Fix MCS configuration in base policy

Permit contexts with mcswriteall permissions to create files and
directories in confined domains (mcs_create.diff) and default to
creating files with the categories provided by the target directory
(mcs_range_target.diff)

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff

@@ -0,0 +1,20 @@
+diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
+--- refpolicy.orig/policy/mcs	2014-06-16 10:44:12.000000000 -0700
++++ refpolicy/policy/mcs	2015-09-09 16:40:55.212940234 -0700
+@@ -99,14 +99,14 @@
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
+ 
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+ 	( h1 dom h2 );
+ 
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
+ 
+ mlsconstrain process { transition dyntransition }
+ 	(( h1 dom h2 ) or ( t1 == mcssetcats ));

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_range_target.diff

@@ -0,0 +1,9 @@
+diff -ur mcs.orig/policy/mcs mcs/policy/mcs
+--- refpolicy.orig/policy/mcs	2015-09-14 11:32:38.155721902 -0700
++++ refpolicy/policy/mcs	2015-09-14 11:36:08.055490569 -0700
+@@ -1,4 +1,5 @@
+ ifdef(`enable_mcs',`
++default_range dir_file_class_set target low-high;
+ #
+ # Define sensitivities 
+ #

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r7.ebuild

@@ -52,6 +52,8 @@ src_prepare() {
 	fi
 
 	epatch "${FILESDIR}/kernel_mcs.diff"
+	epatch "${FILESDIR}/mcs_create.diff"
+	epatch "${FILESDIR}/mcs_range_target.diff"
 
 	cd "${S}/refpolicy"
 	make bare