCTP;
+-char *CIL_KEY_AUDITALLOW;
+-char *CIL_KEY_TUNABLEIF;
+-char *CIL_KEY_ALLOW;
+-char *CIL_KEY_DONTAUDIT;
+-char *CIL_KEY_TYPETRANSITION;
+-char *CIL_KEY_TYPECHANGE;
+-char *CIL_KEY_CALL;
+-char *CIL_KEY_TUNABLE;
+-char *CIL_KEY_XOR;
+-char *CIL_KEY_ALL;
+-char *CIL_KEY_RANGE;
+-char *CIL_KEY_GLOB;
+-char *CIL_KEY_FILE;
+-char *CIL_KEY_DIR;
+-char *CIL_KEY_CHAR;
+-char *CIL_KEY_BLOCK;
+-char *CIL_KEY_SOCKET;
+-char *CIL_KEY_PIPE;
+-char *CIL_KEY_SYMLINK;
+-char *CIL_KEY_ANY;
+-char *CIL_KEY_XATTR;
+-char *CIL_KEY_TASK;
+-char *CIL_KEY_TRANS;
+-char *CIL_KEY_TYPE;
+-char *CIL_KEY_ROLE;
+-char *CIL_KEY_USER;
+-char *CIL_KEY_USERATTRIBUTE;
+-char *CIL_KEY_USERATTRIBUTESET;
+-char *CIL_KEY_SENSITIVITY;
+-char *CIL_KEY_CATEGORY;
+-char *CIL_KEY_CATSET;
+-char *CIL_KEY_LEVEL;
+-char *CIL_KEY_LEVELRANGE;
+-char *CIL_KEY_CLASS;
+-char *CIL_KEY_IPADDR;
+-char *CIL_KEY_MAP_CLASS;
+-char *CIL_KEY_CLASSPERMISSION;
+-char *CIL_KEY_BOOL;
+-char *CIL_KEY_STRING;
+-char *CIL_KEY_NAME;
+-char *CIL_KEY_SOURCE;
+-char *CIL_KEY_TARGET;
+-char *CIL_KEY_LOW;
+-char *CIL_KEY_HIGH;
+-char *CIL_KEY_LOW_HIGH;
+-char *CIL_KEY_GLBLUB;
+-char *CIL_KEY_HANDLEUNKNOWN;
+-char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
+-char *CIL_KEY_HANDLEUNKNOWN_DENY;
+-char *CIL_KEY_HANDLEUNKNOWN_REJECT;
+-char *CIL_KEY_MACRO;
+-char *CIL_KEY_IN;
+-char *CIL_KEY_MLS;
+-char *CIL_KEY_DEFAULTRANGE;
+-char *CIL_KEY_BLOCKINHERIT;
+-char *CIL_KEY_BLOCKABSTRACT;
+-char *CIL_KEY_CLASSORDER;
+-char *CIL_KEY_CLASSMAPPING;
+-char *CIL_KEY_CLASSPERMISSIONSET;
+-char *CIL_KEY_COMMON;
+-char *CIL_KEY_CLASSCOMMON;
+-char *CIL_KEY_SID;
+-char *CIL_KEY_SIDCONTEXT;
+-char *CIL_KEY_SIDORDER;
+-char *CIL_KEY_USERLEVEL;
+-char *CIL_KEY_USERRANGE;
+-char *CIL_KEY_USERBOUNDS;
+-char *CIL_KEY_USERPREFIX;
+-char *CIL_KEY_SELINUXUSER;
+-char *CIL_KEY_SELINUXUSERDEFAULT;
+-char *CIL_KEY_TYPEATTRIBUTE;
+-char *CIL_KEY_TYPEATTRIBUTESET;
+-char *CIL_KEY_EXPANDTYPEATTRIBUTE;
+-char *CIL_KEY_TYPEALIAS;
+-char *CIL_KEY_TYPEALIASACTUAL;
+-char *CIL_KEY_TYPEBOUNDS;
+-char *CIL_KEY_TYPEPERMISSIVE;
+-char *CIL_KEY_RANGETRANSITION;
+-char *CIL_KEY_USERROLE;
+-char *CIL_KEY_ROLETYPE;
+-char *CIL_KEY_ROLETRANSITION;
+-char *CIL_KEY_ROLEALLOW;
+-char *CIL_KEY_ROLEATTRIBUTE;
+-char *CIL_KEY_ROLEATTRIBUTESET;
+-char *CIL_KEY_ROLEBOUNDS;
+-char *CIL_KEY_BOOLEANIF;
+-char *CIL_KEY_NEVERALLOW;
+-char *CIL_KEY_TYPEMEMBER;
+-char *CIL_KEY_SENSALIAS;
+-char *CIL_KEY_SENSALIASACTUAL;
+-char *CIL_KEY_CATALIAS;
+-char *CIL_KEY_CATALIASACTUAL;
+-char *CIL_KEY_CATORDER;
+-char *CIL_KEY_SENSITIVITYORDER;
+-char *CIL_KEY_SENSCAT;
+-char *CIL_KEY_CONSTRAIN;
+-char *CIL_KEY_MLSCONSTRAIN;
+-char *CIL_KEY_VALIDATETRANS;
+-char *CIL_KEY_MLSVALIDATETRANS;
+-char *CIL_KEY_CONTEXT;
+-char *CIL_KEY_FILECON;
+-char *CIL_KEY_IBPKEYCON;
+-char *CIL_KEY_IBENDPORTCON;
+-char *CIL_KEY_PORTCON;
+-char *CIL_KEY_NODECON;
+-char *CIL_KEY_GENFSCON;
+-char *CIL_KEY_NETIFCON;
+-char *CIL_KEY_PIRQCON;
+-char *CIL_KEY_IOMEMCON;
+-char *CIL_KEY_IOPORTCON;
+-char *CIL_KEY_PCIDEVICECON;
+-char *CIL_KEY_DEVICETREECON;
+-char *CIL_KEY_FSUSE;
+-char *CIL_KEY_POLICYCAP;
+-char *CIL_KEY_OPTIONAL;
+-char *CIL_KEY_DEFAULTUSER;
+-char *CIL_KEY_DEFAULTROLE;
+-char *CIL_KEY_DEFAULTTYPE;
+-char *CIL_KEY_ROOT;
+-char *CIL_KEY_NODE;
+-char *CIL_KEY_PERM;
+-char *CIL_KEY_ALLOWX;
+-char *CIL_KEY_AUDITALLOWX;
+-char *CIL_KEY_DONTAUDITX;
+-char *CIL_KEY_NEVERALLOWX;
+-char *CIL_KEY_PERMISSIONX;
+-char *CIL_KEY_IOCTL;
+-char *CIL_KEY_UNORDERED;
+-char *CIL_KEY_SRC_INFO;
+-char *CIL_KEY_SRC_CIL;
+-char *CIL_KEY_SRC_HLL;
++extern char *CIL_KEY_CONS_T1;
++extern char *CIL_KEY_CONS_T2;
++extern char *CIL_KEY_CONS_T3;
++extern char *CIL_KEY_CONS_R1;
++extern char *CIL_KEY_CONS_R2;
++extern char *CIL_KEY_CONS_R3;
++extern char *CIL_KEY_CONS_U1;
++extern char *CIL_KEY_CONS_U2;
++extern char *CIL_KEY_CONS_U3;
++extern char *CIL_KEY_CONS_L1;
++extern char *CIL_KEY_CONS_L2;
++extern char *CIL_KEY_CONS_H1;
++extern char *CIL_KEY_CONS_H2;
++extern char *CIL_KEY_AND;
++extern char *CIL_KEY_OR;
++extern char *CIL_KEY_NOT;
++extern char *CIL_KEY_EQ;
++extern char *CIL_KEY_NEQ;
++extern char *CIL_KEY_CONS_DOM;
++extern char *CIL_KEY_CONS_DOMBY;
++extern char *CIL_KEY_CONS_INCOMP;
++extern char *CIL_KEY_CONDTRUE;
++extern char *CIL_KEY_CONDFALSE;
++extern char *CIL_KEY_SELF;
++extern char *CIL_KEY_OBJECT_R;
++extern char *CIL_KEY_STAR;
++extern char *CIL_KEY_TCP;
++extern char *CIL_KEY_UDP;
++extern char *CIL_KEY_DCCP;
++extern char *CIL_KEY_SCTP;
++extern char *CIL_KEY_AUDITALLOW;
++extern char *CIL_KEY_TUNABLEIF;
++extern char *CIL_KEY_ALLOW;
++extern char *CIL_KEY_DONTAUDIT;
++extern char *CIL_KEY_TYPETRANSITION;
++extern char *CIL_KEY_TYPECHANGE;
++extern char *CIL_KEY_CALL;
++extern char *CIL_KEY_TUNABLE;
++extern char *CIL_KEY_XOR;
++extern char *CIL_KEY_ALL;
++extern char *CIL_KEY_RANGE;
++extern char *CIL_KEY_GLOB;
++extern char *CIL_KEY_FILE;
++extern char *CIL_KEY_DIR;
++extern char *CIL_KEY_CHAR;
++extern char *CIL_KEY_BLOCK;
++extern char *CIL_KEY_SOCKET;
++extern char *CIL_KEY_PIPE;
++extern char *CIL_KEY_SYMLINK;
++extern char *CIL_KEY_ANY;
++extern char *CIL_KEY_XATTR;
++extern char *CIL_KEY_TASK;
++extern char *CIL_KEY_TRANS;
++extern char *CIL_KEY_TYPE;
++extern char *CIL_KEY_ROLE;
++extern char *CIL_KEY_USER;
++extern char *CIL_KEY_USERATTRIBUTE;
++extern char *CIL_KEY_USERATTRIBUTESET;
++extern char *CIL_KEY_SENSITIVITY;
++extern char *CIL_KEY_CATEGORY;
++extern char *CIL_KEY_CATSET;
++extern char *CIL_KEY_LEVEL;
++extern char *CIL_KEY_LEVELRANGE;
++extern char *CIL_KEY_CLASS;
++extern char *CIL_KEY_IPADDR;
++extern char *CIL_KEY_MAP_CLASS;
++extern char *CIL_KEY_CLASSPERMISSION;
++extern char *CIL_KEY_BOOL;
++extern char *CIL_KEY_STRING;
++extern char *CIL_KEY_NAME;
++extern char *CIL_KEY_SOURCE;
++extern char *CIL_KEY_TARGET;
++extern char *CIL_KEY_LOW;
++extern char *CIL_KEY_HIGH;
++extern char *CIL_KEY_LOW_HIGH;
++extern char *CIL_KEY_GLBLUB;
++extern char *CIL_KEY_HANDLEUNKNOWN;
++extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
++extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
++extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
++extern char *CIL_KEY_MACRO;
++extern char *CIL_KEY_IN;
++extern char *CIL_KEY_MLS;
++extern char *CIL_KEY_DEFAULTRANGE;
++extern char *CIL_KEY_BLOCKINHERIT;
++extern char *CIL_KEY_BLOCKABSTRACT;
++extern char *CIL_KEY_CLASSORDER;
++extern char *CIL_KEY_CLASSMAPPING;
++extern char *CIL_KEY_CLASSPERMISSIONSET;
++extern char *CIL_KEY_COMMON;
++extern char *CIL_KEY_CLASSCOMMON;
++extern char *CIL_KEY_SID;
++extern char *CIL_KEY_SIDCONTEXT;
++extern char *CIL_KEY_SIDORDER;
++extern char *CIL_KEY_USERLEVEL;
++extern char *CIL_KEY_USERRANGE;
++extern char *CIL_KEY_USERBOUNDS;
++extern char *CIL_KEY_USERPREFIX;
++extern char *CIL_KEY_SELINUXUSER;
++extern char *CIL_KEY_SELINUXUSERDEFAULT;
++extern char *CIL_KEY_TYPEATTRIBUTE;
++extern char *CIL_KEY_TYPEATTRIBUTESET;
++extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
++extern char *CIL_KEY_TYPEALIAS;
++extern char *CIL_KEY_TYPEALIASACTUAL;
++extern char *CIL_KEY_TYPEBOUNDS;
++extern char *CIL_KEY_TYPEPERMISSIVE;
++extern char *CIL_KEY_RANGETRANSITION;
++extern char *CIL_KEY_USERROLE;
++extern char *CIL_KEY_ROLETYPE;
++extern char *CIL_KEY_ROLETRANSITION;
++extern char *CIL_KEY_ROLEALLOW;
++extern char *CIL_KEY_ROLEATTRIBUTE;
++extern char *CIL_KEY_ROLEATTRIBUTESET;
++extern char *CIL_KEY_ROLEBOUNDS;
++extern char *CIL_KEY_BOOLEANIF;
++extern char *CIL_KEY_NEVERALLOW;
++extern char *CIL_KEY_TYPEMEMBER;
++extern char *CIL_KEY_SENSALIAS;
++extern char *CIL_KEY_SENSALIASACTUAL;
++extern char *CIL_KEY_CATALIAS;
++extern char *CIL_KEY_CATALIASACTUAL;
++extern char *CIL_KEY_CATORDER;
++extern char *CIL_KEY_SENSITIVITYORDER;
++extern char *CIL_KEY_SENSCAT;
++extern char *CIL_KEY_CONSTRAIN;
++extern char *CIL_KEY_MLSCONSTRAIN;
++extern char *CIL_KEY_VALIDATETRANS;
++extern char *CIL_KEY_MLSVALIDATETRANS;
++extern char *CIL_KEY_CONTEXT;
++extern char *CIL_KEY_FILECON;
++extern char *CIL_KEY_IBPKEYCON;
++extern char *CIL_KEY_IBENDPORTCON;
++extern char *CIL_KEY_PORTCON;
++extern char *CIL_KEY_NODECON;
++extern char *CIL_KEY_GENFSCON;
++extern char *CIL_KEY_NETIFCON;
++extern char *CIL_KEY_PIRQCON;
++extern char *CIL_KEY_IOMEMCON;
++extern char *CIL_KEY_IOPORTCON;
++extern char *CIL_KEY_PCIDEVICECON;
++extern char *CIL_KEY_DEVICETREECON;
++extern char *CIL_KEY_FSUSE;
++extern char *CIL_KEY_POLICYCAP;
++extern char *CIL_KEY_OPTIONAL;
++extern char *CIL_KEY_DEFAULTUSER;
++extern char *CIL_KEY_DEFAULTROLE;
++extern char *CIL_KEY_DEFAULTTYPE;
++extern char *CIL_KEY_ROOT;
++extern char *CIL_KEY_NODE;
++extern char *CIL_KEY_PERM;
++extern char *CIL_KEY_ALLOWX;
++extern char *CIL_KEY_AUDITALLOWX;
++extern char *CIL_KEY_DONTAUDITX;
++extern char *CIL_KEY_NEVERALLOWX;
++extern char *CIL_KEY_PERMISSIONX;
++extern char *CIL_KEY_IOCTL;
++extern char *CIL_KEY_UNORDERED;
++extern char *CIL_KEY_SRC_INFO;
++extern char *CIL_KEY_SRC_CIL;
++extern char *CIL_KEY_SRC_HLL;
+ 
+ /*
+ 	Symbol Table Array Indices
+-- 
+2.17.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch
new file mode 100755
index 0000000..674fddd
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch
@@ -0,0 +1,65 @@
+From 3d32fc24d6aff360a538c63dad08ca5c957551b0 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 23 Jan 2020 13:57:14 +0100
+Subject: [PATCH] libsepol: remove leftovers of cil_mem_error_handler
+
+Commit 4459d635b8f1 ("libsepol: Remove cil_mem_error_handler() function
+pointer") replaced cil_mem_error_handler usage with inline contents of
+the default handler. However, it left over the header declaration and
+two callers. Convert these as well and remove the header declaration.
+
+This also fixes a build failure with -fno-common.
+
+Fixes: 4459d635b8f1 ("libsepol: Remove cil_mem_error_handler() function pointer")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/3d32fc24d6aff360a538c63dad08ca5c957551b0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ cil/src/cil_mem.h     | 1 -
+ cil/src/cil_strpool.c | 8 ++++----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/cil/src/cil_mem.h b/cil/src/cil_mem.h
+index 902ce131..794f02a3 100644
+--- a/cil/src/cil_mem.h
++++ b/cil/src/cil_mem.h
+@@ -36,7 +36,6 @@ void *cil_calloc(size_t num_elements, size_t element_size);
+ void *cil_realloc(void *ptr, size_t size);
+ char *cil_strdup(const char *str);
+ int cil_asprintf(char **strp, const char *fmt, ...);
+-void (*cil_mem_error_handler)(void);
+ 
+ #endif /* CIL_MEM_H_ */
+ 
+diff --git a/cil/src/cil_strpool.c b/cil/src/cil_strpool.c
+index 97d4c4b9..2598bbf3 100644
+--- a/cil/src/cil_strpool.c
++++ b/cil/src/cil_strpool.c
+@@ -80,8 +80,8 @@ char *cil_strpool_add(const char *str)
+ 		int rc = hashtab_insert(cil_strpool_tab, (hashtab_key_t)strpool_ref->str, strpool_ref);
+ 		if (rc != SEPOL_OK) {
+ 			pthread_mutex_unlock(&cil_strpool_mutex);
+-			(*cil_mem_error_handler)();
+-			pthread_mutex_lock(&cil_strpool_mutex);
++			cil_log(CIL_ERR, "Failed to allocate memory\n");
++			exit(1);
+ 		}
+ 	}
+ 
+@@ -104,8 +104,8 @@ void cil_strpool_init(void)
+ 		cil_strpool_tab = hashtab_create(cil_strpool_hash, cil_strpool_compare, CIL_STRPOOL_TABLE_SIZE);
+ 		if (cil_strpool_tab == NULL) {
+ 			pthread_mutex_unlock(&cil_strpool_mutex);
+-			(*cil_mem_error_handler)();
+-			return;
++			cil_log(CIL_ERR, "Failed to allocate memory\n");
++			exit(1);
+ 		}
+ 	}
+ 	cil_strpool_readers++;
+-- 
+2.17.1
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36084.patch
new file mode 100755
index 0000000..1001563
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36084.patch
@@ -0,0 +1,99 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
+ classpermission
+
+Nicolas Iooss reports:
+  A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+  got reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+  is misleading, or is caused by another issue that conflicts with the
+  one I report in this message). Here is a minimized CIL policy which
+  reproduces the issue:
+
+  (class CLASS (PERM))
+  (classorder (CLASS))
+  (sid SID)
+  (sidorder (SID))
+  (user USER)
+  (role ROLE)
+  (type TYPE)
+  (category CAT)
+  (categoryorder (CAT))
+  (sensitivity SENS)
+  (sensitivityorder (SENS))
+  (sensitivitycategory SENS (CAT))
+  (allow TYPE self (CLASS (PERM)))
+  (roletype ROLE TYPE)
+  (userrole USER ROLE)
+  (userlevel USER (SENS))
+  (userrange USER ((SENS)(SENS (CAT))))
+  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+  (classpermission CLAPERM)
+
+  (optional OPT
+      (roletype nonexistingrole nonexistingtype)
+      (classpermissionset CLAPERM (CLASS (PERM)))
+  )
+
+  The CIL policy fuzzer (which mimics secilc built with clang Address
+  Sanitizer) reports:
+
+  ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+  0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+  0x7ffe2a256588
+  READ of size 8 at 0x603000004f98 thread T0
+      #0 0x56445134c841 in __cil_verify_classperms
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+      #1 0x56445134a43e in __cil_verify_classpermission
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+      #2 0x56445134a43e in __cil_pre_verify_helper
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+      #3 0x5644513225ac in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+      #4 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #5 0x5644513226af in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+      #6 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #7 0x5644512b88fd in cil_pre_verify
+  /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+      #8 0x5644512b88fd in cil_post_process
+  /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+      #9 0x5644511856ff in cil_compile
+  /selinux/libsepol/src/../cil/src/cil.c:564:7
+
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+
+Destroy the classperms list (without destroying the data in it)  when
+resetting a classpermission rule.
+
+Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36084
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
+ 		return;
+ 	}
+ 
+-	cil_reset_classperms_list(cp->classperms);
++	cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
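Review bot: every file in this series is added as `new file mode 100755`, including this .patch file, the .bb/.inc recipes and the pam.d configuration files below; none of them is executed, so they should be committed as 0644. The backport itself matches its description: `cil_list_destroy(&cp->classperms, CIL_FALSE)` frees only the list nodes, not the classperms they point at, which the classpermissionset rules own, so the dangling pointer read in `__cil_verify_classperms` goes away without a double free. Note that the patch is in quilt `Index:` form with a `libsepol-3.0/` prefix, so the strip level must match the other patches in SRC_URI.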
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36085.patch
new file mode 100755
index 0000000..4bd05eb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol/CVE-2021-36085.patch
@@ -0,0 +1,38 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
+
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
+ 
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+-	cil_reset_classperms_list(perm->classperms);
++	cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+ 
+ static inline void cil_reset_classperms(struct cil_classperms *cp)
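Review bot: with this change and CVE-2021-36084.patch applied, both callers of `cil_reset_classperms_list` visible in these backports are gone. Check that the helper still has a caller in libsepol 3.0's cil_reset_ast.c; if not, the static function becomes unused and `-Wunused-function` will fire (an error under `-Werror`), so the backport should also drop the helper or the build will need a warning override.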
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol_3.0.bb
new file mode 100755
index 0000000..b7a7071
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/libsepol_3.0.bb
@@ -0,0 +1,14 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "22ddb9994910cb9cfff5cb9663cb7ae7"
+SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a6033eb79"
+
+SRC_URI += "\
+        file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
+        file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
+        file://CVE-2021-36084.patch \
+        file://CVE-2021-36085.patch \
+        "
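Review bot: this recipe applies backports for CVE-2021-36084 and CVE-2021-36085 only. The secilc recipe later in this change tags CVE-2021-36087, but with a documentation-only patch, and secilc is a front end for the CIL compiler that lives in libsepol (the CVE-2021-36084 backtrace above runs through `libsepol/cil/src/cil_verify.c`), so a code fix for CVE-2021-36087 would have to be added to this recipe's SRC_URI. Either add it here or record in the commit message why libsepol 3.0 is not affected. `SRC_URI[md5sum]` is redundant next to `sha256sum` and can be dropped.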
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans.inc
new file mode 100755
index 0000000..b9c670b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans.inc
@@ -0,0 +1,51 @@
+SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"
+DESCRIPTION = "\
+mcstrans provides an translation daemon to translate SELinux categories \
+from internal representations to user defined representation."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://mcstrans-de-bashify.patch \
+            file://mcstrans-fix-the-init-script.patch \
+"
+
+inherit systemd update-rc.d
+
+DEPENDS += "libsepol libselinux libcap"
+
+# We do not need "${D}/" as a prefix anymore.
+EXTRA_OEMAKE += "SBINDIR=${base_sbindir} INITDIR=${sysconfdir}/init.d"
+
+do_install_append() {
+    install -d ${D}${sbindir}
+    install -m 755 utils/untranscon ${D}${sbindir}/
+    install -m 755 utils/transcon ${D}${sbindir}/
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d ${localstatedir}/run/setrans - - - -" \
+            > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
+    else
+        install -d ${D}${sysconfdir}/default/volatiles
+        echo "d root root 0755 /var/run/setrans none" \
+            >${D}${sysconfdir}/default/volatiles/80_mcstrans
+    fi
+    install -d ${D}${datadir}/mcstrans
+    cp -r share/* ${D}${datadir}/mcstrans/.
+}
+
+SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
+INITSCRIPT_PACKAGES = "mcstrans"
+INITSCRIPT_NAME_mcstrans = "mcstrans"
+INITSCRIPT_PARAMS_mcstrans = "defaults"
+
+pkg_postinst_mcstrans () {
+    if [ -z "$D" ]; then
+        if command -v systemd-tmpfiles >/dev/null; then
+            systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
+        elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+            ${sysconfdir}/init.d/populate-volatile.sh update
+        fi
+    fi
+}
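Review bot: the sysvinit branch of `do_install_append` hardcodes `/var/run/setrans` in the volatiles entry while the systemd branch uses `${localstatedir}/run/setrans`; use `${localstatedir}/run` in both so the two paths cannot diverge. `transcon` and `untranscon` are installed into `${sbindir}` while `EXTRA_OEMAKE` places the daemon in `${base_sbindir}`, so the utilities and the daemon land in different directories; pick one. `pkg_postinst_mcstrans` also calls `systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf` whenever the binary is on PATH, even on an image where that fragment was never installed; test for the file (`[ -e ... ]`) before calling it.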
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
new file mode 100755
index 0000000..27fd677
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
@@ -0,0 +1,31 @@
+From 544b3c078374e5001e7fdc1b7d0b2eafda36f8fe Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 7 Aug 2015 15:16:45 -0400
+Subject: [PATCH] mcstrans: remove dependency on bash in initscript
+
+There were no apparent bashisms in mcstrans.init, so remove the
+dependency on bash.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/mcstrans.init | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mcstrans.init b/src/mcstrans.init
+index 2804ec0..8b4737d 100644
+--- a/src/mcstrans.init
++++ b/src/mcstrans.init
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ #
+ # mcstransd        This starts and stops mcstransd
+ #
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
new file mode 100755
index 0000000..79be090
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
@@ -0,0 +1,32 @@
+From 4d918a9679d2902ca2d41fe769a4d76f07a67b5f Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Wed, 6 Nov 2019 22:13:33 +0800
+Subject: [PATCH] mcstrans: fix the init script
+
+replace daemon with start-stop-daemon, due to not daemon functions
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/mcstrans.init | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mcstrans.init b/src/mcstrans.init
+index 8b4737d..86c89ea 100644
+--- a/src/mcstrans.init
++++ b/src/mcstrans.init
+@@ -51,7 +51,7 @@ start(){
+ 	fi
+ 
+ 	unset HOME MAIL USER USERNAME
+-	daemon $prog "$EXTRAOPTIONS"
++	start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
+ 	RETVAL=$?
+ 	echo
+ 	if test $RETVAL = 0 ; then
+-- 
+2.7.4
+
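Review bot: `start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"` passes the whole of `$EXTRAOPTIONS` as a single argument, so an empty variable hands mcstransd an empty-string argument and two options in one string become one unrecognized option. The Red Hat `daemon` function re-evaluates its arguments through a shell, which is why the original quoting worked; with start-stop-daemon use `$EXTRAOPTIONS` unquoted after `--`, and quote `--exec "$prog"` instead. No `--pidfile` is given either, so confirm the script's stop path still finds the daemon after this change.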
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans_3.0.bb
new file mode 100755
index 0000000..27ddfce
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/mcstrans_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI[md5sum] = "0edc58a4d65425ffa5d58d32bf412352"
+SRC_URI[sha256sum] = "0992b8e7c4de1ba5f98a82547b02418370be5a5f588fc6d5f1cd2c7824bda87e"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils.inc
new file mode 100755
index 0000000..92f7a75
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils.inc
@@ -0,0 +1,174 @@
+SUMMARY = "SELinux policy core utilities"
+DESCRIPTION = "policycoreutils contains the policy core utilities that are required \
+for basic operation of a SELinux system.  These utilities include \
+load_policy to load policies, setfiles to label filesystems, newrole \
+to switch roles, and run_init to run /etc/init.d scripts in the proper \
+context."
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+            file://policycoreutils-fixfiles-de-bashify.patch \
+           "
+
+PAM_SRC_URI = "file://pam.d/newrole \
+               file://pam.d/run_init \
+"
+
+DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
+EXTRA_DEPENDS = "libcap-ng libcgroup"
+DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
+
+inherit selinux python3native
+
+RDEPENDS_${BPN}-fixfiles += "\
+	${BPN}-setfiles \
+	grep \
+	findutils \
+"
+RDEPENDS_${BPN}-genhomedircon += "\
+	${BPN}-semodule \
+"
+RDEPENDS_${BPN}-loadpolicy += "\
+	libselinux \
+	libsepol \
+"
+RDEPENDS_${BPN}-newrole += "\
+	libcap-ng \
+	libselinux \
+"
+RDEPENDS_${BPN}-runinit += "libselinux"
+RDEPENDS_${BPN}-secon += "libselinux"
+RDEPENDS_${BPN}-semodule += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+"
+RDEPENDS_${BPN}-sestatus += "libselinux"
+RDEPENDS_${BPN}-setfiles += "\
+	libselinux \
+	libsepol \
+"
+RDEPENDS_${BPN}-setsebool += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+"
+RDEPENDS_${BPN} += "selinux-python"
+
+PACKAGES =+ "\
+	${PN}-fixfiles \
+	${PN}-genhomedircon \
+	${PN}-hll \
+	${PN}-loadpolicy \
+	${PN}-newrole \
+	${PN}-runinit \
+	${PN}-secon \
+	${PN}-semodule \
+	${PN}-sestatus \
+	${PN}-setfiles \
+	${PN}-setsebool \
+"
+FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
+FILES_${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
+FILES_${PN}-loadpolicy += "\
+	${base_sbindir}/load_policy \
+"
+FILES_${PN}-newrole += "\
+	${bindir}/newrole \
+	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+"
+FILES_${PN}-runinit += "\
+	${base_sbindir}/run_init \
+	${base_sbindir}/open_init_pty \
+	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+"
+FILES_${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
+FILES_${PN}-secon += "${bindir}/secon"
+FILES_${PN}-semodule += "${base_sbindir}/semodule"
+FILES_${PN}-hll += "${prefix}/libexec/selinux/hll/*"
+FILES_${PN}-sestatus += "\
+	${base_sbindir}/sestatus \
+	${sysconfdir}/sestatus.conf \
+"
+FILES_${PN}-setfiles += "\
+	${base_sbindir}/restorecon \
+	${base_sbindir}/restorecon_xattr \
+	${base_sbindir}/setfiles \
+"
+FILES_${PN}-setsebool += "\
+	${base_sbindir}/setsebool \
+	${datadir}/bash-completion/completions/setsebool \
+"
+
+export STAGING_INCDIR
+export STAGING_LIBDIR
+export BUILD_SYS
+export HOST_SYS
+
+PACKAGECONFIG_class-target ?= "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
+        audit \
+"
+
+PACKAGECONFIG[libpam] = ",,libpam,"
+PACKAGECONFIG[audit] = ",,audit,"
+
+EXTRA_OEMAKE += "\
+        ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \
+        ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \
+        INOTIFYH=n \
+        PREFIX=${D} \
+        SBINDIR=${base_sbindir} \
+"
+
+BBCLASSEXTEND = "native"
+
+PCU_NATIVE_CMDS = "setfiles semodule hll"
+
+do_compile_class-native() {
+	for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+		oe_runmake -C $PCU_CMD \
+			INCLUDEDIR='${STAGING_INCDIR}' \
+			LIBDIR='${STAGING_LIBDIR}'
+	done
+}
+
+sysroot_stage_dirs_append_class-native() {
+	cp -R $from/${prefix}/libexec $to/${prefix}/libexec
+}
+
+do_compile_prepend() {
+	export PYTHON=python3
+	export PYLIBVER='python${PYTHON_BASEVERSION}'
+	export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
+	export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
+	export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
+}
+
+do_install_prepend() {
+	export PYTHON=python3
+	export SBINDIR="${D}/${base_sbindir}"
+}
+
+do_install_class-native() {
+	for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+	     oe_runmake -C $PCU_CMD install \
+			DESTDIR="${D}" \
+			PREFIX="${prefix}" \
+			SBINDIR="${base_sbindir}"
+	done
+}
+
+do_install_append_class-target() {
+	if [ -e ${WORKDIR}/pam.d ]; then
+		install -d ${D}${sysconfdir}/pam.d/
+		install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+	fi
+
+	# /var/lib/selinux is involved by seobject.py:
+	#   + dirname = "/var/lib/selinux"
+	# and it's required for running command:
+	#   $ semanage permissive [OPTS]
+	install -d ${D}${localstatedir}/lib/selinux
+}
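Review bot: `${prefix}/libexec` is spelled out in `FILES_${PN}-dbg`, `FILES_${PN}-hll` and `sysroot_stage_dirs_append_class-native`; use `${libexecdir}` so a distro that overrides libexecdir still packages and stages the hll helpers. `DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"` is hard to read for what it does; `DEPENDS_append_class-target = " libcap-ng libcgroup"` says the same thing in the overrides syntax the file already uses. The `RDEPENDS_${BPN}-*` assignments also mix `BPN` with the `${PN}-*` names used by `PACKAGES` and `FILES`; they coincide for the target build only by accident, so use `${PN}` throughout.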
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/newrole b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/newrole
new file mode 100755
index 0000000..cbf5d55
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/newrole
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	common-auth
+account    include	common-account
+password   include	common-password
+session    include	common-session
+session    optional	pam_xauth.so
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/run_init b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/run_init
new file mode 100755
index 0000000..cbf5d55
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/pam.d/run_init
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	common-auth
+account    include	common-account
+password   include	common-password
+session    include	common-session
+session    optional	pam_xauth.so
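Review bot: this file is byte-for-byte identical to `pam.d/newrole` (both are blob cbf5d55), including `session optional pam_xauth.so`. pam_xauth forwards the invoking user's X authority cookie into the new session, which is reasonable for `newrole` (an interactive shell in another role) but has no use for `run_init`, which starts init scripts in the init context; drop that line here so an init script launched from an X session is not handed the administrator's xauth cookie.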
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
new file mode 100755
index 0000000..70cdd4f
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
@@ -0,0 +1,89 @@
+From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 20 Feb 2015 17:00:19 -0500
+Subject: [PATCH] fixfiles: de-bashify
+
+Most of the bashisms in fixfiles are pretty easy to work around, the only
+complex one is the use of PIPESTATUS.  The common solution to this is to
+use fifos but considering the action this script is performing, that's not
+necessarily the best option here.  Introducing a second invocation of rpm
+is minimal overhead on an operation that should happen very infrequently,
+so we'll try that instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ scripts/fixfiles | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/scripts/fixfiles b/scripts/fixfiles
+index 1aa330f..a10837d 100755
+--- a/scripts/fixfiles
++++ b/scripts/fixfiles
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # fixfiles
+ #
+ # Script to restore labels on a SELinux box
+@@ -27,7 +27,7 @@ set -o nounset
+ # number if the current kernel version is greater than 2.6.30, a negative
+ # number if the current is less than 2.6.30 and 0 if they are the same.
+ #
+-function useseclabel {
++useseclabel () {
+ 	VER=`uname -r`
+ 	SUP=2.6.30
+ 	expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+@@ -93,9 +93,10 @@ exclude_dirs_from_relabelling() {
+ 	  # skip not absolute path
+ 	  # skip not directory
+ 	  [ -z "${i}" ] && continue
+-	  [[ "${i}" =~ ^[[:blank:]]*# ]] && continue
+-	  [[ ! "${i}" =~ ^/.* ]] && continue
+-	  [[ ! -d "${i}" ]] && continue
++	  echo "${i}" | egrep -q '^[[:space:]]*#' && continue
++	  echo "${i}" | egrep -v '^/.*' && continue
++	  [ ! -d "${i}" ] && continue
++
+ 	  exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ 	done < /etc/selinux/fixfiles_exclude_dirs
+     fi
+@@ -138,7 +139,7 @@ fi
+ # Log directories excluded from relabelling by configuration file
+ #
+ LogExcluded() {
+-for i in ${EXCLUDEDIRS//-e / }; do
++for i in `echo ${EXCLUDEDIRS} | sed -e 's/-e / /g'`; do
+     echo "skipping the directory $i"
+ done
+ }
+@@ -201,8 +202,12 @@ fi
+ }
+ 
+ rpmlist() {
+-rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+-[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
++    if rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" >/dev/null
++    then
++        rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
++    else
++        echo "$1 not found" >/dev/stderr
++    fi
+ }
+ 
+ #
+@@ -276,7 +281,7 @@ relabel() {
+ 	exit 1
+     fi
+ 
+-    if [ $fullFlag == 1  ]; then
++    if [ $fullFlag = 1  ]; then
+ 	fullrelabel
+ 	return
+     fi
+-- 
+2.13.0
+
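Review bot: in the `exclude_dirs_from_relabelling` hunk, `echo "${i}" | egrep -v '^/.*' && continue` is missing `-q`, so every non-absolute entry of /etc/selinux/fixfiles_exclude_dirs is printed to stdout as a side effect of the test, and the inverted match reads backwards compared with the line it replaces (`[[ ! "${i}" =~ ^/.* ]] && continue`). `echo "${i}" | grep -q '^/' || continue` keeps the original meaning silently; `egrep` is also deprecated in favour of `grep -E`. In the `rpmlist` hunk, `>/dev/stderr` can be written `>&2`, which does not depend on /dev/stderr existing in a minimal rootfs.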
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils_3.0.bb
new file mode 100755
index 0000000..a4e0287
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/policycoreutils_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "7e95941f1ac00b25b69c7157d49a375f"
+SRC_URI[sha256sum] = "3379c9bd722e36be9bf8856c6fa373bfa9b33305ac9da5fc807cfe7fa605f489"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond.inc
new file mode 100755
index 0000000..d168303
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond.inc
@@ -0,0 +1,24 @@
+SUMMARY = "Daemon to watch for file creation and set default file context"
+DESCRIPTION = "\
+The restorecond daemon uses inotify to watch files listed in the \
+/etc/selinux/restorecond.conf, when they are created, this daemon \
+will make sure they have the correct file context associated with \
+the policy."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
+"
+
+inherit systemd update-rc.d
+
+DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
+
+FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
+"
+
+SYSTEMD_SERVICE_restorecond = "restorecond.service"
+INITSCRIPT_PACKAGES = "restorecond"
+INITSCRIPT_NAME_restorecond = "restorecond"
+INITSCRIPT_PARAMS_restorecond = "defaults"
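Review bot: `pkgconfig-native` is listed in DEPENDS; the usual form is `inherit pkgconfig`, which also exports the sysroot-aware PKG_CONFIG variables to the build. The only patch carried here is marked Inappropriate by its own header because O_CLOEXEC has been in Linux since 2007 and POSIX since 2008; if it is kept, the recipe should say which target toolchain actually lacks the macro, otherwise drop it from SRC_URI.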
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
new file mode 100755
index 0000000..83250eb
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,48 @@
+From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 6 Nov 2019 23:17:50 +0800
+Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
+
+Various commits in the selinux tree in the current release added
+O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
+as described:
+
+  http://danwalsh.livejournal.com/53603.html
+
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available.
+The actual impact of leaking these file descriptors is minimal, though
+it does produce curious AVC Denied messages.
+
+Upstream-Status: Inappropriate
+[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ user.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/user.c b/user.c
+index 714aae7..bbf018e 100644
+--- a/user.c
++++ b/user.c
+@@ -202,7 +202,13 @@ static int local_server(void) {
+ 			perror("asprintf");
+ 		return -1;
+ 	}
+-	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
++	#ifdef O_CLOEXEC
++		| O_CLOEXEC
++	#else
++		#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++	#endif
++		, S_IRUSR | S_IWUSR);
+ 	if (debug_mode)
+ 		g_warning ("Lock file: %s", ptr);
+ 
+-- 
+2.7.4
+
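Review bot: the `#else` branch only emits a `#warning` and leaves the lock descriptor without O_CLOEXEC, so on any platform where the macro is missing the fd is inherited across exec, which is exactly the leak the upstream commits closed and the cause of the "curious AVC Denied messages" the header mentions. Both glibc and musl define O_CLOEXEC, so in practice the branch is never taken. Given the header's own `Upstream-Status: Inappropriate`, drop the patch; if it must stay, fall back to `fcntl(local_lock_fd, F_SETFD, FD_CLOEXEC)` after the `open()` instead of silently leaking.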
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond_3.0.bb
new file mode 100755
index 0000000..8c840c9
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/restorecond_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "f32edbd8a1f724ef1e4fa70bf9e22685"
+SRC_URI[sha256sum] = "32a92c9f4bf48c613f9f467ced58d8c369eec8892239cd44d5d0e139b41926dc"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc.inc
new file mode 100755
index 0000000..e263f11
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc.inc
@@ -0,0 +1,11 @@
+SUMMARY = "SELinux Common Intermediate Language (CIL) compiler"
+DESCRIPTION = "\
+This package contains secilc, the SELinux Common Intermediate \
+Language (CIL) compiler."
+
+SECTION = "base"
+LICENSE = "BSD"
+
+DEPENDS += "libsepol xmlto-native"
+
+BBCLASSEXTEND = "native"
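Review bot: `LICENSE = "BSD"` is the generic family name, not a specific identifier; the license check wants the SPDX id that matches the COPYING file whose checksum secilc_3.0.bb records (BSD-2-Clause or BSD-3-Clause, whichever the text actually is).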
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc/CVE-2021-36087.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc/CVE-2021-36087.patch
new file mode 100755
index 0000000..ad7bf9b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc/CVE-2021-36087.patch
@@ -0,0 +1,134 @@
+From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 19 Apr 2021 09:06:15 -0400
+Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks
+
+Update the documentation for macros, booleans, booleanifs, tunables,
+tunableifs, blocks, blockabstracts, blockinherits, and optionals to
+tell where these statements can be used and, for those that have
+blocks, what statements are not allowed in them.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36087
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ docs/cil_call_macro_statements.md  |  2 ++
+ docs/cil_conditional_statements.md |  6 +++++
+ docs/cil_container_statements.md   | 28 +++++++++++++++--------
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+Index: secilc-3.0/docs/cil_call_macro_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_call_macro_statements.md
++++ secilc-3.0/docs/cil_call_macro_statements.md
+@@ -54,6 +54,8 @@ Note that when resolving macros the call
+ 
+ -   Items defined in the global namespace
+ 
++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
++
+ **Statement definition:**
+ 
+     (macro macro_id ([(param_type param_id) ...])
+Index: secilc-3.0/docs/cil_conditional_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_conditional_statements.md
++++ secilc-3.0/docs/cil_conditional_statements.md
+@@ -6,6 +6,8 @@ boolean
+ 
+ Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.
+ 
++[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
++
+ **Statement definition:**
+ 
+     (boolean boolean_id true|false)
+@@ -120,6 +122,8 @@ Tunables are similar to booleans, howeve
+ 
+ Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags.
+ 
++Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.
++
+ **Statement definition:**
+ 
+     (tunable tunable_id true|false)
+@@ -156,6 +160,8 @@ tunableif
+ 
+ Compile time conditional statement that may or may not add CIL statements to be compiled.
+ 
++If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.
++
+ **Statement definition:**
+ 
+     (tunableif tunable_id | expr ...)
+Index: secilc-3.0/docs/cil_container_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_container_statements.md
++++ secilc-3.0/docs/cil_container_statements.md
+@@ -4,7 +4,11 @@ Container Statements
+ block
+ -----
+ 
+-Start a new namespace where any CIL statement is valid.
++Start a new namespace.
++
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
++
++[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.
+ 
+ **Statement definition:**
+ 
+@@ -45,6 +49,8 @@ blockabstract
+ 
+ Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.
+ 
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
++
+ **Statement definition:**
+ 
+     (block block_id
+@@ -93,6 +99,8 @@ blockinherit
+ 
+ Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
+ 
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
++
+ **Statement definition:**
+ 
+     (block block_id
+@@ -191,15 +199,11 @@ This example contains a template `client
+ optional
+ --------
+ 
+-Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid:
++Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy.
+ 
+-|                     |                |                    |                    |
+-| ------------------- | -------------- | ------------------ | ------------------ |
+-| [`allow`](cil_access_vector_rules.md#allow)             | [`allowx`](cil_access_vector_rules.md#allowx)       | [`auditallow`](cil_access_vector_rules.md#auditallow)       | [`auditallowx`](cil_access_vector_rules.md#auditallowx)      |
+-| [`booleanif`](cil_conditional_statements.md#booleanif)         | [`dontaudit`](cil_access_vector_rules.md#dontaudit)    | [`dontauditx`](cil_access_vector_rules.md#dontauditx)       | [`typepermissive`](cil_type_statements.md#typepermissive)   |
+-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition)   | [`role`](cil_role_statements.md#role)         | [`roleallow`](cil_role_statements.md#roleallow)        | [`roleattribute`](cil_role_statements.md#roleattribute)    |
+-| [`roletransition`](cil_role_statements.md#roletransition)    | [`type`](cil_type_statements.md#type)         | [`typealias`](cil_type_statements.md#typealias)        | [`typeattribute`](cil_type_statements.md#typeattribute)    |
+-| [`typechange`](cil_type_statements.md#typechange)        | [`typemember`](cil_type_statements.md#typemember)   | [`typetransition`](cil_type_statements.md#typetransition)   |                    |
++Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
++
++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.
+ 
+ **Statement definition:**
+ 
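Review bot: the replacement paragraph silently changes which statements are banned inside `optional`: the removed line said `tunableif` and `macro` are not allowed, while the added line lists `tunable`, `in`, `block`, `blockabstract` and `macro` and no longer mentions `tunableif`. The table of kernel policy statements valid inside `optional` is also removed without a replacement. If `tunableif` is now permitted in `optional` blocks, state that explicitly in the new text; otherwise keep it in the list so the documentation does not loosen a restriction the compiler still enforces.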
+@@ -254,7 +258,11 @@ This example will instantiate the option
+ in
+ --
+ 
+-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
++Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)).
++
++Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.
++
++[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.
+ 
+ **Statement definition:**
+ 
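Review bot: the two added sentences overlap. `Not allowed in macro, booleanif, and other in blocks.` already says an `in` statement cannot appear inside another `in` block, and `tunable and in statements are not allowed in in blocks.` repeats that for `in`. Fold them into one statement, for example keep the first sentence and reduce the second to the `tunable` restriction. The removed line also said `in` is not allowed in `tunableif`; if that still holds it should survive the rewrite.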
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc_3.0.bb
new file mode 100755
index 0000000..aa7d897
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/secilc_3.0.bb
@@ -0,0 +1,9 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+SRC_URI += "file://CVE-2021-36087.patch"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
+
+SRC_URI[md5sum] = "be7ec221b874053a843ef90e49daa5cf"
+SRC_URI[sha256sum] = "78fafc4a8a8a212663d3d1e181047f5605430f0a0577ff772a4bb7fecd2b42b0"
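Review bot: `SRC_URI += "file://CVE-2021-36087.patch"` pulls in a security fix, but the patch file is not part of this hunk so its header cannot be checked here. Make sure it carries a `CVE: CVE-2021-36087` tag and an `Upstream-Status:` line; without the `CVE:` tag cve-check will keep reporting the issue as unpatched for this 3.0 recipe even though the fix is applied.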
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
new file mode 100755
index 0000000..9520f6e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux autorelabel service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-autorelabel.sh
+
+[Install]
+WantedBy=multi-user.target
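Review bot: this unit sets `DefaultDependencies=no` and `Before=sysinit.target` but declares no `After=` ordering, unlike `selinux-init.service` in this same change, which adds `After=local-fs.target`. Without it, `selinux-autorelabel.sh` can start before the root filesystem is remounted read-write and before other filesystems are mounted, so `fixfiles` may skip mounts and `rm -f /.autorelabel` can fail, which triggers a relabel and reboot on every boot. Add `After=local-fs.target`, and consider `ConditionPathExists=/.autorelabel` so the unit does not run at all on normal boots.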
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100755
index 0000000..25b6921
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${FIXFILES} ${SETENFORCE}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+	${SETENFORCE} 0
+	${FIXFILES} -F -f relabel
+	/bin/rm -f /.autorelabel
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
+
+exit 0
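Review bot: the exit status of `${FIXFILES} -F -f relabel` is never checked before `/bin/rm -f /.autorelabel` and `/sbin/reboot`, so a failed or interrupted relabel still removes the trigger file and reboots into a mislabelled system with no retry. Test the return value and, on failure, leave `/.autorelabel` in place and print a message instead of rebooting. Note also that `${SETENFORCE} 0` drops the system to permissive and nothing in the script restores enforcing mode; that is only safe because the reboot follows unconditionally, which is another reason to keep the failure path explicit.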
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel_0.1.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel_0.1.bb
new file mode 100755
index 0000000..b898c3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -0,0 +1,26 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+		file://${BPN}.service \
+	"
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
+
+do_install_append() {
+	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+		echo "# first boot relabelling" > ${D}/.autorelabel
+	fi
+}
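Review bot: `${PN}_RDEPENDS = " \` is not a variable BitBake recognises; runtime dependencies are declared as `RDEPENDS_${PN}`. As written, `policycoreutils-setfiles`, the only runtime dependency this recipe tries to declare, is silently dropped, and the missing-binary check in selinux-autorelabel.sh will fire at boot on a minimal image. The same typo appears in selinux-init_0.1.bb and selinux-labeldev_0.1.bb in this change. Separately, `do_install_append()` only creates `/.autorelabel` for systemd images; if sysvinit images are meant to rely on the `kernel_t` detection in selinux-init.sh.sysvinit instead, a comment saying so would help.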
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus.inc
new file mode 100755
index 0000000..62e45b7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus.inc
@@ -0,0 +1,14 @@
+SUMMARY = "SELinux dbus service files"
+DESCRIPTION = "\
+Provide SELinux dbus service files and scripts."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+RDEPENDS_${PN} += "python3-core selinux-python-sepolicy"
+
+FILES_${PN} += "\
+        ${datadir}/system-config-selinux/selinux_server.py \
+        ${datadir}/polkit-1/actions/org.selinux.policy \
+        ${datadir}/dbus-1/system-services/org.selinux.service \
+"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus_3.0.bb
new file mode 100755
index 0000000..afae77b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-dbus_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "775f058ea19f424d99ce3bd13297234c"
+SRC_URI[sha256sum] = "95d75603444c3eeaebf25da3de6febb6e1567d5f5d93cde5a4b73c88ef6c4f28"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui.inc
new file mode 100755
index 0000000..725eb23
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui.inc
@@ -0,0 +1,15 @@
+SUMMARY = "SELinux GUI tools"
+DESCRIPTION = "\
+Provide SELinux Management tool (system-config-selinux) and SELinux \
+Policy Generation Tool (selinux-polgengui)"
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+RDEPENDS_${PN} += "python3-core"
+
+FILES_${PN} += " \
+        ${datadir}/system-config-selinux/* \
+        ${datadir}/icons/hicolor/* \
+        ${datadir}/polkit-1/actions/org.selinux.config.policy \
+"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui_3.0.bb
new file mode 100755
index 0000000..e937836
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-gui_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "988a564eccc01feb8cc6fa49630efc6d"
+SRC_URI[sha256sum] = "e9e9b599950a30857b0954bf10853ea50efb7de68a5ae756a27b8d03ccc44348"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.service b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.service
new file mode 100755
index 0000000..49c6d98
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SELinux init service loading
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-init.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh
new file mode 100755
index 0000000..f93d231
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+check_rootfs()
+{
+	${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+	echo ""
+	echo "* SELinux requires the root '/' filesystem support extended"
+	echo "  filesystem attributes (XATTRs).  It does not appear that this"
+	echo "  filesystem has extended attribute support or it is not enabled."
+	echo ""
+	echo "  - To continue using SELinux you will need to enable extended"
+	echo "    attribute support on the root device."
+	echo ""
+	echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
+	echo "    command line."
+	echo ""
+	echo "* Halting the system now."
+	/sbin/shutdown -f -h now
+}
+
+# sysvinit firstboot relabel placeholder HERE
+
+exit 0
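Review bot: `check_rootfs()` is defined but nothing in this script calls it; it is only reached from the `selinux-init.sh.sysvinit` fragment that selinux-initsh.inc splices in at the `# sysvinit firstboot relabel placeholder HERE` line, and for the `${bindir}` copy used by systemd that marker is simply deleted. On systemd images this script therefore only verifies that the five binaries exist and exits 0, so the XATTR check and its halt never run there. Either call `check_rootfs` unconditionally before the placeholder, or document that systemd images get their root-filesystem check elsewhere.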
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
new file mode 100755
index 0000000..d4f3f71
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+	echo "Checking SELinux security contexts:"
+	check_rootfs
+	echo " * First booting, filesystem will be relabeled..."
+	test -x /etc/init.d/auditd && /etc/init.d/auditd start
+	${SETENFORCE} 0
+	${RESTORECON} -RF /
+	${RESTORECON} -F /
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
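Review bot: `${RESTORECON} -RF /` is followed by an unconditional `/sbin/reboot`; if restorecon fails, init will still run as `kernel_t` on the next boot and the machine reboots in a loop. Check the return status and fall back to the same halt-with-message path that `check_rootfs` uses. The following `${RESTORECON} -F /` appears redundant with the recursive pass, which already relabels `/` itself; if it is there for a specific reason a comment would help.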
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init_0.1.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init_0.1.bb
new file mode 100755
index 0000000..78f571c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-init_0.1.bb
@@ -0,0 +1,25 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-secon \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = " \
+    file://${BPN}.sh \
+    file://${BPN}.sh.sysvinit \
+    file://${BPN}.service \
+"
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
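Review bot: `${PN}_RDEPENDS = " \` should be `RDEPENDS_${PN}`; BitBake treats the current spelling as an unrelated variable, so none of `coreutils`, `libselinux-bin`, `policycoreutils-secon` or `policycoreutils-setfiles` become runtime dependencies of the package, and the `chcon`/`matchpathcon`/`restorecon`/`secon`/`setenforce` check at the top of selinux-init.sh will exit 1 on a minimal image.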
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-initsh.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-initsh.inc
new file mode 100755
index 0000000..0a6cf4b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-initsh.inc
@@ -0,0 +1,41 @@
+S ?= "${WORKDIR}"
+SECTION ?= "base"
+
+# Default is for script name to be the same as the recipe name.
+# Script must have .sh suffix.
+SELINUX_SCRIPT_SRC ?= "${BPN}"
+SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
+
+INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
+INITSCRIPT_PARAMS ?= "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
+
+PACKAGE_ARCH ?= "${MACHINE_ARCH}"
+
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
+
+FILES_${PN} += "/.autorelabel"
+
+do_install () {
+	install -d ${D}${sysconfdir}/init.d/
+	install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+	# Insert the relabelling code which is only needed with sysvinit
+	sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+	       -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+	       ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${systemd_unitdir}/system
+        install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+        install -d ${D}${bindir}
+        install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+        sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+    fi
+}
+
+sysroot_stage_all_append () {
+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
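Review bot: `do_install ()` mixes tab indentation in its first half with four-space indentation in the `if ${@bb.utils.contains(...)}` block; pick one. The splice `sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit'` silently inserts nothing when no `.sh.sysvinit` file ships (selinux-autorelabel and selinux-labeldev), which is fine, but the systemd branch's `sed -i -e '/.*HERE$/d'` means the `${bindir}` copy deliberately never receives the sysvinit fragment; a one-line comment stating that intent would save the next reader a trip through both scripts. Also, `CONFFILES_${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"` marks the init script as a configuration file, so a locally edited copy will not be replaced on package upgrade; confirm that is wanted for a boot-time security script.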
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
new file mode 100755
index 0000000..d45ecbc
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux init for /dev service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-labeldev.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
new file mode 100755
index 0000000..62e7a42
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
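Review bot: the comment `# would can not use it, including restorecon.` reads as a leftover edit; `# cannot use it, including restorecon.` Beyond style, the two `${CHCON} -t \`${MATCHPATHCON} -n ... | cut -d: -f3\`` lines and the final `${RESTORECON} -RF /dev` have no error handling, so if the policy has no entry for `/dev/console` or restorecon fails the script still exits 0 and later services silently lose the console. Fail loudly, as the binary check above already does.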
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev_0.1.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev_0.1.bb
new file mode 100755
index 0000000..8eb5db4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-labeldev_0.1.bb
@@ -0,0 +1,19 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+		file://${BPN}.service \
+	"
+
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc
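Review bot: `${PN}_RDEPENDS = " \` should be `RDEPENDS_${PN}`; as written `coreutils`, `libselinux-bin` and `policycoreutils-setfiles` are not installed with this package, and selinux-labeldev.sh exits 1 at boot when `chcon`, `matchpathcon` or `restorecon` is missing.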
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python.inc
new file mode 100755
index 0000000..e690ac5
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python.inc
@@ -0,0 +1,107 @@
+SUMMARY = "Python modules and various SELinux utilities."
+DESCRIPTION = "\
+This package contains Python modules sepolgen, sepolicy; And the \
+SELinux utilities audit2allow, chcat, semanage ..."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://fix-sepolicy-install-path.patch"
+
+inherit python3native
+
+DEPENDS += "python3 libsepol"
+RDEPENDS_${BPN}-audit2allow += "\
+        python3-core \
+        libselinux-python \
+        ${BPN}-sepolgen \
+"
+RDEPENDS_${BPN}-chcat += "\
+        python3-core \
+        python3-codecs \
+        python3-shell \
+        python3-stringold \
+        python3-unixadmin \
+        libselinux-python \
+        ${BPN} \
+"
+RDEPENDS_${BPN} += "\
+        python3-core \
+        python3-codecs \
+        python3-io \
+        python3-ipy \
+        python3-stringold \
+        python3-syslog \
+        python3-unixadmin \
+        libselinux-python \
+        libsemanage-python \
+        setools \
+"
+RDEPENDS_${BPN}-semanage += "\
+        python3-core \
+        python3-ipy \
+        python3-compression \
+        python3-xml \
+        python3-misc \
+        libselinux-python \
+        ${BPN} \
+"
+RDEPENDS_${BPN}-sepolicy += "\
+        python3-core \
+        python3-codecs \
+        python3-syslog \
+        ${BPN} \
+"
+RDEPENDS_${BPN}-sepolgen-ifgen += "\
+        python3-core \
+        libselinux-python \
+"
+
+PACKAGES =+ "\
+        ${PN}-audit2allow \
+        ${PN}-sepolgen-ifgen \
+        ${PN}-chcat \
+        ${PN}-semanage \
+        ${PN}-sepolgen \
+        ${PN}-sepolicy \
+"
+FILES_${PN}-audit2allow = "\
+        ${bindir}/audit2allow \
+        ${bindir}/audit2why \
+"
+FILES_${PN}-chcat = "\
+        ${bindir}/chcat \
+"
+FILES_${PN}-semanage = "\
+        ${sbindir}/semanage \
+        ${datadir}/bash-completion/completions/semanage \
+"
+# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy
+FILES_${PN}-sepolicy += "\
+        ${bindir}/sepolgen \
+        ${bindir}/sepolicy \
+        ${datadir}/bash-completion/completions/sepolicy \
+"
+FILES_${PN}-sepolgen-ifgen += "\
+        ${bindir}/sepolgen-ifgen \
+        ${bindir}/sepolgen-ifgen-attr-helper \
+"
+FILES_${PN}-sepolgen += "\
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
+        ${localstatedir}/lib/sepolgen/perm_map \
+"
+
+FILES_${PN} += "\
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
+"
+
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+do_install() {
+        oe_runmake DESTDIR="${D}" \
+                PYLIBVER='python${PYTHON_BASEVERSION}' \
+                PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
+                install
+}
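Review bot: runtime dependencies are declared on `RDEPENDS_${BPN}-audit2allow` and the other `RDEPENDS_${BPN}-...` variables, while `PACKAGES` and the `FILES_` entries use `${PN}-...`. The two only agree while PN equals BPN; use `${PN}` throughout so the split stays aligned if the recipe is ever class-extended or built under multilib. A smaller point: `FILES_${PN}-sepolicy += "\` appends while `FILES_${PN}-audit2allow = "\` assigns; harmless here, but consistent assignment makes the package split easier to audit.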
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
new file mode 100755
index 0000000..527e02c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
@@ -0,0 +1,30 @@
+From e8fdfdf96a84209118deff7782cf82f8187af6c5 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 23 Sep 2013 21:17:59 +0800
+Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ sepolicy/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 69f29fa..b474d80 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -27,7 +27,7 @@ test:
+ 	@$(PYTHON) test_sepolicy.py -v
+ 
+ install:
+-	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install --prefix=$(PREFIX) --root=$(DESTDIR) --install-lib=$(PYTHONLIBDIR) --no-compile
+ 	[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
+ 	install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
+ 	(cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
+-- 
+2.7.4
+
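Review bot: the new install line passes `--root=$(DESTDIR)` unconditionally, whereas the removed line only added `--root` when DESTDIR was non-empty (`test -n "$(DESTDIR)" && echo --root $(DESTDIR)`). With DESTDIR unset, setup.py now receives an empty `--root=`, which may relocate the install relative to the working directory. The recipe's `do_install()` always sets `DESTDIR="${D}"`, so the OE build is unaffected, but the patch description should say it relies on that, given it is marked `Upstream-Status: Inappropriate`.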
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python_3.0.bb
new file mode 100755
index 0000000..8222d28
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-python_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "aa018c9b1b26034f84f3f427adac08be"
+SRC_URI[sha256sum] = "43c08fa881ccc64251d396b1ac6c56b354bf98421b4ec937d54a8db190135494"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox.inc
new file mode 100755
index 0000000..c8e335a
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox.inc
@@ -0,0 +1,27 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS_${PN} += "\
+        python3-core \
+        python3-math \
+        python3-shell \
+        python3-unixadmin \
+        libselinux-python \
+        selinux-python \
+"
+
+FILES_${PN} += "\
+        ${datadir}/sandbox/sandboxX.sh \
+        ${datadir}/sandbox/start \
+"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
new file mode 100755
index 0000000..e9622f0
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -0,0 +1,41 @@
+From b92c39f0be5552c19923f75aef4487348a08b7dc Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 20 Feb 2015 21:07:47 -0500
+Subject: [PATCH] sandbox: de-bashify
+
+There's no bashisms apparent in either the sandbox initscript nor the
+sandboxX script, so point them at /bin/sh instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ sandbox.init | 2 +-
+ sandboxX.sh  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox.init b/sandbox.init
+index b3979bf..1893dc8 100644
+--- a/sandbox.init
++++ b/sandbox.init
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ ## BEGIN INIT INFO
+ # Provides: sandbox
+ # Default-Start: 3 4 5
+diff --git a/sandboxX.sh b/sandboxX.sh
+index eaa500d..8755d75 100644
+--- a/sandboxX.sh
++++ b/sandboxX.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ trap "" TERM
+ context=`id -Z | secon -t -l -P`
+ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+-- 
+2.7.4
+
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox_3.0.bb
new file mode 100755
index 0000000..a60f52c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux-sandbox_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "81447c46bf4cae9a5fa38c5fb8dc923e"
+SRC_URI[sha256sum] = "66fb4ea3a9e3d1e6004f13666b8390be751dd226a8496b995ed0332788758d0a"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_20191204.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_20191204.inc
new file mode 100755
index 0000000..113fc30
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_20191204.inc
@@ -0,0 +1,8 @@
+SELINUX_RELEASE = "20191204"
+
+SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz"
+
+UPSTREAM_CHECK_URI = "https://github.com/SELinuxProject/selinux/releases"
+UPSTREAM_CHECK_REGEX = "libselinux-(?P<pver>.+)\.tar\.gz"
+
+require selinux_common.inc
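Review bot: `UPSTREAM_CHECK_REGEX = "libselinux-(?P<pver>.+)\.tar\.gz"` hardcodes `libselinux`, yet this file is required by secilc, selinux-dbus, selinux-gui, selinux-python, selinux-sandbox and semodule-utils in this same change, so each of them would report libselinux's version during upstream checks. Use `${BPN}-(?P<pver>.+)\.tar\.gz` to match the `${BPN}-${PV}.tar.gz` naming already used in `SRC_URI` above.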
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_common.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_common.inc
new file mode 100755
index 0000000..f6c4a6b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/selinux_common.inc
@@ -0,0 +1,15 @@
+HOMEPAGE = "https://github.com/SELinuxProject"
+
+do_compile() {
+    oe_runmake all
+}
+
+do_install() {
+    oe_runmake install \
+            DESTDIR="${D}" \
+            PREFIX="${prefix}" \
+            INCLUDEDIR="${includedir}" \
+            LIBDIR="${libdir}" \
+            SHLIBDIR="${base_libdir}" \
+            SYSTEMDDIR="${systemd_unitdir}"
+}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils.inc b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils.inc
new file mode 100755
index 0000000..23cbd14
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils.inc
@@ -0,0 +1,26 @@
+SUMMARY = "Utilities to manipulate SELinux policy module package"
+DESCRIPTION = "\
+The utilities to create, expand, link and show the dependencies between \
+the SELinux policy module packages."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+DEPENDS += "libsepol"
+RDEPENDS_${PN}-dev = ""
+
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+PACKAGES =+ "\
+        ${PN}-semodule-expand \
+        ${PN}-semodule-link \
+        ${PN}-semodule-package \
+"
+FILES_${PN}-semodule-expand += "${bindir}/semodule_expand"
+FILES_${PN}-semodule-link += "${bindir}/semodule_link"
+FILES_${PN}-semodule-package += "\
+        ${bindir}/semodule_package \
+        ${bindir}/semodule_unpackage \
+"
+
+BBCLASSEXTEND = "native"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils_3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils_3.0.bb
new file mode 100755
index 0000000..bccc707
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/selinux/semodule-utils_3.0.bb
@@ -0,0 +1,7 @@
+require selinux_20191204.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "58b0e4b85695dad6aff70c69f7a417fd"
+SRC_URI[sha256sum] = "14ee2db21f36766ffbbb65770f8e7236d21675db9f0f5d40f50974711da598cf"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch b/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch
new file mode 100755
index 0000000..51c7603
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch
@@ -0,0 +1,32 @@
+From e0a112874d10dbf741c27b107edddedd86d51529 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Tue, 14 Feb 2017 06:32:35 +0000
+Subject: [PATCH] setools4: fixes for cross compiling
+
+* search libsepol from $STAGING_LIBDIR
+* fix manual install path as '/usr/share/man/man1'
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index ac8a876..df7ebbc 100644
+--- a/setup.py
++++ b/setup.py
+@@ -78,7 +78,7 @@ class QtHelpCommand(Command):
+ 
+ 
+ # Library linkage
+-lib_dirs = ['.', '/usr/lib64', '/usr/lib', '/usr/local/lib']
++lib_dirs = [os.environ["STAGING_LIBDIR"]]
+ include_dirs = []
+ 
+ with suppress(KeyError):
+-- 
+2.7.4
+
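Review bot: the commit message lists two changes (`search libsepol from $STAGING_LIBDIR` and `fix manual install path as '/usr/share/man/man1'`), but the diffstat shows a single one-line change to `setup.py` and no man-path edit, so either the second bullet is stale or part of the patch is missing. Also, `lib_dirs = [os.environ["STAGING_LIBDIR"]]` raises `KeyError` when the variable is unset; `os.environ.get("STAGING_LIBDIR")` with a fallback to the original list would fail more gracefully, and the hunk does not show whether `os` is already imported in this setup.py.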
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools_4.3.0.bb b/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools_4.3.0.bb
new file mode 100755
index 0000000..ec73f7c
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-security/setools/setools_4.3.0.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Policy analysis tools for SELinux"
+DESCRIPTION = "\
+SETools is a collection of graphical tools, command-line tools, and \
+libraries designed to facilitate SELinux policy analysis. \
+\n\
+This meta-package depends upon the main packages necessary to run \
+SETools."
+SECTION = "base"
+LICENSE = "GPLv2 & LGPLv2.1"
+
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.3 \
+           file://setools4-fixes-for-cross-compiling.patch \
+"
+
+SRCREV = "a57ad3cdb669a39f785c4e85d63416a469c8d445"
+
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
+                    file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://${S}/COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
+
+DEPENDS += "bison-native flex-native swig-native python3 python3-cython-native libsepol libselinux"
+
+RDEPENDS_${PN} += "python3-networkx python3-decorator python3-setuptools \
+                   python3-logging python3-json libselinux-python"
+
+RPROVIDES_${PN} += "${PN}-console"
+
+inherit setuptools3
+
+do_install_append() {
+	# Need PyQt5 support, disable gui tools
+	rm -f ${D}${bindir}/apol
+	rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setoolsgui
+	rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/__pycache__
+	rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/*/__pycache__
+}
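Review bot: `SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.3 \` fetches over the unauthenticated `git://` transport, which GitHub no longer serves; add `;protocol=https` so the fetch is encrypted and works against current GitHub. Pinning `SRCREV` to a full commit hash is good and should stay. The comment `# Need PyQt5 support, disable gui tools` would read better as `# The GUI tools need PyQt5, which is not available here; drop them`.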
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_selinux.inc
new file mode 100755
index 0000000..ba0314e
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/attr_selinux.inc
@@ -0,0 +1,5 @@
+inherit selinux
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://fix-ptest-failures-when-selinux-enabled.patch"
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch
new file mode 100755
index 0000000..e1eefa7
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Pending
+
+When enable selinux, file has a default attribute:
+
+# file: here
+security.selinux="system_u:object_r:lib_t:s0"
+
+That cause there is always more output than expected.
+
+Filter out selinux related attribute info to make ptest pass.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+diff --git a/test/run b/test/run
+index cf15252..945741e 100755
+--- a/test/run
++++ b/test/run
+@@ -132,6 +132,23 @@ sub process_test($$$$) {
+        print "[$prog_line] \$ ", join(' ',
+              map { s/\s/\\$&/g; $_ } @$p), " -- ";
+        my $result = exec_test($prog, $in);
++
++       # filter selinux related attributes info
++       my @strip1;
++       my @strip2;
++       foreach (@$result) {
++           unless (/security.selinux=.*\n/) {
++               push @strip1, $_;
++           }
++       }
++       for (my $i = 0; $i <= $#strip1; $i++) {
++           if ($strip1[$i] =~ /^# file:.*/ && $strip1[$i+1] =~ /^\n$/) {
++               $i++;
++           } else {
++               push @strip2, $strip1[$i];
++           }
++       }
++       $result = \@strip2;
+        my @good = ();
+        my $nmax = (@$out > @$result) ? @$out : @$result;
+        for (my $n=0; $n < $nmax; $n++) {
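Review bot: in the embedded Perl change, the filter regex `/security.selinux=.*\n/` leaves the dot unescaped, so it matches any character between `security` and `selinux`; `/^security\.selinux=/` is the precise form and also avoids relying on a trailing newline in the captured line. In the second loop, `$strip1[$i+1]` is read when `$i == $#strip1`, which yields undef on the last element and produces "Use of uninitialized value" warnings if test/run runs with warnings enabled; guard it with `$i < $#strip1 &&` before the second match. Finally, the patch header carries `Upstream-Status: Pending` with no pointer to a submission; if this has been sent upstream, add the reference so the status can be tracked.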
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_2.%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_2.%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_2.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_selinux.inc
new file mode 100755
index 0000000..12571b4
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/gnupg/gnupg_selinux.inc
@@ -0,0 +1,3 @@
+inherit enable-selinux
+# gnupg will not build with libselinux, so remove the depend
+PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,,"
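Review bot: the comment "gnupg will not build with libselinux, so remove the depend" should state what actually fails, so that a future maintainer does not restore the dependency when enable-selinux.bbclass changes its PACKAGECONFIG[selinux] definition; as written, the override leaves both the DEPENDS and RDEPENDS fields empty, which is the intended effect but is not obvious from the comment. Also note that this .inc uses `inherit enable-selinux` while the attr .inc in the same change uses `inherit selinux`; if the difference is deliberate (only the PACKAGECONFIG hook is wanted here), a one-line comment saying so would help readers of the layer.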
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_%.bbappend b/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_%.bbappend
new file mode 100755
index 0000000..7719d3b
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_selinux.inc b/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_selinux.inc
new file mode 100755
index 0000000..3810078
--- /dev/null
+++ b/cap/zx297520v3/sources/meta-selinux/recipes-support/libpcre/libpcre_selinux.inc
@@ -0,0 +1,18 @@
+do_install_append () {
+	# This code creates libpcre for both the dev machine (SDK native)
+	# and for cross-compiling (machine arch). For Linux (SDK Linux native
+	# + all machine arch), symlinks to the .so files have to be created,
+	# but not for the Windows SDK native.
+	if [ ${TARGET_OS} != "mingw32" ]; then
+		if [ ! ${D}${libdir} -ef ${D}${base_libdir} -a -e ${D}${libdir}/libpcre.so ]; then
+			realsofile=`readlink ${D}${libdir}/libpcre.so`
+			mkdir -p ${D}/${base_libdir}/
+			mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
+			relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
+			ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so
+			ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so.1
+		fi
+	fi
+}
+
+FILES_${PN} += "${base_libdir}/libpcre.so.*"
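Review bot: the comment block explains the SDK-native versus target distinction but not why libpcre.so.* is relocated from ${libdir} to ${base_libdir} at all; add the motivation for the move so the reason survives future refactoring. In the code itself, `mkdir -p ${D}/${base_libdir}/` uses a doubled slash while every other path here is written `${D}${base_libdir}`; make them consistent. The second symlink hardcodes the soname in `${D}${libdir}/libpcre.so.1`, so it will silently point at a stale name if the soname changes with an upgrade; derive it from the file names just moved (for example by iterating over `${D}${base_libdir}/libpcre.so.*`) rather than hardcoding `.so.1`. Two smaller shell points: `[ ${TARGET_OS} != "mingw32" ]` should quote the variable, and the combined `[ ! a -ef b -a -e c ]` test uses the obsolescent `-a` operator; two tests joined with `&&` are more portable.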