Enable selinux

Pull in various selinux bits that need modification, and enable them. setools: Needs patching to support cross building policycoreutils: Needs patching to remove python runtime dependency sec-policy/*: We need custom policy modifications In addition, modify selinux-policy-2.eclass to support pulling in selinux includes from the build root rather than /, enable selinux in systemd's use flags and enable selinux support in the kernel.
2025-08-21 14:31:02 +02:00 · 2015-06-26 16:52:47 -07:00 · 2015-06-26 16:52:47 -07:00 · 07aa4a264b
commit 07aa4a264b
parent 4efcf2f2ed
20 changed files with 148 additions and 91 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/setools/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/setools/Manifest
@ -1,33 +1,4 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-AUX fix-check-role_set_expand-libsepol-2.1.0.patch 1150 SHA256 8b9bcb857a77ae446721a4c7387493d74500bced0c6e2fc967c991a488122b3f SHA512 4e944cf6ff52792429004a432ea84f6fa0605418abff34a87bff21861e95a75e7a0da2860e49cf8ca54466ddb96d4693f765ca59659aa9ed38b95df0d3a73d3d WHIRLPOOL aabb28a97e57d343ece582080ce0b4a2dba8ae12147052f759da28cb4a567affdcaae8735129b5b28126b125f2ecd83f6ee5a163c6dfbbb137ecff2b0339f7e3
-AUX fix-implicit-def-fstat.patch 441 SHA256 3d0c55580056353ab3ca575899fb8f669d0b7a3f00f62dedf3a643a7e0ea8a9b SHA512 f9780fe4ff1e637ff6c2669fcc2cce18b269eeacde30064dc92711d6c4fcfe177e6d3884fd5f88db2e67ea803fbd32edc8f524f33103c53300c4477a8cf24eb4 WHIRLPOOL 766826b2c2564fd1e59af137ba1a57ca89eaa21e7d7462546780264b26f34465424c43789d173d1124a2534a4dc67a682857733f0436096efc031611b23fb25f
-AUX setools3-userspace-2.4-compatibility.patch 4245 SHA256 02bb2496f1c33177099ee025be3c297eec718dfe41565695e21056e165d4d626 SHA512 7f8bd3b48c23ea596d521c5a2d71fd714767167df24ee3cdf20b41ab19b077af267e83dec0db4ac9ef3333af26beb4c5e040607e3d33429c2ca96ae827da692b WHIRLPOOL f0752e5c4a5b5124af6be5cfdb9d29c7655983283b5bb71ef2976126231dc3115390f212375765a41dca5d9384b0c914457e7a5c93ed40a2ac9cc902563b9060
 DIST setools-3.3.8-01-fedora-patches.tar.gz 1128 SHA256 420b852d4209d07b73cec84586e000e7a6a719135ea677711abf97d420840bb6 SHA512 1aa2cc50c307929b522e029a552bfd545aef07656d1983289b0ea9be67aa94c07272a59c17630fc09fd79b06845ada318cdfa48d6cc243a24026e015c23b9634 WHIRLPOOL 25ae2b15fb15060fd0d34c55f4cc098b70a3a616f5334b092657a9c5df037b7fcf00fd185f33ba142e47d46c36b2fb7e9434021d6e987832fe833367a50d7449
 DIST setools-3.3.8-03-gentoo-patches.tar.gz 6584 SHA256 8eac460b7dc2ee5e2f23148cdbf187316edd78ce0ec7ebbb6b0f68d6ad33d86a SHA512 5458dab5775b558e287f946c299753be5cb5eb6c1c2b9df0e32c7cfa758bb5316d142aa6338d3019f5f1eeb72876e4d5ed4939b0dbfe7b7e01c08a19a086bacc WHIRLPOOL e1afa6bb28f3aee2f3acdc66efd8ca02548c4f8e5707052ea455f1db558126f069d63278251630ee68bf4987157279161006975cb14d44055492228fa476cd72
 DIST setools-3.3.8-04-gentoo-patches.tar.bz2 94986 SHA256 9a8a43ac97606fde9b2610ceed65f640638929853f871ce530982bedfd919b64 SHA512 39bf00b6aaf31821c6e2e2fb4c460dd1914fba4bf8385acebedf88f1533da990f1fb925dd49d75827aebef3f394a50a1edea46a07204193b58c65a066a064e6a WHIRLPOOL 4a92e4cf6930584de931c5d0805815aacd1c1af4434ca8e73414eda33588a55ef8d7bdfe4195be642889eee480128cbe12d1c5612e07ea304021b230e0b74816
 DIST setools-3.3.8.tar.bz2 951428 SHA256 44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e341e999 SHA512 2c42ee9904174ed6c6fc129e374ec3591925094ab0ef65001b0104e365c5634bf4a79f28369608c80199d8f59fafaa5f274107c04c129c380eeef7adb0c32667 WHIRLPOOL 11c4065809909764f4364b78df1a8030d189315601b882919ccacb5fb147c1b3a061c5bbf9ced3c243d4615ab7727e9db0c89e931a884ae8b317ae3a879e5371
