From e2afa149cbde3664bbdfe36aa7b947546cae85b1 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Fri, 4 Jun 2021 17:08:45 +0200
Subject: [PATCH] sec-policy/selinux-virt: apply flatcar changes

Signed-off-by: Mathieu Tortuyaux
---
 .../sec-policy/selinux-virt/files/virt.patch | 39 +++++++++++++++++++
 .../selinux-virt-2.20200818-r2.ebuild | 3 ++
 2 files changed, 42 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
new file mode 100644
index 0000000000..1fd778db48
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
@@ -0,0 +1,39 @@
+index 256ea58..f72fbba 100644
+--- services/virt.te
++++ services/virt.te
+@@ -1378,3 +1378,35 @@ sysnet_dns_name_resolve(virtlogd_t)
+ 
+ virt_manage_log(virtlogd_t)
+ virt_read_config(virtlogd_t)
++
++require {
++ type kernel_t;
++ type tmpfs_t;
++ type var_lib_t;
++}
++allow kernel_t svirt_lxc_net_t:process transition;
++allow initrc_t svirt_lxc_net_t:process transition;
++allow kernel_t svirt_lxc_net_t:process2 nnp_transition;
++fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
++fs_manage_tmpfs_dirs(svirt_lxc_net_t)
++fs_manage_tmpfs_files(svirt_lxc_net_t)
++fs_manage_tmpfs_sockets(svirt_lxc_net_t)
++fs_manage_tmpfs_symlinks(svirt_lxc_net_t)
++fs_remount_tmpfs(svirt_lxc_net_t)
++kernel_read_messages(svirt_lxc_net_t)
++kernel_sigchld(svirt_lxc_net_t)
++kernel_use_fds(svirt_lxc_net_t)
++allow svirt_lxc_net_t self:process getcap;
++files_read_var_lib_files(svirt_lxc_net_t)
++files_read_var_lib_symlinks(svirt_lxc_net_t)
++term_use_generic_ptys(svirt_lxc_net_t)
++term_setattr_generic_ptys(svirt_lxc_net_t)
++allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
++allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perms };
++allow svirt_lxc_net_t self:capability sys_chroot;
++allow svirt_lxc_net_t self:process getpgid;
++allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
++allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
++allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
++allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
++
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild
index e1f07cc7c4..64e118aaf9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild
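Review bot: The raw `allow` rules added at the end of the inner virt.te hunk grant `svirt_lxc_net_t` rights well beyond what the surrounding refpolicy interfaces hand out — `self:capability sys_chroot`, `fs_remount_tmpfs`, read/write on `kernel_t` and `initrc_t` fifos, and `entrypoint execute execute_no_trans` on any `var_lib_t` file — and nothing in the patch records why each group is needed. Because `var_lib_t` is the generic label for everything under /var/lib, that last rule lets the container domain run any file there that carries no more specific type, so it in particular deserves a justification or a narrower type. I would add a short header above `index 256ea58..f72fbba 100644` (text before the first diff line is ignored when the patch is applied) naming the runtime these rules serve and, per rule group, the denial they resolve, e.g. `# Flatcar: tmpfs/pty/var_lib access for the container runtime; tracked in <TICKET-PLACEHOLDER>`. Also, `initrc_t` is used in `allow` rules but is not listed in the `require { ... }` block next to `kernel_t`; unless virt.te already brings it into scope elsewhere (outside this hunk), the module build will reject the reference.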
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild
@@ -10,6 +10,9 @@ inherit selinux-policy-2
 
 DESCRIPTION="SELinux policy for virt"
 
+# flatcar changes
+POLICY_PATCH="${FILESDIR}/virt.patch"
+
 if [[ ${PV} != 9999* ]] ; then
 KEYWORDS="amd64 -arm ~arm64 ~mips x86"
 fi
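Review bot: The comment `# flatcar changes` above the new `POLICY_PATCH=` line says who made the change but not what the patch does, which is what a reader of the ebuild needs before deciding whether to carry it across the next policy bump. I would expand it to name the effect and point at the file, e.g. `# Flatcar: extra svirt_lxc_net_t rules for the container runtime, see files/virt.patch`. Since the patch anchors on a fixed virt.te line range (`@@ -1378,3 +1378,35 @@`), it is likely to need a rebase when upstream policy moves that context, which is worth stating in the same comment.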