Merge pull request #1426 from flatcar-linux/tormath1/selinux

sec-policy/selinux-base-policy: add capability to unlabeled_t
2025-08-17 18:06:59 +02:00 · 2021-11-18 16:57:53 +01:00 · 2021-11-18 16:57:53 +01:00 · 46edd14fad
commit 46edd14fad
parent c7acab5ccc 5c25c3835c
2 changed files with 15 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
@ -0,0 +1,11 @@
+index 7c60eda2c..736187b7a 100644
+--- refpolicy/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
+@@ -191,6 +191,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ type unlabeled_t;
+ kernel_rootfs_mountpoint(unlabeled_t)
+ fs_associate(unlabeled_t)
+fs_associate_tmpfs(unlabeled_t)
+ sid file gen_context(system_u:object_r:unlabeled_t,s0)
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ neverallow * unlabeled_t:file entrypoint;
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@ -39,6 +39,10 @@ PATCHES=(
 	"${FILESDIR}/init.patch"
 	"${FILESDIR}/locallogin.patch"
 	"${FILESDIR}/logging.patch"
+	# this patch is required to prevent `torcx-generator`
+	# to fail if SELinux is enforced in early boot.
+	# It can be removed once we drop torcx support.
+	"${FILESDIR}/unlabeled.patch"
 )

 # Code entirely copied from selinux-eclass (cannot inherit due to dependency on