-EBUILD setools-3.3.8-r5.ebuild 4345 SHA256 e16a7cc8e89e45c2760c8b5576e5955eaf44a07512269e48fb9bc4a0727b42b7 SHA512 4df946c6697454c9c6044b394a5e5d65449d572c6461d3aa06a5c20ae07cdb36ef3b2475c7eb81ea8a913663dbbda43afe2aaf67eecf64f29da9730105571191 WHIRLPOOL af5f526222a845ea59ca00e97f4f02d31e6facc52979279ae9ba36f60cf5ce7123a695c34eb9c8513f04c014df27cdb9d672f01f835f95eb8c9978cf2d8daa67
-EBUILD setools-3.3.8-r7.ebuild 3638 SHA256 15358bffe3115141d1f5810aa542c52960712fd55a0ada916da38b809a995f5a SHA512 d6fd9441af9bd5ca5b17d867e505f94b5afda7e2d98207c0605913b643274111abd2d34e60dbe978fb370fe5fad1b14b63a72ad5608d2bf669e55bdc6ca99145 WHIRLPOOL 6beeab2543fbfdeb45b3268b7154d3ccc3933599db76cf1b3f2515f9e55a8a971d33eddd9b37126d1291076396c1e27acba69506acd1ffecdcf125aa8e0568a6
-MISC ChangeLog 13853 SHA256 cc57d86fb1144a638b8ff0ffc8bf224e0accf971e4f8f421f97b0f80f0c342c8 SHA512 198c5933254e00c840c04fc0b90e9c12829765ccf68c6acfa6bcfd3c41748552e2fd730f7417b408b3f9c4f86164858510318352ed9d0c36f816dadf00b3b1d5 WHIRLPOOL e9fc9e922d5e27cbaa6a795ec9d6a9fdb8cfd977c294900fab211322a18716e2d39e4dc505395c2e8c76fe568ee2cdcf9cd5da891234d8c8e833e7b64444d3f7
-MISC metadata.xml 228 SHA256 bbcb1daec06953b214112a968d7691679891d41b620789200450e8fabf533951 SHA512 23a02e7ab38822642d81150177d3ce4d24f8aef3e422ba71bc8a9a04e777a2d462f45f4de839fcf39d32207fe60799b890157f90b1aedf5c4369656dc6303851 WHIRLPOOL 7e866656536cb45b9efd876bda1455a6554c5019647ff7d600fe0efb905d4e6102ee1d3041943f411505628e9c0d8d5e14d784589538d93a5d68064c526a2aac
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0
-
-iQJ8BAEBCABmBQJVTx+HXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
-ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFMTYyREVBRDFDQ0REMTEzRjA0QjNENDky
-QkJFRDlDQjFBNjhFRjU1AAoJECu+2csaaO9V+mgQAIQH9B1/HeDZYHPmQ1gG8sM8
-o1TqYbAQUXxKDoT/L30XRSrbZFJY8H0suaz4DifouUvJBoRSnd6iIoqCeYcuJj8V
-wravBH3NKW8MtP9ze8sxSPZnzGwLDCz0FM0Ww87+cSsOQjA7yjuU10F5IP6gtgcd
-PbvRppluEB5VJdtnbDCrcGoc14WHNaPO4BOcjCiWhIZcwFJDkfRMa4tDItCUsNGE
-kgUS28To+oMWYXJI/WQJFEvvIin35BLhhffMRpDcnRcGqhEMquJq/Vb/2z4eYUgB
-VKxtqtuviNDubdJgVDY4AeCQLPZQhIHblb87PknTXrxIWdE4yi7LD5GQRotbQDsY
-xeAn92TLRwxwp+CqAHNQdGNVyRl5Cr7206PANP4JmuEvWOp1emYqSkzmLgbkNoUB
-KkIN5Dlagfr03d6S+y0h6XUNTgg2UsVuFR8OmQzf39UGT82GZYeyJ8wpL4VPzbPL
-ShfLaexSSgzW/fWRz8kFjoSsgcHlljU6boWpXX9Y13g2w7DqidRpdxMlKbhWLvNx
-e5tNbdyEDodKogaOw0jzDfTGibthHO3cqpgdKdxkSkT2RkslKIcs3pWjYtJOLBQa
-7U9i8E2TTB26DaRntuCzAqsgO11KyYzptvBcyB39b4I41st8swTerd28sp7DuGTW
-ODIacLP79eRouHMhko4j
-=VFeZ
-----END PGP SIGNATURE-----
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/setools/files/support-cross-build.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/setools/files/support-cross-build.patch
@ -0,0 +1,29 @@
+diff -ur setools-3.3.8.orig/configure.ac setools-3.3.8/configure.ac
+--- setools-3.3.8.orig/configure.ac	2013-01-16 08:36:24.000000000 -0800
+++ setools-3.3.8/configure.ac	2015-06-11 15:01:16.476072420 -0700
+@@ -593,25 +593,6 @@
+ 	        sepol_new_errcodes="yes",
+                 sepol_new_errcodes="no")
+ 
+-AC_RUN_IFELSE(
+-   [AC_LANG_SOURCE([
+-#include <sepol/policydb/policydb.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-int main(void) {
+-    FILE *f = fopen("conftest.data", "w");
+-    if (f != NULL && fprintf(f, "%d", POLICYDB_VERSION_MAX) > 0) {
+-       fclose(f);
+-       exit(EXIT_SUCCESS);
+-    }
+-    exit(EXIT_FAILURE);
+-}])],
+-    sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
+-AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+-CFLAGS="${sepol_save_CFLAGS}"
+-CPPFLAGS="${sepol_save_CPPFLAGS}"
+-
+ if test ${use_selinux} = "yes"; then
+ dnl Locate selinux policy root directory
+     AC_MSG_CHECKING([for selinux policy root])
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/setools/setools-3.3.8-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/setools/setools-3.3.8-r7.ebuild
@ -52,6 +52,8 @@ pkg_setup() {
 }

