coreos/user-patches: add selinux-base-policy

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch

@@ -0,0 +1,11 @@
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index dbd39cf8f..563559ca7 100644
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
+@@ -1503,3 +1503,6 @@ optional_policy(`
+ 	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ 	userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++require { type unconfined_t; }
++allow init_t unconfined_t:file exec_file_perms;

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch

@@ -0,0 +1,13 @@
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 109980e79..d5c4a5d95 100644
+--- a/refpolicy/policy/modules/system/locallogin.te
++++ b/refpolicy/policy/modules/system/locallogin.te
+@@ -34,7 +34,7 @@ role system_r types sulogin_t;
+
+ allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+ dontaudit local_login_t self:capability net_admin;
+-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
++allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch

@@ -0,0 +1,18 @@
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index abd61e6bd..fb5d69366 100644
+--- a/refpolicy/policy/modules/system/logging.te
++++ b/refpolicy/policy/modules/system/logging.te
+@@ -525,11 +525,13 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
+ 
+ ifdef(`init_systemd',`
+ 	# for systemd-journal
++	require { type kernel_t; }
+ 	allow syslogd_t self:capability audit_control;
+ 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ 	allow syslogd_t self:capability2 audit_read;
+ 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+ 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
++	allow syslogd_t kernel_t:netlink_audit_socket getattr;
+ 
+ 	# remove /run/log/journal when switching to permanent storage
+ 	allow syslogd_t var_log_t:dir rmdir;

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch

@@ -0,0 +1,19 @@
+diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
+--- a/refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:28:26.850809330 -0000
++++ b/refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:29:50.323880882 -0000
+@@ -117,6 +117,7 @@
+ corenet_raw_sendrecv_generic_node(ping_t)
+ corenet_tcp_sendrecv_generic_node(ping_t)
+ corenet_raw_bind_generic_node(ping_t)
++corenet_icmp_bind_generic_node(ping_t)
+
+ dev_read_urand(ping_t)
+
+@@ -189,6 +190,7 @@
+ corenet_tcp_connect_all_ports(traceroute_t)
+ corenet_sendrecv_all_client_packets(traceroute_t)
+ corenet_sendrecv_traceroute_server_packets(traceroute_t)
++corenet_icmp_bind_generic_node(traceroute_t)
+
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)