From 49fb14d782a41d2adccb48b631f6eac72b971ff7 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Wed, 21 Feb 2024 16:11:50 +0100
Subject: [PATCH] overlay coreos-base/misc-files: Recreate a symlink on filesystem wipe

The path where the SELinux policy modules are built is normally /var/lib/selinux. In our case we want to have those policies to be installed somewhere under /usr. So we have a setup where /var/lib/selinux is a symlink to /usr/lib/selinux/policy. The /var/lib/selinux directory is normally created by sys-apps/policycoreutils directory and we don't want to change it in order to pursue the goal of putting the package back to portage-stable. On the other hand, the override of modules directory location can't happen in the coreos-base/misc-files package, because sys-apps/policycoreutils needs that directory to be already set up in the package post installation time. The override of the SELinux policy modules directory needs to be done in the bashrc hook unfortunately. This will come in the follow-up commit. So the only thing left is to set up tmpfiles configuration file to recreate the /var/lib/selinux symlink, since it can be removed when wiping the filesystem.
---
 .../misc-files/files/10-var-lib-selinux.conf | 2 ++
 ...les-0-r3.ebuild => misc-files-0-r4.ebuild} | 21 ++++++++++++++-----
 2 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r3.ebuild => misc-files-0-r4.ebuild} (90%)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf
new file mode 100644
index 0000000000..f763cf3e45
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+L /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
index 79aae29e95..f282ddd6fc 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh ntp"
+IUSE="openssh ntp policycoreutils"
 
 # No source directory.
 S="${WORKDIR}"
@@ -23,15 +23,16 @@ S="${WORKDIR}"
 # net-misc/openssh must be installed on host for enabling its unit to
 # work during installation.
 DEPEND="
- openssh? ( >=net-misc/openssh-9.4_p1 )
+ openssh? ( >=net-misc/openssh-9.4_p1 )
 "
 
 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
- ${DEPEND}
- >=app-shells/bash-5.2_p15-r2
- ntp? ( >=net-misc/ntp-4.2.8_p17 )
+ ${DEPEND}
+ >=app-shells/bash-5.2_p15-r2
+ ntp? ( >=net-misc/ntp-4.2.8_p17 )
+ policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
 "
 
 declare -A CORE_BASH_SYMLINKS
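Review bot: The `L` entry creates `/var/lib/selinux` only when nothing exists at that path, so if a real directory is present when systemd-tmpfiles runs (a wipe that left `/var/lib` partially populated, or any earlier unit that creates the SELinux store), the entry is skipped with a log line and the module store silently diverges from `/usr/lib/selinux/policy` — the exact situation this file is meant to prevent. If clobbering is acceptable, `L+ /var/lib/selinux - - - - ../../usr/lib/selinux/policy` replaces an existing path, but `+` removes a pre-existing directory, so only choose it if a stray real store never holds anything worth keeping; otherwise state the assumption in the file, e.g. `# L (not L+): a pre-existing real directory is left in place and logged, never replaced`. The trailing slash in `/var/lib/selinux/` is unusual for a symlink entry; I believe systemd-tmpfiles normalizes it, but `/var/lib/selinux` is the unambiguous spelling and matches the commit message. Since the target lives under /usr, which is presumably read-only at runtime on this distro, a one-line comment noting that `semodule` writes are expected to fail outside the build would save the next reader a debugging session.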
@@ -171,6 +172,16 @@ src_install() {
 misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
 fi
+ if use policycoreutils; then
+ # Exceptionally, the location for policy definitions is set up
+ # in profiles/coreos/base/profile.bashrc. See the comment for
+ # cros_post_src_install_set_up_var_lib_selinux for reasoning.
+ #
+ # Recreate the symlink in /var in case of wiping the root
+ # filesystem.
+ dotmpfiles "${FILESDIR}/10-var-lib-selinux.conf"
+ fi
+
 # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
 # (The below keepdir will result in a tmpfiles entry in base_image_var.conf)
 keepdir /var/kubernetes/kubelet-plugins/volume/exec
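Review bot: The new comment in `src_install` points readers to `cros_post_src_install_set_up_var_lib_selinux` in `profiles/coreos/base/profile.bashrc`, but per the commit message that hook only lands in a follow-up commit, so at this revision the reference is dangling; either land the hook first or phrase the comment as forward-looking, e.g. `# ... (hook added in a follow-up commit)`. `dotmpfiles` comes from the systemd/tmpfiles eclass, and the `inherit` line is outside this hunk, so I am assuming it is already present given the existing tmpfiles handling for `/var/kubernetes`. `src_install` starts and ends outside this hunk.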