From 832bdb51fca75ffdef3045b95679d47ac71f7a62 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 13 Jan 2022 16:48:00 +0100
Subject: [PATCH] sys-apps/policycoreutils: fix policy root path root needs to be specified with -p instead of -S. The policy dir (-S) defaults to (-p) + /var/lib/selinux/ + (-s). Picked from upstream: https://github.com/gentoo/gentoo/commit/54a8322d1885f7f1bfe2718fb731d6e195f86466
Closes: https://github.com/flatcar-linux/Flatcar/issues/596
Signed-off-by: Mathieu Tortuyaux
---
 .../bugfixes/2022-01-13-policycoreutils-fix-root-path.md | 1 +
 .../sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2022-01-13-policycoreutils-fix-root-path.md
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2022-01-13-policycoreutils-fix-root-path.md b/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2022-01-13-policycoreutils-fix-root-path.md
new file mode 100644
index 0000000000..77fb882557
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2022-01-13-policycoreutils-fix-root-path.md
@@ -0,0 +1 @@
+- Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in `policycoreutils` instead of `/var/lib/selinux` ([flatcar-linux/Flatcar#596](https://github.com/flatcar-linux/Flatcar/issues/596))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild
index 949fd35c8c..ca31fa2cea 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild
@@ -220,6 +220,6 @@ pkg_postinst() {
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
 einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
- semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
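Review bot: The corrected `semodule -p` call in pkg_postinst() only takes effect where this postinst runs again, and the ebuild is edited in place as policycoreutils-3.1-r3 with no revision bump. A root that already has r3 merged would presumably keep the store that the old `-S "${ROOT:-/}"` call wrote at the top of `${ROOT}`, and its store under `/var/lib/selinux` would not have been rebuilt by that step. If existing SDK or image roots matter here, consider a revbump, or a one-time check for a leftover store directory directly under `${ROOT}`. It would also help to record the flag semantics above the call, e.g. `# -p is the policy root; the store dir (-S) defaults to <root>/var/lib/selinux/<store>`. The `for` loop closed by `done` starts outside the hunk.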