From f0f961731652a6856cabd0fabb0eb00ab9375157 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Wed, 1 Sep 2021 14:50:43 +0200
Subject: [PATCH] profiles: Enable selinux for all targets
Move the USE options out of the amd64 path, specify selinux packages as explicit dependency, and add accept keywords.
---
 .../coreos-base/coreos/coreos-0.0.1.ebuild | 12 ++++++++----
 .../profiles/coreos/amd64/generic/package.use | 14 --------------
 .../profiles/coreos/amd64/generic/use.mask | 2 --
 .../profiles/coreos/amd64/sdk/package.use | 5 -----
 .../profiles/coreos/amd64/sdk/use.mask | 2 --
 .../profiles/coreos/arm64/package.use | 2 --
 .../profiles/coreos/base/package.accept_keywords | 5 +++++
 .../profiles/coreos/base/package.use | 14 ++++++++++++++
 .../coreos-overlay/profiles/coreos/base/use.mask | 3 +++
 9 files changed, 30 insertions(+), 29 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index acac5e1000..9235e6d9ea 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -65,13 +65,11 @@ IUSE="selinux"
 RDEPEND=">=sys-apps/baselayout-3.0.0"
-# Optionally enable SELinux and pull in policy for containers
+# Optionally enable SELinux for dbus and systemd (but always install packages and pull in the SELinux policy for containers)
 RDEPEND="${RDEPEND}
 sys-apps/dbus[selinux?]
 sys-apps/systemd[selinux?]
- selinux? (
- sec-policy/selinux-virt
- )"
+ "
 # Only applicable or available on amd64
 RDEPEND="${RDEPEND}
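Review bot: The replacement for the removed `selinux? ( … )` group leaves a continuation line holding nothing but the closing quote (`+	"`); closing the string on the previous entry instead, `sys-apps/systemd[selinux?]"`, avoids a whitespace-only line in RDEPEND. The rewritten comment also runs well past the usual line length; splitting it as `# Optionally enable SELinux support in dbus and systemd; the policy packages` / `# themselves are always installed (see the RDEPEND list further below).` reads better. After this change the `selinux` IUSE flag only toggles the dbus/systemd USE dependency and no longer gates any policy install, which is worth saying explicitly in that comment so nobody relies on the old conditional.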
@@ -141,9 +139,14 @@ RDEPEND="${RDEPEND}
 net-misc/wget
 net-misc/whois
 net-vpn/wireguard-tools
+ sec-policy/selinux-virt
+ sec-policy/selinux-base
+ sec-policy/selinux-base-policy
+ sec-policy/selinux-unconfined
 sys-apps/acl
 sys-apps/attr
 sys-apps/coreutils
+ sys-apps/checkpolicy
 sys-apps/dbus
 sys-apps/diffutils
 sys-apps/ethtool
@@ -163,6 +166,7 @@ RDEPEND="${RDEPEND}
 sys-apps/rng-tools
 sys-apps/sed
 sys-apps/seismograph
+ sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/usbutils
 sys-apps/util-linux
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
index c2227d4ed1..d71d119c57 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
@@ -1,17 +1,3 @@
-# Enable SELinux for amd64 targets
-coreos-base/coreos selinux
-sys-apps/dbus selinux
-sys-apps/systemd selinux
-
-# Enable SELinux for coreutils
-sys-apps/coreutils selinux
-
-# Enable SELinux for tar
-app-arch/tar selinux
-
-# Enable SELinux for docker-runc
-app-emulation/docker-runc selinux
-
 # Only ship microcode currently distributed by Intel
 # See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer
 sys-firmware/intel-microcode vanilla
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
index a24662d0ea..e69de29bb2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
@@ -1,2 +0,0 @@
-# Unmask selinux so it can be enabled selectively in package.use
--selinux
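Review bot: The added entries break the alphabetical order the RDEPEND list otherwise keeps — `sec-policy/selinux-virt` is inserted ahead of `selinux-base`, and `sys-apps/checkpolicy` lands after `sys-apps/coreutils`; sorting them (`selinux-base`, `selinux-base-policy`, `selinux-unconfined`, `selinux-virt`, and `checkpolicy` before `coreutils`) keeps the list greppable. More importantly, `sys-apps/checkpolicy` here and `sys-apps/semodule-utils` in the following hunk (`@@ -163,6 +166,7 @@`) become runtime dependencies of the image; if they are only needed to compile the policy modules that belongs in the sec-policy ebuilds' own build dependencies, and if they are intended for managing modules on the running host a one-line comment saying so would prevent a later cleanup from dropping them. `sec-policy/selinux-unconfined` also deserves a short comment on why the unconfined module is part of the base set, since it largely decides how much the installed policy actually confines. The RDEPEND assignment continues outside both hunks.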
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
index 337d8426c1..e69de29bb2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
@@ -1,5 +0,0 @@
-# Enable SELinux for amd64 targets
-app-arch/tar selinux
-sys-apps/coreutils selinux
-coreos-base/coreos selinux
-
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/use.mask
index a24662d0ea..e69de29bb2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/use.mask
@@ -1,2 +0,0 @@
-# Unmask selinux so it can be enabled selectively in package.use
--selinux
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
index dedfdcde32..6e5cf08154 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
@@ -6,6 +6,4 @@ net-dns/bind-tools -gssapi
 # FIXME: why isn't this set by default???
 sys-libs/ncurses unicode
-sys-apps/systemd -selinux
-
 sys-auth/polkit -introspection
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index d6e85cd49f..a9ab6cc8e8 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -70,6 +70,11 @@ dev-util/checkbashisms
 =sys-libs/libsepol-2.4 **
 =sys-libs/libselinux-2.4 **
+=sys-apps/checkpolicy-3.1 **
+=sec-policy/selinux-base-2.20200818-r2 **
+=sec-policy/selinux-base-policy-2.20200818-r2 **
+=sec-policy/selinux-unconfined-2.20200818-r2 **
+=sec-policy/selinux-virt-2.20200818-r2 **
 =net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index cc4fa1f843..fcc37c7231 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -100,6 +100,20 @@ sys-apps/man-db -nls
 # Disable zstd to avoid adding it to prod images until something needs it
 sys-fs/btrfs-progs -zstd
+# Enable SELinux for all targets
+coreos-base/coreos selinux
+sys-apps/dbus selinux
+sys-apps/systemd selinux
+
+# Enable SELinux for coreutils
+sys-apps/coreutils selinux
+
+# Enable SELinux for tar
+app-arch/tar selinux
+
+# Enable SELinux for docker-runc
+app-emulation/docker-runc selinux
+
 # enable regular expression processing in jq
 app-misc/jq oniguruma
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
index 765a2a06db..cd9bf3524b 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
@@ -4,3 +4,6 @@ kdbus
 # We default to python 3.6 for now
 python_targets_python3_7
 python_single_target_python3_7
+
+# Unmask selinux so it can be enabled selectively in package.use
+-selinux
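Review bot: The five new entries accept the pinned versions with `**`, which accepts a package even when it carries no keyword for the target architecture at all; that mirrors the neighbouring libsepol/libselinux lines, but since this is the first time the policy packages are pulled in on arm64, it is worth confirming they build there, because `**` will never surface a missing arm64 keyword the way `~amd64 ~arm64` (as used for openssh just below) would. The exact `=` pins also mean every later bump of these sec-policy versions in the overlay has to be mirrored here or the packages silently drop out of the accepted set, so a comment such as `# keep in sync with the sec-policy/* and checkpolicy ebuild versions in the overlay` would help the next maintainer. Note that the pinned policy release date (2.20200818) is about a year older than this commit, so checking whether a newer policy set is already available before pinning seems prudent.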
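Review bot: Moving these USE settings into the base profile also switches the arm64 profile to SELinux-enabled builds of systemd, dbus, coreutils, tar and docker-runc, because this commit drops the `sys-apps/systemd -selinux` override from `profiles/coreos/arm64/package.use`; nothing on this page shows that the arm64 kernel configuration enables SELinux, so that should be confirmed, otherwise the policy is installed but never loaded. The base profile is presumably inherited by the SDK profile as well, which previously enabled selinux only for tar, coreutils and coreos-base/coreos, so dbus, systemd and docker-runc in the SDK now change too; stating that in the header, `# Enable SELinux for all targets (prod images and SDK)`, makes the widened scope explicit. The per-package comments otherwise follow the file's existing style.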
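Review bot: With the global `-selinux` unmask now living in the base profile, the amd64 generic and sdk `use.mask` files and the amd64 sdk `package.use` are left behind as empty files (their new blob id e69de29bb2 is the empty blob) instead of being removed; deleting them with `git rm` keeps the profile tree from collecting empty placeholders. The new comment is carried over verbatim from the amd64 files, but `# Unmask selinux so it can be enabled per package in package.use` describes the current intent more precisely now that the flag is turned on for every target. Since the unmask is profile-wide, any other package with a `selinux` IUSE will from now on follow its own IUSE default rather than stay masked, which may be worth a one-line note next to the unmask.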