 src_prepare() {
+	epatch "${FILESDIR}/support-cross-build.patch"
+
 	EPATCH_MULTI_MSG="Applying various (Gentoo) setool fixes... " \
 	EPATCH_SUFFIX="patch" \
 	EPATCH_SOURCE="${WORKDIR}/gentoo-patches" \
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r258.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r258.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@ -119,6 +119,7 @@ RDEPEND="${RDEPEND}
 	net-misc/ntp
 	net-misc/rsync
 	net-misc/wget
+	sec-policy/selinux-virt
 	sys-apps/coreutils
 	sys-apps/dbus
 	sys-apps/ethtool
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/setools
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/setools
@ -0,0 +1,2 @@
+export ac_cv_file__usr_lib64_libsepol_a=yes
+
--- a/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
@ -230,9 +230,9 @@ selinux-policy-2_src_compile() {
 		export M4PARAM="${makeuse}"
 		if [[ ${BASEPOL} == 2.20140311* ]]; then
 			# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
-			emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+			emake -j1 NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
 		else
-			emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+			emake NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
 		fi
 	done
 }
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@ -28,6 +28,9 @@ USE="${USE} -zeroconf"
 # No need for OpenMP support in GCC and other apps
 USE="${USE} -openmp"

+# Set SELinux policy
+POLICY_TYPES="targeted mcs mls"
+
 # Override upstream's python settings
 USE="$USE python_targets_python2_7 python_single_target_python2_7"
 USE="$USE -python_targets_python3_2 -python_single_target_python3_2"
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@ -37,7 +37,7 @@ net-analyzer/nmap ncat -lua
 app-admin/sudo -sendmail

