sec-policy/selinux-base-policy: sync with upstream

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
2025-08-18 02:16:59 +02:00 · 2021-06-02 15:44:15 +02:00 · 2021-06-02 15:44:15 +02:00 · d819e2afa4
commit d819e2afa4
parent e472af562e
9 changed files with 312 additions and 1278 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/ChangeLog
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/ChangeLog
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest
@ -1,2 +1,4 @@
-DIST patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2 299602 SHA256 e8518004942a6c57170a609683e22b1410c93a2a195829c41dc8fbc703d941b5 SHA512 ce6484fbca1d2d074e50d1a3953392bd3ce0a4617df98fbac37747b469b4f160a9331586dfe1c3ddccb1ccbee24876a2f05ab49e37c8492a48baf83c2d01d140 WHIRLPOOL 1fd7b956e98e95a64c3a713a944d4531259bd156a7feabf6a89c4b5f33ac846377730eede97889e85183be086f282ebd18e860214f6ca3f01b40f2323470ee04
-DIST refpolicy-2.20141203.tar.bz2 680243 SHA256 f438209c430d8a2d4ddcbe4bdd3edb46f6af7dc4913637af0b73c635e40c1522 SHA512 682e4280c5799e4c12ec7594afc1389f67be35055748d2e0dbdc3419159a16c96d4946ca6178daee8370515951f8653b2e452efe8c962b8d7f9bc192f0b15a0c WHIRLPOOL 74bca232534e7af9051bb1ab9f77c1ff6c425781cf4561f781d6e9a40cc5ca0d9add540249ea5493e8782a9372aea296ead6c165c6c440ae1509eb319d151ee5
+DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
+DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
+DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
+DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/config
@ -1,15 +0,0 @@
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-#	enforcing - SELinux security policy is enforced.
-#	permissive - SELinux prints warnings instead of enforcing.
-#	disabled - No SELinux policy is loaded.
-SELINUX=permissive
-
-# SELINUXTYPE can take one of these four values:
-#	targeted - Only targeted network daemons are protected.
-#	strict   - Full SELinux protection.
-#	mls      - Full SELinux protection with Multi-Level Security
-#	mcs      - Full SELinux protection with Multi-Category Security 
-#	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/modules.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/modules.conf
@ -1,50 +0,0 @@
-application = base
-authlogin = base
-bootloader = base
-clock = base
-consoletype = base
-corecommands = base
-corenetwork = base
-cron = base
-devices = base
-dmesg = base
-domain = base
-files = base
-filesystem = base
-fstools = base
-getty = base
-hostname = base
-hotplug = base
-init = base
-iptables = base
-kernel = base
-libraries = base
-locallogin = base
-logging = base
-lvm = base
-miscfiles = base
-mcs = base
-mls = base
-modutils = base
-mount = base
-mta = base
-netutils = base
-nscd = base
-portage = base
-raid = base
-rsync = base
-selinux = base
-selinuxutil = base
-ssh = base
-staff = base
-storage = base
-su = base
-sysadm = base
-sysnetwork = base
-terminal = base
-ubac = base
-udev = base
-userdomain = base
-usermanage = base
-unprivuser = base
-xdg = base
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml
@ -1,12 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-	<herd>selinux</herd>
+	<maintainer type="project">
+		<email>selinux@gentoo.org</email>
+		<name>SELinux Team</name>
+	</maintainer>
 	<longdescription>
 		Gentoo SELinux base policy.  This contains policy for a system at the end of system installation.
 		There is no extra policy in this package.
 	</longdescription>
 	<use>
-		<flag name='unconfined'>Enable support for the unconfined SELinux policy module</flag>
+		<flag name="unconfined">Enable support for the unconfined SELinux policy module</flag>
 	</use>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r14.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r14.ebuild
@ -1,117 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild,v 1.3 2015/06/05 16:10:32 perfinion Exp $
-EAPI="5"
-
-inherit eutils
-
-if [[ ${PV} == 9999* ]]; then
-	EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
-	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
-	EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
-
-	inherit git-2
-
-	KEYWORDS=""
-else
-	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
-			http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-2.20141203-r9.tar.bz2"
-	KEYWORDS="amd64 x86"
-fi
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-DESCRIPTION="SELinux policy for core modules"
-
-IUSE="+unconfined"
-
-RDEPEND="=sec-policy/selinux-base-${PVR}"
-PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
-DEPEND=""
-
-MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg"
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-
-# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
-# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
-# added) needs to remain then.
-
-pkg_pretend() {
-	for i in ${POLICY_TYPES}; do
-		if [[ "${i}" == "targeted" ]] && ! use unconfined; then
-			die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
-		fi
-	done
-}
-
-src_prepare() {
-	local modfiles
-
-	if [[ ${PV} != 9999* ]]; then
-		# Patch the source with the base patchbundle
-		cd "${S}"
-		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
-		EPATCH_SUFFIX="patch" \
-		EPATCH_SOURCE="${WORKDIR}" \
-		EPATCH_FORCE="yes" \
-		epatch
-	fi
-
-	# Apply the additional patches refered to by the module ebuild.
-	# But first some magic to differentiate between bash arrays and strings
-	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
-	then
-		cd "${S}/refpolicy/policy/modules"
-		for POLPATCH in "${POLICY_PATCH[@]}";
-		do
-			epatch "${POLPATCH}"
-		done
-	else
-		if [[ -n ${POLICY_PATCH} ]];
-		then
-			cd "${S}/refpolicy/policy/modules"
-			for POLPATCH in ${POLICY_PATCH};
-			do
-				epatch "${POLPATCH}"
-			done
-		fi
-	fi
-
-	# Calling user patches
-	epatch_user
-
-	# Collect only those files needed for this particular module
-	for i in ${MODS}; do
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
-	done
-
-	for i in ${POLICY_TYPES}; do
