sec-policy/selinux-base: sync with Gentoo

Commit-Ref: ea4cd1f216
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest

@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch

@@ -1,24 +0,0 @@
-From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux <mathieu@kinvolk.io>
-Date: Fri, 4 Jun 2021 13:17:44 +0200
-Subject: [PATCH] policy/modules/kernel: all more actions for kernel
-
-Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
----
- policy/modules/kernel/kernel.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -351,6 +351,10 @@ files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
- 
- mcs_process_set_categories(kernel_t)
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_ptrace_all(kernel_t)
- 
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch

@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
--	(( h1 dom h2 ) and ( l2 eq h2 ));
-+	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
- 
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
--	( h1 dom h2 );
-+	(( h1 dom h2 ) or (t1 == mcswriteall));
- 
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
--	(( h1 dom h2 ) and ( l2 eq h2 ));
-+	((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
- 
- mlsconstrain process { transition dyntransition }
- 	(( h1 dom h2 ) or ( t1 == mcssetcats ));

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch

@@ -1,40 +0,0 @@
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
---- refpolicy/policy/modules/kernel/corenetwork.if.in	2022-01-12 16:59:47.572670384 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.if.in	2022-01-12 17:01:54.974858982 -0000
-@@ -879,6 +879,24 @@
- 
- ########################################
- ## <summary>
-+##	Bind ICMP sockets to generic nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_icmp_bind_generic_node',`
-+	gen_require(`
-+		type node_t;
-+	')
-+
-+	allow $1 node_t:icmp_socket node_bind;
-+')
-+
-+########################################
-+## <summary>
- ##	Bind TCP sockets to generic nodes.
- ## </summary>
- ## <desc>
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
---- refpolicy/policy/modules/kernel/corenetwork.te.in	2022-01-12 16:59:47.573670362 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.te.in	2022-01-12 17:03:12.754142616 -0000
-@@ -373,7 +373,7 @@
- 
- # Bind to any network address.
- allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
- 
- # Infiniband
- corenet_ib_access_all_pkeys(corenet_unconfined_type)

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts

@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-#    https://coreos.com/rkt/docs/latest/selinux.html
-#    https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf

@@ -1,4 +0,0 @@
-#Type	Path			Mode	UID 	GID 	Age	Argument
-d	/etc/selinux/		-	-	-	-	-
-L	/etc/selinux/config	-	-	-	-	../../usr/lib/selinux/config
-L	/etc/selinux/mcs	-	-	-	-	../../usr/lib/selinux/mcs

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest

@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config

@@ -12,4 +12,4 @@ SELINUX=permissive
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>selinux@gentoo.org</email>

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild

@@ -1,8 +1,12 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
 	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 			https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
 
-	KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+	KEYWORDS="amd64 arm arm64 ~mips x86"
 fi
 
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
 RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
 BDEPEND="
+	${PYTHON_DEPS}
 	>=sys-apps/checkpolicy-2.8
 	sys-devel/m4"
 

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild

@@ -1,13 +1,11 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
-# flatcar changes
-PYTHON_COMPAT=( python3_{8,9,10,11} )
+PYTHON_COMPAT=( python3_{9..11} )
 PYTHON_REQ_USE="xml(+)"
-TMPFILES_OPTIONAL=1
-inherit systemd tmpfiles python-any-r1
+inherit python-any-r1
 
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
@@ -17,9 +15,9 @@ if [[ ${PV} == 9999* ]]; then
 	inherit git-r3
 else
 	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
-			https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PV}-r2.tar.bz2"
+			https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
 
-	KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+	KEYWORDS="amd64 arm arm64 ~mips x86"
 fi
 
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -29,24 +27,12 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
 
-# flatcar changes
-RDEPEND=">=sys-apps/policycoreutils-2.8
-	>=sys-apps/checkpolicy-2.8
-"
+RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
-# flatcar: BDEPEND on python - normally pulled in through policycoreutils
-# but we made that dep conditional on USE=python
-BDEPEND="sys-devel/m4
-    ${PYTHON_DEPS}
-"
-
-
-# flatcar changes
-PATCHES=(
-	"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
-	"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
-	"${FILESDIR}"/icmp-bind.patch
-)
+BDEPEND="
+	${PYTHON_DEPS}
+	>=sys-apps/checkpolicy-2.8
+	sys-devel/m4"
 
 S=${WORKDIR}/
 
@@ -56,8 +42,6 @@ src_prepare() {
 		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 	fi
 
-	# flatcar changes
-	eapply -p0 "${PATCHES[@]}"
 	eapply_user
 
 	cd "${S}/refpolicy" || die
@@ -99,10 +83,6 @@ src_configure() {
 
 		sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
 
-		# flatcar changes: it's required to run polkit without segfault
-		# we need to pass this argument now before the compilation of the policy
-		sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
-
 		sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 			"${S}/${i}/build.conf" || die "build.conf setup failed."
 
@@ -132,9 +112,7 @@ src_compile() {
 
 	for i in ${POLICY_TYPES}; do
 		cd "${S}/${i}" || die
-		# flatcar changes
-		emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
-			LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
+		emake base
 		if use doc; then
 			emake html
 		fi
@@ -167,29 +145,14 @@ src_install() {
 
 	done
 
-	# flatcar changes
-	dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf"
-	systemd-tmpfiles --root="${D}" --create selinux-base.conf
-
 	docinto /
 	dodoc doc/Makefile.example doc/example.{te,fc,if}
 
 	doman man/man8/*.8;
 
-	# flatcar changes
-	insinto /usr/lib/selinux
+	insinto /etc/selinux
 	doins "${FILESDIR}/config"
 
-	insinto /etc/selinux/mcs/contexts
-	doins "${FILESDIR}/lxc_contexts"
-
-	# flatcar changes
-	mkdir -p "${D}/usr/lib/selinux"
-	for i in ${POLICY_TYPES}; do
-		mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
-		dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
-	done
-
 	insinto /usr/share/portage/config/sets
 	doins "${FILESDIR}/selinux.conf"
 }

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild

@@ -1,8 +1,12 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
 	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 			https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
 
-	KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+	KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
 fi
 
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
 RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
 BDEPEND="
+	${PYTHON_DEPS}
 	>=sys-apps/checkpolicy-2.8
 	sys-devel/m4"