 # avoid pulling in gnutls, disable gentoo-only bits, enable journal upload
-sys-apps/systemd -ssl curl vanilla -lz4 lzma gcrypt
+sys-apps/systemd -ssl curl vanilla -lz4 lzma gcrypt selinux

 # disable kernel config detection and module building
 net-firewall/ipset -modules
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
@ -1 +1,2 @@
 kdbus
+-selinux
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
@ -99,7 +99,7 @@ src_prepare() {

 src_compile() {
 	for i in ${POLICY_TYPES}; do
-		emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+		emake SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed"
 	done
 }

--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
@ -12,4 +12,4 @@ SELINUX=permissive
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
@ -0,0 +1,4 @@
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"
+
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
@ -0,0 +1,2 @@
+d	/etc/selinux/		-	-	-	-	-
+L	/etc/selinux/mcs	-	-	-	-	../../usr/lib/selinux/mcs
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
@ -156,12 +156,16 @@ src_install() {

 	done

+	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf"
 	dodoc doc/Makefile.example doc/example.{te,fc,if}

 	doman man/man8/*.8;

 	insinto /etc/selinux
 	doins "${FILESDIR}/config"
+
+	insinto /etc/selinux/mcs/contexts
+	doins "${FILESDIR}/lxc_contexts"
 }

 pkg_preinst() {
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
@ -1,5 +1,5 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA256

 AUX 0001-policycoreutils-pp-add-roletype-statements-for-both-.patch 2157 SHA256 799b93fde622a168e0c7b1a0a1ec1a0a65873379e1245ec42859c00a06ca1372 SHA512 fb96bcf8bf045092be98dfce3c2d010984428f2a302e53c72af236eb1466465a27c6fba00e0912cafb28159e3d233fd82220c2456a2b8df36ba2d1286b9752fa WHIRLPOOL e1a829e0710e045c7a7ba622f4c79e8ff9d59c370b838e45ccca95416845d92a6d690cd65be2c99aa020ec7a6db2692988db7b5d72823d42f977124b35abcb17
 AUX 0010-remove-sesandbox-support.patch 747 SHA256 af6969721dede49f4de4e1db8e98e8400a8f0e3ec0b55aee9295aea0d6ba3b9a SHA512 b7b54191d2b8703393dd23a7fcccbdc3e2b7234acd962e994c8549eebae6cae3b6f62055b47a2d5db94510739abfb2fa365090c452422b6fbc02ad625ebe4859 WHIRLPOOL 1ed396c3346123af9fc8a5e911a6c241e2b64d7424b2d5194b0cc7c6b44a960c70afde3d04a508ecf525af038a52c739bc424230db34fcb52096304b2cda2771
@ -21,23 +21,21 @@ EBUILD policycoreutils-2.3-r3.ebuild 4388 SHA256 2b87e99e95421c093aed5fca66c6506
 EBUILD policycoreutils-2.4.ebuild 4495 SHA256 f58265fbd9bd64bba47eef2ef7f65d6a7a62c1fea0b6754f6a48bb879156dc36 SHA512 43a099ac242de40c42132f697e248da84cde5c38ca64be38c4cb8729153a8921597a082d095a6d312b0e6422b6345099460039798c0f626533141e1bf841138b WHIRLPOOL 8d5757ae72043247b9501510bb561d6f8ae516ae54ee97a9b3e9ad68f61626cef9463b73a278d043b472988f7499baf26ef16e3619f7a7efb0e1c9264125f74d
 EBUILD policycoreutils-9999.ebuild 5262 SHA256 0bf3f18e901197cfecd321bee41a7eff1e041a657a4e1824d3678728e11d1117 SHA512 e00c2cc009bfd413267723f08e265ef3f5746591d639f5273a4d50ffc601cd60f7db63aa54803bcc536cb543ccc4a78033bdd044ad0ae15d72191603de923189 WHIRLPOOL 218f9ee27401591352d69daf1d3a7ccaa596fc2c5ebd32842fcea33d96f15e90de0ce81346bbb671d9b8f9222f91dbad17a9535af35e06d5f453e2323ebaf4db
 MISC ChangeLog 26573 SHA256 ed7d9b9bc3fd89f29cb06c58cd1274191dd2e530a3b8dd83cb2da259d09d1824 SHA512 5e326782bd849516aa8afeed38c0bb9ec52049fc15dda4ab45d5ea84a54f576bf998b02bbe5f73b8c26c26eb388c064dc1e81fa2208f5989b4203ab4cf7adb6b WHIRLPOOL 8b57bc4114ca783c3bd492bfae5875124fd07c4225e64b5ccd7974d0c6e1e576e88bbbd8dde9ae5c0fb0a8aa7850124074c6bc634da87c0d05678c145be2ef00
-MISC metadata.xml 1031 SHA256 06b7505520a24771b371e3e969ec42a0d0235618c091f82d3c41fbcd313246ea SHA512 61c998ee18c95ff4b69b6c6d8b3b255801d8e15da326b5f0800adc76e0c264965303e0af56dc10b31ed484baa7b1f2d425f02e0454912480ad0ed6e3cc80ffed WHIRLPOOL d25970c2f991f0c6022a92248f749effe1d987425788353083ad8eb1d6aba29d97a6daed2115692c462cb66e8c441752466670c6b099a649b5ed177112970543
+MISC metadata.xml 971 SHA256 9d2157deddd1a457ff3d7b1232ec23e71367852b743ef6b4b8290349c3c9c698 SHA512 79fbbb6285a75f84fdd103ed704d62ede2695e7b8fe03f989ac4a065261a5e870675c1186173c1d4a65b88ac98f8bc2153146010513926e1a1b53efa52564a03 WHIRLPOOL eadde5fe3a3a2a71031d46f7e7c602f8069138914e62c44dff4be09afb8e23391a36d7c358a011722151437ee51be9f404ee1360a2d918078de3f783ff7e062f
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0