-		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
-		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
-			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
-		cp ${modfiles} "${S}"/${i} \
-			|| die "Failed to copy the module files to ${S}/${i}"
-	done
-}
-
-src_compile() {
-	for i in ${POLICY_TYPES}; do
-		emake BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed"
-	done
-}
-
-src_install() {
-	local BASEDIR="/usr/share/selinux"
-
-	for i in ${POLICY_TYPES}; do
-		for j in ${MODS}; do
-			einfo "Installing ${i} ${j} policy package"
-			insinto ${BASEDIR}/${i}
-			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
-		done
-	done
-}
-
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+	EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+	inherit git-r3
+else
+	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+			https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+	KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+fi
+
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+DESCRIPTION="SELinux policy for core modules"
+
+IUSE="systemd +unconfined"
+
+PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	sys-apps/checkpolicy
+	sys-devel/m4"
+
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
+# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
+# added) needs to remain then.
+
+pkg_pretend() {
+	for i in ${POLICY_TYPES}; do
+		if [[ "${i}" == "targeted" ]] && ! use unconfined; then
+			die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
+		fi
+	done
+}
+
+src_prepare() {
+	local modfiles
+
+	if [[ ${PV} != 9999* ]]; then
+		einfo "Applying SELinux policy updates ... "
+		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+	fi
+
+	eapply_user
+
+	# Collect only those files needed for this particular module
+	for i in ${MODS}; do
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+		cp ${modfiles} "${S}"/${i} \
+			|| die "Failed to copy the module files to ${S}/${i}"
+	done
+}
+
+src_compile() {
+	for i in ${POLICY_TYPES}; do
+		emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+	done
+}
+
+src_install() {
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			einfo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp
+		done
+	done
+}
+
+pkg_postinst() {
+	# Set root path and don't load policy into the kernel when cross compiling
+	local root_opts=""
+	if [[ "${ROOT}" != "" ]]; then
+		root_opts="-p ${ROOT} -n"
+	fi
+
+	# Override the command from the eclass, we need to load in base as well here
+	local COMMAND="-i base.pp"
+	if has_version "<sys-apps/policycoreutils-2.5"; then
+		COMMAND="-b base.pp"
+	fi
+
+	for i in ${MODS}; do
+		COMMAND="${COMMAND} -i ${i}.pp"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
+
+		cd "${ROOT}/usr/share/selinux/${i}"
+
+		semodule ${root_opts} -s ${i} ${COMMAND}
+	done
+
+	# Don't relabel when cross compiling
+	if [[ "${ROOT}" == "" ]]; then
+		# Relabel depending packages
+		local PKGSET="";
+		if [[ -x /usr/bin/qdepends ]] ; then
+			PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		elif [[ -x /usr/bin/equery ]] ; then
+			PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		fi
+		if [[ -n "${PKGSET}" ]] ; then
+			rlpkg ${PKGSET};
+		fi
+	fi
+}
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild
@ -0,0 +1,129 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+	EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+	inherit git-r3
+else
+	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+			https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+	KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+fi
+
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+DESCRIPTION="SELinux policy for core modules"
+
+IUSE="systemd +unconfined"
+
+PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	sys-apps/checkpolicy
+	sys-devel/m4"
+
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
+# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
+# added) needs to remain then.
+
+pkg_pretend() {
+	for i in ${POLICY_TYPES}; do
+		if [[ "${i}" == "targeted" ]] && ! use unconfined; then
+			die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
+		fi
+	done
+}
+
+src_prepare() {
+	local modfiles
+
+	if [[ ${PV} != 9999* ]]; then
+		einfo "Applying SELinux policy updates ... "
+		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+	fi
+
+	eapply_user
+
+	# Collect only those files needed for this particular module
+	for i in ${MODS}; do
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+		cp ${modfiles} "${S}"/${i} \
+			|| die "Failed to copy the module files to ${S}/${i}"
+	done
+}
+
+src_compile() {
+	for i in ${POLICY_TYPES}; do
+		emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+	done
+}
+
+src_install() {
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			einfo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp
+		done
+	done
+}
+
+pkg_postinst() {
+	# Set root path and don't load policy into the kernel when cross compiling
+	local root_opts=""
+	if [[ "${ROOT}" != "" ]]; then
+		root_opts="-p ${ROOT} -n"
+	fi
+
+	# Override the command from the eclass, we need to load in base as well here
+	local COMMAND="-i base.pp"
+	if has_version "<sys-apps/policycoreutils-2.5"; then
+		COMMAND="-b base.pp"
+	fi
+
+	for i in ${MODS}; do
+		COMMAND="${COMMAND} -i ${i}.pp"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
+
+		cd "${ROOT}/usr/share/selinux/${i}"
+
+		semodule ${root_opts} -s ${i} ${COMMAND}
+	done
+
+	# Don't relabel when cross compiling
+	if [[ "${ROOT}" == "" ]]; then
+		# Relabel depending packages
+		local PKGSET="";
+		if [[ -x /usr/bin/qdepends ]] ; then
+			PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		elif [[ -x /usr/bin/equery ]] ; then
+			PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		fi
+		if [[ -n "${PKGSET}" ]] ; then
+			rlpkg ${PKGSET};
+		fi
+	fi
+}
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
@ -1,34 +1,33 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild,v 1.23 2015/04/21 10:33:02 perfinion Exp $
-EAPI="5"

