From 3227e5614cc1cb25c618cd5bb36fe7ac883e4f75 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Wed, 15 Dec 2021 20:00:22 +0100
Subject: [PATCH] sec-policy/selinux-base: Apply Flatcar modifications
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to unconfined
- add AVC patch for local login and journald
- add python[lxml] to BDEPEND (not pulled through policycoreutils any more due to our changes there)
---
 ...s-kernel-all-more-actions-for-kernel.patch | 24 +++++++++
 ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 ++++++++++
 .../sec-policy/selinux-base/files/booleans | 1 -
 .../sec-policy/selinux-base/files/config | 2 +-
 .../selinux-base/files/lxc_contexts | 10 ++++
 .../files/tmpfiles.d/selinux-base.conf | 4 ++
 .../selinux-base-2.20200818-r2.ebuild | 51 ++++++++++++++++---
 7 files changed, 111 insertions(+), 8 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
new file mode 100644
index 0000000000..cf6406da73
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@@ -0,0 +1,24 @@
+From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux
+Date: Fri, 4 Jun 2021 13:17:44 +0200
+Subject: [PATCH] policy/modules/kernel: all more actions for kernel
+
+Signed-off-by: Mathieu Tortuyaux
+---
+ policy/modules/kernel/kernel.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+--- refpolicy/policy/modules/kernel/kernel.te
++++ refpolicy/policy/modules/kernel/kernel.te
+@@ -351,6 +351,10 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
+
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
new file mode 100644
index 0000000000..5cce12771a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
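Review bot: The embedded patch adds mcs_killall, mcs_file_read_all, mcs_file_write_all and mcs_ptrace_all for kernel_t without recording which denial motivated each, and its Subject reads `all more actions for kernel` where `allow more actions for kernel` is presumably meant. Judging by their names these four interfaces exempt the kernel domain from MCS category checks on processes and files system-wide, so the patch description (or a comment above the added lines such as `# flatcar: needed for <AVC denial / issue reference placeholder>`) should state the observed AVC so a later refpolicy bump can re-check whether they are still required. Separately, the outer commit message describes sshd running as unconfined_t, an init.patch and an AVC patch for local login and journald, none of which appear in the diffstat, while the two patch files this commit actually adds are not mentioned; the message should describe what is shipped here.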
@@ -0,0 +1,27 @@
+--- refpolicy/policy/mcs
++++ refpolicy/policy/mcs
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++
++default_range dir_file_class_set target low-high;
+ #
+ # Define sensitivities
+ #
+@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or (t1 == mcswriteall));
+
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
+
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
deleted file mode 100644
index c12771d473..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
+++ /dev/null
@@ -1 +0,0 @@
-allow_execmem = true
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
index 55933ea0e5..7b66367667 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
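Review bot: The third rewritten constraint, `((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)))`, parenthesises differently from the first, `((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall))`: in the third the `and` is not grouped against the `or`, so the reading depends on checkpolicy's operator precedence rather than being spelled out. Both constraints are evidently meant to say the same thing, so use the explicit first form for the `{ create relabelto }` case on the multi-class line as well. This patch file also carries no header or description, unlike the sibling kernel patch; a short preamble stating that `t1 == mcswriteall` now bypasses the dominance check for relabelfrom and relabelto on every listed file class, and why, is the information a policy reviewer most needs when this file is rebased.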
@@ -12,4 +12,4 @@ SELINUX=permissive
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
new file mode 100644
index 0000000000..b9ce512118
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
@@ -0,0 +1,10 @@
+# This file is used to configure the per-instance contexts of rkt and other
+# applications that use libvirt for lxc container support.
+#
+# See:
+# https://coreos.com/rkt/docs/latest/selinux.html
+# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
+
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
new file mode 100644
index 0000000000..a123a51d15
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
@@ -0,0 +1,4 @@
+#Type Path Mode UID GID Age Argument
+d /etc/selinux/ - - - - -
+L /etc/selinux/config - - - - ../../usr/lib/selinux/config
+L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 9eaddb863d..63859fde4d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
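Review bot: The two `L` entries in tmpfiles.d/selinux-base.conf only create a symlink when the path does not exist yet; a plain `L` line leaves an existing file or directory in place. The previous revision of this ebuild installed `config` as a regular file under /etc/selinux (the removed `insinto /etc/selinux` in src_install), so on a system upgraded in place with a persistent /etc the old file would remain and keep shadowing /usr/lib/selinux/config, including its SELINUXTYPE. If replacing it is intended, `L+ /etc/selinux/config - - - - ../../usr/lib/selinux/config` (and the same for the `mcs` line) does that; if not, the migration should be handled explicitly and the decision recorded in the file's header comment. The `mcs` line also hard-codes one policy type while the ebuild's src_install loop creates an /etc/selinux/<type> link for every entry in POLICY_TYPES, so the two lists can silently drift apart.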
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -3,6 +3,10 @@ EAPI="7" +# flatcar changes +TMPFILES_OPTIONAL=1 +inherit systemd tmpfiles + if [[ ${PV} == 9999* ]]; then EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -23,11 +27,23 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux" LICENSE="GPL-2" SLOT="0" -RDEPEND=">=sys-apps/policycoreutils-2.8" -DEPEND="${RDEPEND}" -BDEPEND=" +# flatcar changes +RDEPEND=">=sys-apps/policycoreutils-2.8 >=sys-apps/checkpolicy-2.8 - sys-devel/m4" +" +DEPEND="${RDEPEND}" +# flatcar: BDEPEND on python3[xml] - normally pulled in through policycoreutils +# but we made that dep conditional on USE=python +BDEPEND="sys-devel/m4 + >=dev-lang/python-3[xml] +" + + +# flatcar changes +PATCHES=( + "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch + "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch +) S=${WORKDIR}/
@@ -37,6 +53,8 @@ src_prepare() { eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" fi + # flatcar changes + eapply -p0 "${PATCHES[@]}" eapply_user cd "${S}/refpolicy" || die
@@ -78,6 +96,10 @@ src_configure() { sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die + # flatcar changes: it's required to run polkit without segfault + # we need to pass this argument now before the compilation of the policy + sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die + sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ "${S}/${i}/build.conf" || die "build.conf setup failed."
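Review bot: In the dependency hunk the new build dependency is `>=dev-lang/python-3[xml]` and the comment above it says python3[xml], but the commit message says python[lxml] was added to BDEPEND; those are different things (the interpreter's stdlib xml module versus the dev-python/lxml package), so either the atom or the message is wrong and one of them should be corrected before this lands. `>=sys-apps/checkpolicy-2.8` also moves from BDEPEND into RDEPEND under a bare `# flatcar changes` comment; if the policy is compiled on the target at runtime the comment should say so, otherwise it belongs back in BDEPEND. The two consecutive empty added lines before the second `# flatcar changes` can be reduced to one.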
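Review bot: In the src_configure hunk, `sed -i "s/allow_execmem = false/allow_execmem = true/" ... || die` still exits 0 when nothing matched, so if a future refpolicy changes the default or the spelling of this boolean the substitution silently does nothing and the polkit workaround the comment describes is lost without any build failure. Add a check after the sed, e.g. `grep -q '^allow_execmem = true' "${S}/${i}/policy/booleans.conf" || die "allow_execmem not enabled"` (this assumes booleans.conf has already been generated at that point, which happens outside the hunk). Because this flips a global boolean that relaxes the executable-memory restriction for every domain rather than just polkit, the comment should reference the polkit crash it works around so the relaxation can be revisited once that is fixed, instead of only stating that it is required.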
@@ -107,7 +129,9 @@ src_compile() { for i in ${POLICY_TYPES}; do cd "${S}/${i}" || die - emake base + # flatcar changes + emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \ + LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i} if use doc; then emake html fi
@@ -140,14 +164,29 @@ src_install() { done + # flatcar changes + dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf" + systemd-tmpfiles --root="${D}" --create selinux-base.conf + docinto / dodoc doc/Makefile.example doc/example.{te,fc,if} doman man/man8/*.8; - insinto /etc/selinux + # flatcar changes + insinto /usr/lib/selinux doins "${FILESDIR}/config" + insinto /etc/selinux/mcs/contexts + doins "${FILESDIR}/lxc_contexts" + + # flatcar changes + mkdir -p "${D}/usr/lib/selinux" + for i in ${POLICY_TYPES}; do + mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux" + dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}" + done + insinto /usr/share/portage/config/sets doins "${FILESDIR}/selinux.conf" }
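Review bot: The new emake line in src_compile builds `"${ROOT}/usr/bin"` and `"${ROOT}/usr/lib64"` from `${ROOT}` but `"${ROOT%/}"/usr/share/selinux` from `${ROOT%/}`, so the same root is spelled two ways on one command; EAPI 7 specifies ROOT without a trailing slash, so `${ROOT}` alone is enough, but whichever form is chosen should be used for all three, e.g. `BINDIR="${ROOT}/usr/bin" NAME="${i}" SHAREDIR="${ROOT}/usr/share/selinux"`. `NAME=$i` and `-C "${S}"/${i}` leave `$i` unquoted, and the `-C` is redundant because the loop already ran `cd "${S}/${i}" || die` two lines earlier. Pointing LD_LIBRARY_PATH at `${ROOT}/usr/lib64` makes the host-side build tools invoked by make load libraries from the target root; if ROOT can ever be a cross sysroot in this SDK, a comment explaining why that is safe (or switching to the build-host prefix) is needed.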
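Review bot: In the src_install hunk, `systemd-tmpfiles --root="${D}" --create selinux-base.conf`, `mkdir -p "${D}/usr/lib/selinux"` and the `mv` inside the loop all run without `|| die`, so a failure — for example systemd-tmpfiles being absent from the build environment, which BDEPEND does not list — goes unnoticed and the install continues with /etc/selinux/${i} still a real directory; append `|| die` to each of the three. The loop then creates `/etc/selinux/${i}` with dosym for every policy type even though the tmpfiles run a few lines earlier has already created `/etc/selinux/mcs` from the shipped conf, so the two mechanisms overlap for mcs and diverge for any other entry in POLICY_TYPES; generating the tmpfiles entries from the same loop, or relying on the tmpfiles file alone, would leave one source of truth. The closing brace is the hunk's last line, but src_install begins outside the hunk.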