From 3fe352040ad56c7df2781f72691bf522d7a843c9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Wed, 15 Dec 2021 19:58:16 +0100
Subject: [PATCH] sec-policy/selinux-base: Clean slate to reapply our changes
---
 ...s-kernel-all-more-actions-for-kernel.patch | 24 ---------
 ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 ----------
 .../sec-policy/selinux-base/files/booleans | 1 +
 .../sec-policy/selinux-base/files/config | 2 +-
 .../selinux-base/files/lxc_contexts | 10 ----
 .../files/tmpfiles.d/selinux-base.conf | 4 --
 .../selinux-base-2.20200818-r2.ebuild | 50 +++----------------
 7 files changed, 8 insertions(+), 110 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
deleted file mode 100644
index cf6406da73..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux
-Date: Fri, 4 Jun 2021 13:17:44 +0200
-Subject: [PATCH] policy/modules/kernel: all more actions for kernel
-
-Signed-off-by: Mathieu Tortuyaux
----
- policy/modules/kernel/kernel.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -351,6 +351,10 @@ files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-
- mcs_process_set_categories(kernel_t)
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_ptrace_all(kernel_t)
-
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
deleted file mode 100644
index 5cce12771a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or (t1 == mcswriteall));
-
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
-
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
new file mode 100644
index 0000000000..c12771d473
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
@@ -0,0 +1 @@
+allow_execmem = true
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
index 7b66367667..55933ea0e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
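Review bot: The new `files/booleans` sets `allow_execmem = true`, but nothing in this commit installs or consumes it: the ebuild's `src_configure` hunk (`@@ -95,10 +78,6 @@`) removes the `sed` that previously flipped `allow_execmem` in `policy/booleans.conf`, and no `${FILESDIR}/booleans` reference replaces it, so after this commit the boolean no longer reaches the built policy. Because this boolean relaxes the policy's executable-memory restriction, and the deleted comment says it was added to keep polkit from segfaulting, the file should carry a comment recording that reason and the consumer, e.g. `# allow_execmem: required by polkit (see selinux-base ebuild); relaxes the execmem restriction policy-wide`, and the follow-up that reapplies the Flatcar changes should wire it into the build explicitly rather than via a blind `sed`. The file also lacks a trailing newline.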
@@ -12,4 +12,4 @@ SELINUX=permissive
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index b9ce512118..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-# https://coreos.com/rkt/docs/latest/selinux.html
-# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index a123a51d15..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/config - - - - ../../usr/lib/selinux/config
-L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 17d06e1149..9eaddb863d 100644
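Review bot: `SELINUXTYPE=strict` points the boot-time policy load at `/etc/selinux/strict`, while every other artefact in this commit indicates the image ships the `mcs` tree (the deleted tmpfiles entry linked `/etc/selinux/mcs`, and lxc_contexts lived under `/etc/selinux/mcs/contexts`); whether a `strict` tree is actually built depends on `POLICY_TYPES`, which is not visible here. If that directory is absent, policy load fails at boot, and because the same file keeps `SELINUX=permissive` the failure is silent at runtime and only appears in the boot log. Either keep `SELINUXTYPE=mcs` until a strict policy is really installed, or add a comment above the assignment such as `# must match one of the POLICY_TYPES built by the selinux-base ebuild` so the coupling is explicit when the Flatcar changes are reapplied.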
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -3,9 +3,6 @@
 EAPI="7"
-# flatcar changes
-inherit systemd
-
 if [[ ${PV} == 9999* ]]; then
 EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -26,23 +23,11 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
-# flatcar changes
-RDEPEND=">=sys-apps/policycoreutils-2.8
- >=sys-apps/checkpolicy-2.8
-"
+RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
-# flatcar: BDEPEND on python3[xml] - normally pulled in through policycoreutils
-# but we made that dep conditional on USE=python
-BDEPEND="sys-devel/m4
- >=dev-lang/python-3[xml]
-"
-
-
-# flatcar changes
-PATCHES=(
- "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
- "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
-)
+BDEPEND="
+ >=sys-apps/checkpolicy-2.8
+ sys-devel/m4"
 S=${WORKDIR}/
@@ -52,8 +37,6 @@ src_prepare() {
 eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 fi
- # flatcar changes
- eapply -p0 "${PATCHES[@]}"
 eapply_user
 cd "${S}/refpolicy" || die
@@ -95,10 +78,6 @@ src_configure() {
 sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
- # flatcar changes: it's required to run polkit without segfault
- # we need to pass this argument now before the compilation of the policy
- sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
-
 sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 "${S}/${i}/build.conf" || die "build.conf setup failed."
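Review bot: In the `@@ -26,23 +23,11 @@` hunk the new `BDEPEND` drops `>=dev-lang/python-3[xml]`, and the deleted comment next to it states that this overlay's policycoreutils only pulls python in under `USE=python`; if that is still true, the policy build will run on an SDK where python3 with xml support is not guaranteed, which is exactly the gap the removed dependency closed. A clean slate is fine, but the commit message only says the changes are to be reapplied, so the rationale should survive somewhere: either keep a one-line `# python3[xml] needed by the refpolicy build; policycoreutils here does not pull it in unconditionally` above `BDEPEND`, or note in the description that the python dependency returns in the follow-up. The removal of `inherit systemd` and of `PATCHES` (hunks `@@ -3,9 +3,6 @@` and `@@ -52,8 +37,6 @@`) are consistent with each other and need no further change.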
@@ -128,9 +107,7 @@ src_compile() {
 for i in ${POLICY_TYPES}; do
 cd "${S}/${i}" || die
- # flatcar changes
- emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
- LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
+ emake base
 if use doc; then
 emake html
 fi
@@ -163,29 +140,14 @@ src_install() {
 done
- # flatcar changes
- systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf"
- systemd-tmpfiles --root="${D}" --create selinux-base.conf
-
 docinto /
 dodoc doc/Makefile.example doc/example.{te,fc,if}
 doman man/man8/*.8;
- # flatcar changes
- insinto /usr/lib/selinux
+ insinto /etc/selinux
 doins "${FILESDIR}/config"
- insinto /etc/selinux/mcs/contexts
- doins "${FILESDIR}/lxc_contexts"
-
- # flatcar changes
- mkdir -p "${D}/usr/lib/selinux"
- for i in ${POLICY_TYPES}; do
- mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
- dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
- done
-
 insinto /usr/share/portage/config/sets
 doins "${FILESDIR}/selinux.conf"
 }