From 40fca7ddf18d8b718984804775752a4435a4340a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 24 Aug 2015 11:38:41 -0700 Subject: [PATCH] Fix selinux configuration file location We were installing selinux configuration files in /etc which caused problems on upgrades. Move them into /usr and ensure that systemd sets up appropriate temporary files. Fixes https://github.com/coreos/bugs/issues/447 --- ...03-r5.ebuild => selinux-base-policy-2.20141203-r6.ebuild} | 0 .../selinux-base/files/tmpfiles.d/selinux-base.conf | 1 + ....20141203-r5.ebuild => selinux-base-2.20141203-r6.ebuild} | 4 +++- .../sec-policy/selinux-base/selinux-base-9999.ebuild | 5 ++++- ...203-r5.ebuild => selinux-unconfined-2.20141203-r6.ebuild} | 0 ....20141203-r5.ebuild => selinux-virt-2.20141203-r6.ebuild} | 0 .../sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf | 1 + .../{libsemanage-2.4-r1.ebuild => libsemanage-2.4-r2.ebuild} | 4 +++- .../sys-libs/libsemanage/libsemanage-9999.ebuild | 4 +++- 9 files changed, 15 insertions(+), 4 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r5.ebuild => selinux-base-policy-2.20141203-r6.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r5.ebuild => selinux-base-2.20141203-r6.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r5.ebuild => selinux-unconfined-2.20141203-r6.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r5.ebuild => selinux-virt-2.20141203-r6.ebuild} (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-2.4-r1.ebuild => libsemanage-2.4-r2.ebuild} (96%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r6.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r6.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
index 47d2403c04..d5023d851b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
@@ -1,2 +1,3 @@
 d /etc/selinux/ - - - - -
+L /etc/selinux/config - - - - ../../usr/lib/selinux/config
 L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r6.ebuild
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r6.ebuild
index eaa64ca17a..75c098feda 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r6.ebuild
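Review bot: The added `L /etc/selinux/config` line in files/tmpfiles.d/selinux-base.conf only creates the symlink when nothing exists at that path, so a machine upgraded from an image that left a regular file in /etc/selinux will presumably keep reading that file instead of /usr/lib/selinux/config. That file selects the SELinux mode and policy type, so the snippet should state which behaviour is intended, for example with a leading comment `# L does not replace an existing /etc/selinux/config; a local file there overrides /usr/lib/selinux/config`, or use `L+` if the shipped file must always win. The same applies to the `L /etc/selinux/semanage.conf` line in the new libsemanage.conf.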
@@ -160,11 +160,13 @@ src_install() { done systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf" + systemd-tmpfiles --root="${D}" --create selinux-base.conf + dodoc doc/Makefile.example doc/example.{te,fc,if} doman man/man8/*.8; - insinto /etc/selinux + insinto /usr/lib/selinux doins "${FILESDIR}/config" insinto /etc/selinux/mcs/contexts diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild index 19cfbd7b52..12f53be9eb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild @@ -156,11 +156,14 @@ src_install() { done + systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf" + systemd-tmpfiles --root="${D}" --create selinux-base.conf + dodoc doc/Makefile.example doc/example.{te,fc,if} doman man/man8/*.8; - insinto /etc/selinux + insinto /usr/lib/selinux doins "${FILESDIR}/config" } diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r6.ebuild 
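Review bot: The new `systemd-tmpfiles --root="${D}" --create selinux-base.conf` call in src_install of selinux-base-2.20141203-r6.ebuild has no failure check, and an external command that fails inside an ebuild phase does not abort the phase on its own. If it fails, /etc/selinux/mcs is presumably not a symlink in the image, and the later `insinto /etc/selinux/mcs/contexts` would put policy files under /etc again, which is the situation this commit is fixing. Write it as `systemd-tmpfiles --root="${D}" --create selinux-base.conf || die`. The same line is added in the selinux-base-9999.ebuild hunk, and src_install starts before and continues after this hunk.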
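Review bot: `systemd_dotmpfilesd` is newly called in the selinux-base-9999.ebuild hunk, but this commit does not touch that file's `inherit` line, whereas both libsemanage ebuilds gain `systemd` there. The inherit line is outside the hunk, so confirm it already lists the systemd eclass and append `systemd` to it if it does not. Without the eclass the helper is undefined, and the tmpfiles.d snippet and the symlinks created from it would be missing from the live ebuild's image.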
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r6.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf new file mode 100644 index 0000000000..32f68ae9dd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf @@ -0,0 +1 @@ +L /etc/selinux/semanage.conf - - - - ../../usr/lib/selinux/semanage.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild index 1a0c7f54a4..58a907baad 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild @@ -5,7 +5,7 @@ EAPI="5" PYTHON_COMPAT=( python2_7 python3_3 python3_4 ) -inherit multilib python-r1 toolchain-funcs eutils multilib-minimal +inherit multilib python-r1 toolchain-funcs eutils multilib-minimal systemd MY_P="${P//_/-}" 
@@ -92,6 +92,7 @@ multilib_src_compile() { multilib_src_install() { emake \ + DEFAULT_SEMANAGE_CONF_LOCATION="${ED}/usr/lib/selinux/semanage.conf" \ LIBDIR="${ED}/usr/$(get_libdir)" \ SHLIBDIR="${ED}/usr/$(get_libdir)" \ DESTDIR="${ED}" install @@ -104,4 +105,5 @@ multilib_src_install() { } python_foreach_impl installation_py fi + systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/libsemanage.conf" } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild index 08d20dae86..e6f61bd637 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild @@ -5,7 +5,7 @@ EAPI="5" PYTHON_COMPAT=( python2_7 python3_3 python3_4 ) -inherit multilib python-r1 toolchain-funcs eutils multilib-minimal +inherit multilib python-r1 toolchain-funcs eutils multilib-minimal systemd MY_P="${P//_/-}" MY_RELEASEDATE="20150202" @@ -102,6 +102,7 @@ multilib_src_compile() { multilib_src_install() { emake \ + DEFAULT_SEMANAGE_CONF_LOCATION="${ED}/usr/lib/selinux/semanage.conf" \ LIBDIR="${ED}/usr/$(get_libdir)" \ SHLIBDIR="${ED}/usr/$(get_libdir)" \ DESTDIR="${ED}" install @@ -114,4 +115,5 @@ multilib_src_install() { } python_foreach_impl installation_py fi + systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/libsemanage.conf" }
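Review bot: `DEFAULT_SEMANAGE_CONF_LOCATION` is passed only to the `emake ... install` call in multilib_src_install, so it changes where semanage.conf is installed; nothing in these hunks changes where the library looks for it at run time, which presumably stays /etc/selinux/semanage.conf by way of the new tmpfiles.d symlink. Unlike selinux-base, this ebuild installs libsemanage.conf with `systemd_dotmpfilesd` but does not run `systemd-tmpfiles --root=... --create`, so the symlink exists only once tmpfiles has run on the target. A comment above the emake line such as `# semanage.conf lives in /usr; /etc/selinux/semanage.conf is a tmpfiles.d symlink created at boot` would record that dependency. This applies to both libsemanage-2.4-r2.ebuild and libsemanage-9999.ebuild, whose function bodies are only partly visible here.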