-iQJ8BAEBCgBmBQJVfySwXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
-ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0QUU0N0I4NzFERUI0MTJFN0EyODE0NUFF
-OTQwMkE3OUIwMzUyOUEyAAoJEOlAKnmwNSmiZdoP/RMFcNOoP+7m2UQ0NvvLC+/6
-jxN5f+2hmhbNIzq6ebvbWYcJxPI0juRokV2QnVJNSHQFCBoRWp8bjwSlEeLZzAJ6
-MQLZ3UOCyqQ4wM897g3d85FAaBPRT1RHLyNo/GsuhgRhIRtPpfYVr+qnbB3C+XDC
-faik+Pe/4cdjAewp7a6WN7MXiG91P9t9/qNpJSTLm1H70CzCgDLrp/+3Yp2TOgkl
-XtuYJ+Uy1u/zljxWOGgMKU4Vrz6eU48THFo6MpfatkWX4hkQt/TowCHFmQi6djRV
-/jsIUybwCDo+CadMaqfhtFQvBHMju6zcD/bCyp2y2VdFlhCeUp1qVF0iO6VD5xXo
-2DCPb7QQMAKtFmb2GI0KoaTFjt4Z5kFPfuwfqCmHlIf6a3nijVHFNVrz5nhK0gqx
-ed1TEaN++f3gXor1xEUtCyqIUSyIsDSi1OlpstVudLnFf0guphSmKZHN33vfb2ou
-AMYx/3TOW8SLZdt1bqyzlwHTKzTUUuhB9eHHkrhbdT8pWZVi2YS+MzeLwJF4FzI3
-SsOD9P/bSBiA0ZIsBCHUVScc1jbw44sBkA9ASazvXqwwQZoZvrFnO2TmCM8KrB0G
-pIRGQwk0VsBE9V16IctG6Oq9RWzZL0BHgGc2lVf9mzMTzcnDBP67iAwib8nTq47y
-2cXhVWXMXttYpsJHgcOK
-=/8mn
+iQIcBAEBCAAGBQJVdwhsAAoJEC7dUkA7aK9HC2wQAJHJi9AsOmlUnFokVxMMkXSy
+SWR7FpmMv+fbqJOL6o1ZX11xBVKN6poqC3blCwr3Pv98iENqCbluJgzANiWFUmTd
+OS06d4Q0USfUPl3GSylEPRNIbqxoIlD24vdolN7TnU5WfxRvp5klYUAsYoTIQnmy
+LViUoBZMzgJZnoUbN7by2geHvkb5U8B1aEawkSAZq+s4M/dFlMtkgYD/DNAk/ZFV
+jNhde9bxcvxmmfV6+er2bUplzeTZtwh8wg/6Toh/dOa0kNCtbVMlzNvU9JbAjlK5
+r/1UsCE0aHrQvRSt5BNJ1DT7vUzyrYre+Wq11ox1HQBNXdwk/rDtTzRi9U/RVVSM
+I9f0OC2RSCVX/E39jjI7jwGUeAwgkVXqcOm7I4s6ThSpyZsi+VjdyMRwYJH3jUEN
+4xfT3hR1nGfPeXkBoGUqVf8n1x3tlzFManweFfxs+HZOBcUkGQh5AcDk4YDihsOM
+8mZD6R0aGkAOXzfWQMZHLUzwOdd+07FezFFfby7tYtyvbjmU5xosz1PcoyY85Kqm
+wey41drfr61lLedyufgmW4lAYAtNnUEn3bIeiwuvjSPl+J8BYhjSel/zPsPww0Ti
+kVyHB0FYagF18FR0Dg3ISYfyWJqjpf+gJQRjRhxPSTGQqcX69oRTjNR6Dds3IJE9
+UetIWSxlDBewq0kZxEOr
+=/Evg
 -----END PGP SIGNATURE-----
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
@ -15,10 +15,9 @@
 		permissive.
 	</longdescription>
 	<use>
-		<flag name="audit">Enable support for <pkg>sys-process/audit</pkg> and use the audit_* functions (like audit_getuid instead of getuid())</flag>
+	  <flag name='audit'>Enable support for <pkg>sys-process/audit</pkg> and use the audit_* functions (like audit_getuid instead of getuid())</flag>
 	</use>
 	<upstream>
-		<remote-id type="cpe">cpe:/a:redhat:policycoreutils</remote-id>
-		<remote-id type="github">SELinuxProject/selinux</remote-id>
+	  <remote-id type="cpe">cpe:/a:redhat:policycoreutils</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
@ -15,7 +15,7 @@ SEMNG_VER="${PV}"
 SELNX_VER="${PV}"
 SEPOL_VER="${PV}"

