From 193ef15b912b40ce2f3343db06101a54c49cb16d Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Fri, 26 Jun 2015 16:53:57 -0700
Subject: [PATCH] Fix up selinux policy

We need some additional selinux policy to get rkt working. Right now this is a slightly rough cut - we'll tidy this up over time and ensure that it's not overly permissive. In addition, ensure that policy is installed in /usr rather than /etc and /var in order to allow upgrades to work properly.
---
 .../selinux-base/files/kernel_mcs.diff | 12 +++
 .../selinux-base-2.20141203-r5.ebuild | 9 ++
 .../sec-policy/selinux-virt/files/virt.diff | 90 +++++++++++++++++++
 .../selinux-virt-2.20141203-r5.ebuild | 2 +
 .../files/tmpfiles.d/policycoreutils.conf | 2 +
 .../policycoreutils-2.4.ebuild | 5 +-
 6 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/policycoreutils.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
new file mode 100644
index 0000000000..5167e2ff79
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
@@ -0,0 +1,12 @@
+diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+--- refpolicy.orig/policy/modules/kernel/kernel.te 2015-06-24 14:05:01.160318849 -0700
++++ refpolicy/policy/modules/kernel/kernel.te 2015-06-24 14:06:23.468516424 -0700
+@@ -442,3 +442,8 @@
+ #dev_manage_all_dev_nodes(kernel_t)
+ dev_setattr_generic_chr_files(kernel_t)
+ ')
++
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_process_set_categories(kernel_t)
++
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
index 1df174aace..05733bf86e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
@@ -51,6 +51,8 @@ src_prepare() {
 epatch
 fi
+ epatch "${FILESDIR}/kernel_mcs.diff"
+
 cd "${S}/refpolicy"
 make bare
@@ -134,6 +136,7 @@ src_install() {
 for i in ${POLICY_TYPES}; do
 cd "${S}/${i}"
+
 make DESTDIR="${D}" install \
 || die "${i} install failed."
@@ -166,6 +169,12 @@ src_install() {
 insinto /etc/selinux/mcs/contexts
 doins "${FILESDIR}/lxc_contexts"
+
+ mkdir -p "${D}/usr/lib/selinux"
+ for i in ${POLICY_TYPES}; do
+ mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
+ dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
+ done
 }
 pkg_preinst() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
new file mode 100644
index 0000000000..16bd929e4a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
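Review bot: The three added `mcs_*` calls exempt `kernel_t` from MCS separation on files and let it assign arbitrary categories, and nothing in the patch records why; a comment above `mcs_file_read_all(kernel_t)` such as `# CoreOS: the process launching rkt containers currently runs in kernel_t and must cross MCS categories (see virt.diff); TODO: move it to a dedicated launcher domain` would tell the promised tidy-up what to replace. Read together with `allow kernel_t svirt_lxc_net_t:process transition;` in virt.diff, it looks like the container launcher itself runs in `kernel_t`; if so, a domain for that launcher is the narrower fix, rather than widening `kernel_t` for everything that carries that label. The surrounding `kernel.te` context is not in view, so I cannot tell whether an existing interface already grants part of this.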
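Review bot: The relocation loop in the `@@ -166,6 +169,12 @@` hunk uses bare `mkdir -p` and `mv` with no error check, so a failed move leaves `/etc/selinux/${i}` behind and the following `dosym` silently points at a missing target without aborting the merge; use the ebuild helpers and fail loudly: `dodir /usr/lib/selinux` followed by `mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux/" || die "failed to relocate ${i} policy"`. Whether `${D}/etc/selinux/${i}` exists for every entry in `POLICY_TYPES` depends on the `make install` loop earlier in `src_install`, which is only partly in view. The `insinto /etc/selinux/mcs/contexts` two lines above is presumably carried along with the rest of `mcs`, which is fine for an immutable `/usr`, but it means anything that edits contexts under `/etc/selinux` at runtime now hits a symlink into `/usr`; a short comment on the loop stating that intent would help.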
@@ -0,0 +1,90 @@
+diff -ur policy.orig/modules/contrib/virt.te policy/modules/contrib/virt.te
+--- policy.orig/modules/contrib/virt.te 2015-06-24 14:19:59.049728749 -0700
++++ policy/modules/contrib/virt.te 2015-06-24 14:21:57.426003987 -0700
+@@ -1243,3 +1243,86 @@
+ files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
++
++require {
++ type unlabeled_t;
++ type devpts_t;
++ type kernel_t;
++ type svirt_lxc_net_t;
++ type svirt_lxc_file_t;
++ type tmpfs_t;
++ type proc_t;
++ type sysfs_t;
++ type var_lib_t;
++ type init_var_run_t;
++ type sysctl_t;
++ type ptmx_t;
++ type sysctl_kernel_t;
++ type proc_kmsg_t;
++ class fifo_file { write setattr read create unlink open };
++ class process { execmem getcap transition sigchld };
++ class chr_file { setattr read create getattr mounton write ioctl open };
++ class capability { sys_chroot mknod };
++ class fd use;
++ class file { rename read lock execute_no_trans mounton ioctl unlink open append execute create write entrypoint };
++ class filesystem { unmount mount remount };
++ class sock_file { write create };
++ class lnk_file { read create };
++ class unix_stream_socket { connectto };
++ class dir { rename setattr relabelfrom create reparent mounton write remove_name relabelto add_name };
++}
++
++allow kernel_t svirt_lxc_net_t:process transition;
++allow svirt_lxc_net_t devpts_t:chr_file { write ioctl setattr read open getattr };
++allow svirt_lxc_net_t devpts_t:filesystem mount;
++allow svirt_lxc_net_t init_var_run_t:file { read open };
++allow svirt_lxc_net_t kernel_t:fd use;
++allow svirt_lxc_net_t kernel_t:process sigchld;
++allow svirt_lxc_net_t kernel_t:unix_stream_socket { connectto };
++kernel_read_messages(svirt_lxc_net_t)
++allow svirt_lxc_net_t proc_kmsg_t:file mounton;
++allow svirt_lxc_net_t proc_t:filesystem { mount remount };
++
++#!!!! The source type 'svirt_lxc_net_t' can write to a 'chr_file' of the following types:
++# svirt_lxc_file_t, user_devpts_t, zero_device_t, null_device_t, devtty_t
++
++allow svirt_lxc_net_t ptmx_t:chr_file { read write ioctl open };
++allow svirt_lxc_net_t self:capability { sys_chroot mknod };
++allow svirt_lxc_net_t self:process getcap;
++allow svirt_lxc_net_t svirt_lxc_file_t:file mounton;
++allow svirt_lxc_net_t sysctl_kernel_t:file mounton;
++allow svirt_lxc_net_t sysctl_t:dir mounton;
++allow svirt_lxc_net_t sysfs_t:dir mounton;
++allow svirt_lxc_net_t sysfs_t:filesystem mount;
++allow svirt_lxc_net_t tmpfs_t:chr_file { read write create open mounton };
++allow svirt_lxc_net_t tmpfs_t:dir { write remove_name create add_name mounton };
++
++#!!!! The source type 'svirt_lxc_net_t' can write to a 'fifo_file' of the following type:
++# svirt_lxc_file_t
++
++allow svirt_lxc_net_t tmpfs_t:fifo_file { write setattr read create unlink open };
++
++#!!!! The source type 'svirt_lxc_net_t' can write to a 'file' of the following type:
++# svirt_lxc_file_t
++
++allow svirt_lxc_net_t tmpfs_t:file { write read create unlink open };
++allow svirt_lxc_net_t tmpfs_t:filesystem { mount remount };
++allow svirt_lxc_net_t tmpfs_t:lnk_file { read create };
++allow svirt_lxc_net_t tmpfs_t:sock_file create;
++allow svirt_lxc_net_t unlabeled_t:dir mounton;
++allow svirt_lxc_net_t unlabeled_t:file { read execute open };
++allow svirt_lxc_net_t unlabeled_t:lnk_file read;
++allow svirt_lxc_net_t var_run_t:sock_file write;
++allow svirt_lxc_net_t var_lib_t:dir { rename setattr relabelfrom create reparent write relabelto remove_name add_name };
++allow svirt_lxc_net_t var_lib_t:file { rename execute read lock create execute_no_trans write entrypoint unlink open append };
++allow svirt_lxc_net_t var_lib_t:lnk_file create;
++allow svirt_lxc_net_t devpts_t:filesystem unmount;
++allow svirt_lxc_net_t proc_t:filesystem unmount;
++allow svirt_lxc_net_t self:process getpgid;
++allow svirt_lxc_net_t svirt_lxc_file_t:filesystem unmount;
++allow svirt_lxc_net_t sysfs_t:filesystem unmount;
++allow svirt_lxc_net_t tmpfs_t:chr_file ioctl;
++allow svirt_lxc_net_t tmpfs_t:filesystem unmount;
++allow svirt_lxc_net_t tmpfs_t:sock_file write;
++allow svirt_lxc_net_t var_lib_t:file ioctl;
++
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild
index b2e4c10a68..8e6c4604b4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild
@@ -10,6 +10,8 @@ inherit selinux-policy-2
 DESCRIPTION="SELinux policy for virt"
+POLICY_PATCH="${FILESDIR}/virt.diff"
+
 if [[ $PV == 9999* ]] ; then
 KEYWORDS=""
 else
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/policycoreutils.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/policycoreutils.conf
new file mode 100644
index 0000000000..fcc4269312
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/policycoreutils.conf
@@ -0,0 +1,2 @@
+d /var/lib/selinux - - - - -
+L /var/lib/selinux/policy - - - - ../../usr/lib/selinux/policy
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
index d9711c717a..7ff3701e65 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
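Review bot: `allow svirt_lxc_net_t var_lib_t:file { rename execute read lock create execute_no_trans write entrypoint unlink open append };` together with the matching `var_lib_t:dir` rule gives the container domain write-plus-execute, and `entrypoint`, on the generic `/var/lib` label, so any `var_lib_t` file the domain can reach is both writable and usable as its entry point; the `#!!!!` comments audit2allow left in the patch list the types the domain could already write to, which is the tool's hint to relabel the new targets rather than widen the rule. Give rkt's store its own type (the module already has `svirt_lxc_file_t`, which these rules also use) through a file-context entry, grant `execute`/`entrypoint` only on that type, and drop the `#!!!!` lines once resolved. `allow svirt_lxc_net_t unlabeled_t:file { read execute open };` has the same shape, permitting execution of content that carries no label at all. The tail starting at `devpts_t:filesystem unmount` repeats target/class pairs already granted earlier in the same hunk (`devpts_t:filesystem`, `tmpfs_t:chr_file`, `tmpfs_t:sock_file`, `var_lib_t:file`) and looks like a second audit2allow pass appended to the first; merging those permissions into the earlier rules would make the policy reviewable. Raw `require`/`allow` statements in a refpolicy `.te` also sidestep the module's interface convention, which the tidy-up promised in the description should address.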
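Review bot: The relative target in `L /var/lib/selinux/policy - - - - ../../usr/lib/selinux/policy` is one level short: a symlink created at `/var/lib/selinux/policy` resolves `..` from `/var/lib/selinux`, so the target lands at `/var/usr/lib/selinux/policy`, not `/usr/lib/selinux/policy`; it should read `L /var/lib/selinux/policy - - - - ../../../usr/lib/selinux/policy` (or use an absolute target). The `../../` form is correct in the ebuild's `dosym ../../usr/lib/selinux/policy /var/lib/selinux`, where the link lives one directory higher, which is probably where this line was copied from. This file also declares `/var/lib/selinux` as a directory (`d`) while that same `dosym` makes it a symlink; the two layouts need to agree or tmpfiles will act on a path of the wrong kind at boot.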
@@ -155,8 +155,8 @@ src_install() {
 dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
 # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
+ dodir /usr/lib/selinux/policy
+ dosym ../../usr/lib/selinux/policy /var/lib/selinux
 if use python ; then
 # Set version-specific scripts
@@ -168,6 +168,7 @@ src_install() {
 done
 fi
+ systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/policycoreutils.conf"
 dodir /usr/share/doc/${PF}/mcstrans/examples
 cp -dR "${S1}"/mcstrans/share/examples/* "${D}/usr/share/doc/${PF}/mcstrans/examples"
 }
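Review bot: `dosym ../../usr/lib/selinux/policy /var/lib/selinux` in the `@@ -155,8 +155,8 @@` hunk makes `/var/lib/selinux` itself a symlink, while the tmpfiles.d fragment this same commit installs declares it as a directory (`d /var/lib/selinux`) holding a `policy` symlink; the two cannot both be right, so pick one layout (a real `/var/lib/selinux` directory with only `policy` pointing into `/usr` is the one the tmpfiles file describes) and make the `dosym` match it. `systemd_dotmpfilesd` in the `@@ -168,6 +168,7 @@` hunk comes from the `systemd` eclass, and the ebuild's `inherit` line is outside the hunk, so confirm it lists `systemd` or the helper is an unbound name at install time. If `/usr` is read-only on this platform, as the upgrade rationale in the description suggests, pointing the module store into `/usr` means `semodule`/`semanage` writes will fail at runtime; if that is intended, a comment next to the `dosym` saying so, e.g. `# policy store lives in read-only /usr; runtime module changes are not supported`, would save the next reader a debugging session. `src_install` begins and ends outside these hunks.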