coreos/user-patches: add selinux-base

* add selinux patches (icmp-bind, relabel and kernel permissions) * ship our own config file Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2025-08-12 23:46:59 +02:00 · 2023-06-13 17:13:46 +02:00 · 2023-06-13 17:13:46 +02:00 · ac520d6588
commit ac520d6588
parent 3de5229a3c
4 changed files with 102 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/config"
+INSTALL_MASK+=" /etc/selinux/config"
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@ -0,0 +1,16 @@
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5af5..b5cf0e3c0 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -363,6 +363,11 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
+mcs_killall(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_ptrace_all(kernel_t)
+allow kernel_t self:user_namespace create;
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
@ -0,0 +1,44 @@
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 495cbe2f4..a5605f866 100644
+--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
+@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
+
+ 	typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+## <summary>
+##	Relabel all files on the filesystem, except
+##	policy_config_t and exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_non_policy_files',`
+	gen_require(`
+		attribute file_type;
+		type policy_config_t;
+	')
+
+	allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
+	relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	# this is only relabelfrom since there should be no
+	# device nodes with file types.
+	relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+	relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+')
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.if.in	2022-01-12 16:59:47.572670384 -0000
+++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in	2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+
+ ########################################
+ ## <summary>
+##	Bind ICMP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_icmp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:icmp_socket node_bind;
+')
+
+########################################
+## <summary>
+ ##	Bind TCP sockets to generic nodes.
+ ## </summary>
+ ## <desc>
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.te.in	2022-01-12 16:59:47.573670362 -0000
+++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in	2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)