-IUSE="audit pam dbus"
+IUSE="audit pam dbus python"

 DESCRIPTION="SELinux core utilities"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
@ -26,28 +26,35 @@ LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="amd64 x86"

-DEPEND=">=sys-libs/libselinux-${SELNX_VER}[python]
+DEPEND=">=sys-libs/libselinux-${SELNX_VER}[python?]
 	>=sys-libs/glibc-2.4
 	>=sys-libs/libcap-1.10-r10
-	>=sys-libs/libsemanage-${SEMNG_VER}[python]
+	>=sys-libs/libsemanage-${SEMNG_VER}[python?]
 	sys-libs/libcap-ng
 	>=sys-libs/libsepol-${SEPOL_VER}
 	sys-devel/gettext
-	dev-python/ipy[${PYTHON_USEDEP}]
+	python? (
+		dev-python/ipy[${PYTHON_USEDEP}]
+	)
 	dbus? (
 		sys-apps/dbus
 		dev-libs/dbus-glib
 	)
 	audit? ( >=sys-process/audit-1.5.1 )
 	pam? ( sys-libs/pam )
-	${PYTHON_DEPS}"
+	python? (
+		${PYTHON_DEPS}
+	)"

 ### libcgroup -> seunshare
 ### dbus -> restorecond

 # pax-utils for scanelf used by rlpkg
 RDEPEND="${DEPEND}
-	dev-python/sepolgen
+	python? (
+		dev-python/sepolgen
+	)
+	app-admin/setools
 	app-misc/pax-utils"

 S="${WORKDIR}/${MY_P}"
@ -71,13 +78,17 @@ src_prepare() {

 	epatch_user

-	python_copy_sources
-	# Our extra code is outside the regular directory, so set it to the extra
-	# directory. We really should optimize this as it is ugly, but the extra
-	# code is needed for Gentoo at the same time that policycoreutils is present
-	# (so we cannot use an additional package for now).
-	S="${S2}"
-	python_copy_sources
+        find -name Makefile -exec sed s/-Werror//g -i '{}' + 
+
+	if use python ; then
+		python_copy_sources
+		# Our extra code is outside the regular directory, so set it to the extra
+		# directory. We really should optimize this as it is ugly, but the extra
+		# code is needed for Gentoo at the same time that policycoreutils is present
+		# (so we cannot use an additional package for now).
+		S="${S2}"
+		python_copy_sources
+	fi
 }

