From ce550930d01836e40073314b5a013999783ec711 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 5 May 2016 13:27:07 +0100 Subject: [PATCH] sec-policy: Permit execmem in selinux policy polkit is failing when selinux is enforcing as it is attempting to mmap pages as both writable and executable and selinux is forbidding this. Since we want selinux for container isolation rather than general system confinement, the easiest fix for now is to just add the selinux boolean to permit execmem. The selinux eclass is modified to hardcode the gentoo patchset that we're basing our policy on - otherwise bumping the revision for our local builds tries to pull down versions that don't exist. --- .../third_party/coreos-overlay/eclass/selinux-policy-2.eclass | 2 +- ...203-r9.ebuild => selinux-base-policy-2.20141203-r10.ebuild} | 2 +- .../coreos-overlay/sec-policy/selinux-base/files/booleans | 1 + ...2.20141203-r9.ebuild => selinux-base-2.20141203-r10.ebuild} | 3 ++- ...1203-r9.ebuild => selinux-unconfined-2.20141203-r10.ebuild} | 0 ...2.20141203-r9.ebuild => selinux-virt-2.20141203-r10.ebuild} | 0 6 files changed, 5 insertions(+), 3 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r9.ebuild => selinux-base-policy-2.20141203-r10.ebuild} (99%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r9.ebuild => selinux-base-2.20141203-r10.ebuild} (97%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r9.ebuild => selinux-unconfined-2.20141203-r10.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r9.ebuild => selinux-virt-2.20141203-r10.ebuild} (100%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
index 8a7821ea3f..8327c71399 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
@@ -90,7 +90,7 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then
 SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
- http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+ http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2"
 elif [[ "${BASEPOL}" != "9999" ]]; then
 SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r10.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r10.ebuild
index 6e0b7b78db..0d1dab10a2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r10.ebuild
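Review bot: The literal `2.20141203-r9` on the added SRC_URI line makes a generic eclass silently ignore `${BASEPOL}` for the patchbundle, so a later BASEPOL bump in a module ebuild keeps fetching the r9 bundle with nothing in the eclass saying why; the same literal is pinned again in the selinux-base-policy and selinux-base ebuild hunks that follow. A comment above the assignment would record the intent, e.g. `# Pinned: our local -rN bumps have no matching Gentoo patchbundle; r9 is the upstream bundle this policy is based on`, and holding the revision in one named variable near the top of the eclass (something like `GENTOO_PATCHBUNDLE_REV="2.20141203-r9"`) would keep the three copies in step. If any other part of the eclass still derives the bundle filename from `${BASEPOL}` (the Gentoo version of this eclass, as I recall, builds a `PATCHBUNDLE` path under `${DISTDIR}` that way), it would now name a file that is never fetched, which is worth confirming in the rest of the eclass outside this hunk. The `if`/`elif` block containing the assignment continues past the end of the hunk.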
@@ -15,7 +15,7 @@ if [[ ${PV} == 9999* ]]; then
 KEYWORDS=""
 else
 SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
- http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+ http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-2.20141203-r9.tar.bz2"
 KEYWORDS="amd64 x86"
 fi
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
new file mode 100644
index 0000000000..c12771d473
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
@@ -0,0 +1 @@
+allow_execmem = true
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r10.ebuild
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r10.ebuild
index 9142047e87..3661151504 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r10.ebuild
@@ -15,7 +15,7 @@ if [[ ${PV} == 9999* ]]; then
 KEYWORDS=""
 else
 SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
- http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
+ http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2"
 KEYWORDS="amd64 x86"
 fi
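Review bot: `allow_execmem = true` in the new booleans file is a policy-wide switch: it relaxes the execmem check for every domain whose rules are conditioned on that boolean, not only polkit, so the W^X relaxation is broader than the polkit rationale in the commit message and the file itself gives the next reader no hint of why it exists. If the booleans parser accepts comment lines (I believe libselinux skips lines beginning with `#`, but confirm before relying on it), a one-line header such as `# polkit maps pages W+X under enforcing mode; revisit once a polkit-scoped execmem rule exists` would record both the reason and the intended scope. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is being added. A narrower follow-up would be an execmem allow rule limited to the polkit domain, which keeps the restriction in place for everything else.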
@@ -148,6 +148,7 @@ src_install() {
 echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
 echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
+ cp "${FILESDIR}/booleans" "${D}/etc/selinux/${i}/booleans"
 # libsemanage won't make this on its own
 keepdir "/etc/selinux/${i}/policy"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r10.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r10.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r10.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r10.ebuild
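Review bot: The added `cp` line has no `|| die`, so a failed copy lets the install phase continue and the package merge without its booleans file (ebuild phase functions are not run under `set -e`), and it carries over whatever mode the file happens to have in `${FILESDIR}` rather than a known install mode. The ebuild idiom for this is `insinto "/etc/selinux/${i}"` followed by `doins "${FILESDIR}/booleans"`, which aborts on failure and installs the file as 0644. The neighbouring `echo` redirections have the same silent-failure property, but that is pre-existing. `src_install` and the loop that defines `${i}` begin before this hunk.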