-inherit eutils
+EAPI="7"

 if [[ ${PV} == 9999* ]]; then
-	EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
 	EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"

 	inherit git-r3
-
-	KEYWORDS=""
 else
-	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
-			http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
-	KEYWORDS="~amd64 ~x86"
+	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+			https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+	KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
 fi

-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 DESCRIPTION="SELinux policy for core modules"

-IUSE="+unconfined"
+IUSE="systemd +unconfined"

-RDEPEND="=sec-policy/selinux-base-${PVR}"
 PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
-DEPEND=""
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	sys-apps/checkpolicy
+	sys-devel/m4"

-MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg"
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
 LICENSE="GPL-2"
 SLOT="0"
 S="${WORKDIR}/"
@ -49,37 +48,11 @@ src_prepare() {
 	local modfiles

 	if [[ ${PV} != 9999* ]]; then
-		# Patch the source with the base patchbundle
-		cd "${S}"
-		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
-		EPATCH_SUFFIX="patch" \
-		EPATCH_SOURCE="${WORKDIR}" \
-		EPATCH_FORCE="yes" \
-		epatch
+		einfo "Applying SELinux policy updates ... "
+		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 	fi

-	# Apply the additional patches refered to by the module ebuild.
-	# But first some magic to differentiate between bash arrays and strings
-	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
-	then
-		cd "${S}/refpolicy/policy/modules"
-		for POLPATCH in "${POLICY_PATCH[@]}";
-		do
-			epatch "${POLPATCH}"
-		done
-	else
-		if [[ -n ${POLICY_PATCH} ]];
-		then
-			cd "${S}/refpolicy/policy/modules"
-			for POLPATCH in ${POLICY_PATCH};
-			do
-				epatch "${POLPATCH}"
-			done
-		fi
-	fi
-
-	# Calling user patches
-	epatch_user
+	eapply_user

 	# Collect only those files needed for this particular module
 	for i in ${MODS}; do
@ -99,7 +72,7 @@ src_prepare() {

 src_compile() {
 	for i in ${POLICY_TYPES}; do
-		emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+		emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
 	done
 }

@ -110,34 +83,47 @@ src_install() {
 		for j in ${MODS}; do
 			einfo "Installing ${i} ${j} policy package"
 			insinto ${BASEDIR}/${i}
-			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+			doins "${S}"/${i}/${j}.pp
 		done
 	done
 }

 pkg_postinst() {
+	# Set root path and don't load policy into the kernel when cross compiling
+	local root_opts=""
+	if [[ "${ROOT}" != "" ]]; then
+		root_opts="-p ${ROOT} -n"
+	fi
+
 	# Override the command from the eclass, we need to load in base as well here
-	local COMMAND
+	local COMMAND="-i base.pp"
+	if has_version "<sys-apps/policycoreutils-2.5"; then
+		COMMAND="-b base.pp"
+	fi
+
 	for i in ${MODS}; do
-		COMMAND="-i ${i}.pp ${COMMAND}"
+		COMMAND="${COMMAND} -i ${i}.pp"
 	done

 	for i in ${POLICY_TYPES}; do
 		einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"

-		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
+		cd "${ROOT}/usr/share/selinux/${i}"

-		semodule -s ${i} -b base.pp ${COMMAND} || die "Failed to load in base and modules ${MODS} in the $i policy store"
+		semodule ${root_opts} -s ${i} ${COMMAND}
 	done

-	# Relabel depending packages
-	local PKGSET="";
-	if [ -x /usr/bin/qdepends ] ; then
-		PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
-	elif [ -x /usr/bin/equery ] ; then
-		PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
-	fi
-	if [ -n "${PKGSET}" ] ; then
-		rlpkg ${PKGSET};
+	# Don't relabel when cross compiling
+	if [[ "${ROOT}" == "" ]]; then
+		# Relabel depending packages
+		local PKGSET="";
+		if [[ -x /usr/bin/qdepends ]] ; then
+			PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		elif [[ -x /usr/bin/equery ]] ; then
+			PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		fi
+		if [[ -n "${PKGSET}" ]] ; then
+			rlpkg ${PKGSET};
+		fi
 	fi
 }