 src_compile() {
@ -92,10 +103,17 @@ src_compile() {
 			PYLIBVER="${EPYTHON}" \
 			LIBDIR="\$(PREFIX)/$(get_libdir)"
 	}
-	S="${S1}" # Regular policycoreutils
-	python_foreach_impl building
-	S="${S2}" # Extra set
-	python_foreach_impl building
+	if use python ; then
+		S="${S1}" # Regular policycoreutils
+		python_foreach_impl building
+		S="${S2}" # Extra set
+		python_foreach_impl building
+	else
+		BUILD_DIR="${S1}"
+		building
+		BUILD_DIR="${S2}"
+		building
+	fi
 }

 src_install() {
@ -103,39 +121,52 @@ src_install() {
 	installation-policycoreutils() {
 		einfo "Installing policycoreutils"
 		emake -C "${BUILD_DIR}" DESTDIR="${D}" AUDITH="$(usex audit)" PAMH="$(usex pam)" INOTIFYH="$(usex dbus)" SESANDBOX="n" AUDIT_LOG_PRIV="y" PYLIBVER="${EPYTHON}" install
-		python_optimize
+		if use python ; then
+			python_optimize
+		fi
 	}

 	installation-extras() {
 		einfo "Installing policycoreutils-extra"
 		emake -C "${BUILD_DIR}" DESTDIR="${D}" INOTIFYH="$(usex dbus)" SHLIBDIR="${D}$(get_libdir)/rc" install
-		python_optimize
+		if use python ; then
+			python_optimize
+		fi
 	}

-	S="${S1}" # policycoreutils
-	python_foreach_impl installation-policycoreutils
-	S="${S2}" # extras
-	python_foreach_impl installation-extras
-	S="${S1}" # back for later
+	if use python ; then
+		S="${S1}" # policycoreutils
+		python_foreach_impl installation-policycoreutils
+		S="${S2}" # extras
+		python_foreach_impl installation-extras
+		S="${S1}" # back for later
+	else
+		BUILD_DIR="${S1}"
+		installation-policycoreutils
+		BUILD_DIR="${S2}"
+		installation-extras
+	fi

 	# remove redhat-style init script
 	rm -fR "${D}/etc/rc.d"

 	# compatibility symlinks
-	dosym /sbin/setfiles /usr/sbin/setfiles
+#	dosym /sbin/setfiles /usr/sbin/setfiles
 	dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so

 	# location for policy definitions
 	dodir /var/lib/selinux
 	keepdir /var/lib/selinux

-	# Set version-specific scripts
-	for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
-	  python_replicate_script "${ED}/usr/bin/${pyscript}"
-	done
-	for pyscript in semanage rlpkg; do
-	  python_replicate_script "${ED}/usr/sbin/${pyscript}"
-	done
+	if use python ; then
+		# Set version-specific scripts
+		for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
+		  python_replicate_script "${ED}/usr/bin/${pyscript}"
+		done
+		for pyscript in semanage rlpkg; do
+		  python_replicate_script "${ED}/usr/sbin/${pyscript}"
+		done
+	fi

 	dodir /usr/share/doc/${PF}/mcstrans/examples
 	cp -dR "${S1}"/mcstrans/share/examples/* "${D}/usr/share/doc/${PF}/mcstrans/examples"
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.5-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.5-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0
@ -74,7 +74,7 @@ CONFIG_POSIX_MQUEUE_SYSCTL=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
 CONFIG_FHANDLE=y
 CONFIG_USELIB=y
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y

 #
@ -3723,12 +3723,22 @@ CONFIG_KEYS=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
+CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
+CONFIG_DEFAULT_SECURITY_SELINUX=y
+CONFIG_DEFAULT_SECURITY="selinux"
 # CONFIG_INTEL_TXT is not set
-# CONFIG_DEFAULT_SECURITY_SELINUX is not set
-CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_DEFAULT_SECURITY=""
+# CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
 CONFIG_ASYNC_MEMCPY=m
				`@ -0,0 +1,2 @@`
				`export ac_cv_file__usr_lib64_libsepol_a=yes`