sec-policy/selinux-base: apply flatcar changes

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch

@@ -0,0 +1,24 @@
+From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux <mathieu@kinvolk.io>
+Date: Fri, 4 Jun 2021 13:17:44 +0200
+Subject: [PATCH] policy/modules/kernel: all more actions for kernel
+
+Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
+---
+ policy/modules/kernel/kernel.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+--- refpolicy/policy/modules/kernel/kernel.te
++++ refpolicy/policy/modules/kernel/kernel.te
+@@ -351,6 +351,10 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch

@@ -0,0 +1,27 @@
+--- refpolicy/policy/mcs
++++ refpolicy/policy/mcs
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++
++default_range dir_file_class_set target low-high;
+ #
+ # Define sensitivities
+ #
+@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
+ 
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+-	( h1 dom h2 );
++	(( h1 dom h2 ) or (t1 == mcswriteall));
+ 
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
+ 
+ mlsconstrain process { transition dyntransition }
+ 	(( h1 dom h2 ) or ( t1 == mcssetcats ));

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans

@@ -1 +0,0 @@
-allow_execmem = true

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config

@@ -12,4 +12,4 @@ SELINUX=permissive
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts

@@ -0,0 +1,10 @@
+# This file is used to configure the per-instance contexts of rkt and other
+# applications that use libvirt for lxc container support.
+#
+# See:
+#    https://coreos.com/rkt/docs/latest/selinux.html
+#    https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
+
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs-sshd.patch

@@ -0,0 +1,22 @@
+diff --git refpolicy/policy/modules/services/ssh.fc refpolicy/policy/modules/services/ssh.fc
+index 4ac3e733..ef8c9297 100644
+--- refpolicy/policy/modules/services/ssh.fc
++++ refpolicy/policy/modules/services/ssh.fc
+@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+-/usr/bin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/bin/sshd			--	gen_context(system_u:object_r:unconfined_t,s0)
+ 
+ /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+ /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+@@ -17,7 +17,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ 
+ /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+ 
+-/usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/sbin/sshd			--	gen_context(system_u:object_r:unconfined_t,s0)
+ 
+ /run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
+ /run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf

@@ -0,0 +1,4 @@
+#Type	Path			Mode	UID 	GID 	Age	Argument
+d	/etc/selinux/		-	-	-	-	-
+L	/etc/selinux/config	-	-	-	-	../../usr/lib/selinux/config
+L	/etc/selinux/mcs	-	-	-	-	../../usr/lib/selinux/mcs

sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild

@@ -3,6 +3,9 @@
 
 EAPI="7"
 
+# flatcar changes
+inherit systemd
+
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -23,11 +26,19 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
 
-RDEPEND=">=sys-apps/policycoreutils-2.8"
-DEPEND="${RDEPEND}"
-BDEPEND="
+# flatcar changes
+RDEPEND=">=sys-apps/policycoreutils-2.8
 	>=sys-apps/checkpolicy-2.8
-	sys-devel/m4"
+"
+DEPEND="${RDEPEND}"
+BDEPEND="sys-devel/m4"
+
+
+# flatcar changes
+PATCHES=(
+	"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+	"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
+)
 
 S=${WORKDIR}/
 
@@ -37,6 +48,8 @@ src_prepare() {
 		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 	fi
 
+	# flatcar changes
+	eapply -p0 "${PATCHES[@]}"
 	eapply_user
 
 	cd "${S}/refpolicy" || die
@@ -78,6 +91,10 @@ src_configure() {
 
 		sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
 
+		# flatcar changes: it's required to run polkit without segfault
+		# we need to pass this argument now before the compilation of the policy
+		sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
+
 		sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 			"${S}/${i}/build.conf" || die "build.conf setup failed."
 
@@ -107,7 +124,9 @@ src_compile() {
 
 	for i in ${POLICY_TYPES}; do
 		cd "${S}/${i}" || die
-		emake base
+		# flatcar changes
+		emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
+			LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
 		if use doc; then
 			emake html
 		fi
@@ -140,14 +159,29 @@ src_install() {
 
 	done
 
+	# flatcar changes
+	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf"
+	systemd-tmpfiles --root="${D}" --create selinux-base.conf
+
 	docinto /
 	dodoc doc/Makefile.example doc/example.{te,fc,if}
 
 	doman man/man8/*.8;
 
-	insinto /etc/selinux
+	# flatcar changes
+	insinto /usr/lib/selinux
 	doins "${FILESDIR}/config"
 
+	insinto /etc/selinux/mcs/contexts
+	doins "${FILESDIR}/lxc_contexts"
+
+	# flatcar changes
+	mkdir -p "${D}/usr/lib/selinux"
+	for i in ${POLICY_TYPES}; do
+		mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
+		dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
+	done
+
 	insinto /usr/share/portage/config/sets
 	doins "${FILESDIR}/selinux.conf"
 }