sec-policy/selinux-base-policy: Sync with Gentoo

It's from Gentoo commit 93eb44523dd73a13e45dd9095692783d236f1c78.

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest

@@ -1,3 +1,5 @@
 DIST patchbundle-selinux-base-policy-2.20240226-r1.tar.bz2 430565 BLAKE2B 2d552f868375c240e71e987542a3026970f1d375d7d1e65f11386ce1b07aae84911ded2379fc768ff4bff664eb98dc3361a7392467fed3feb4916477eb957f58 SHA512 f22245ad8759d88ddbf26b71443e4ba8c804fc80d69383120ed98b7887d08a7034b8125e4d15e695b26776ef4ac1a933e14a1a382d5be90aa942358842cc6c77
 DIST patchbundle-selinux-base-policy-2.20240226-r2.tar.bz2 442650 BLAKE2B f2f7c5e4a595afafc072fd78fc4ef3930cf739d05cbe9670f2fb2956fe84e3045518345e103bc3880603d2562f06ba0597fc005d8d394e9f8cd057363f9bf95f SHA512 2cb00d088eebdb098a6496f156eeb3dcee026fc6e53d732bac5bc8a4cfee1ce3bf2bdbbbfbbe9bba237d61c06f299d96bb9d123a57a44aaaa17cc122e15ea268
+DIST patchbundle-selinux-base-policy-2.20240916-r1.tar.bz2 274891 BLAKE2B 72b8181424450998164979ab582e8edee6d73b9110b4535e7880d1f7c989bd0ac391422872858da7bad3e3d77516996af93aa2f149f7d4a7f8fd329c481964cf SHA512 fd8259c91cc779301d6e0964827133529a9141dc235301da135210ea4359b800023848a25e33c45678477fa4f54e75da51be9ec85a3bed8b07cf5487e73b84f3
 DIST refpolicy-2.20240226.tar.bz2 610561 BLAKE2B 5dc54dcf7238776d4e4b282c1dcbc499f45c0d96676dbf931da39592854034874b5dd6197a2e2776fccec5106d5f245eea3fb9419959bd4d61e9b2c12aeaaa85 SHA512 896a57afb024bd131f25d2831a9a5ac90ee7e5d76b0565bc818c156f6c310d86758bcd4cedbd9df5b29954c9a92a42300d16685a7e07a5efd8f789320724b3f9
+DIST refpolicy-2.20240916.tar.bz2 618218 BLAKE2B d86ca75d254eef10f4aa57ef3977825211200cdf1eaa9bf9d416c9a52acee476b3f8719c3b0c8c17fdff2abc0c396989961e37e313a7b3bd3b4b0266a6280e75 SHA512 a8b6c90f8e186796b4c7db1e2d8ed3c3b8690bb5b8f180dcb6d5468ba80467e2969012c4edddf74429c0f5ce900d68fbbc0c2f8e253165af28f93f191039f064

sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20240916-r1.ebuild

@@ -0,0 +1,141 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+	EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+	inherit git-r3
+else
+	SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+			https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+DESCRIPTION="SELinux policy for core modules"
+
+IUSE="systemd +unconfined"
+
+PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	sys-apps/checkpolicy
+	sys-devel/m4"
+
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
+# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
+# added) needs to remain then.
+
+pkg_pretend() {
+	for i in ${POLICY_TYPES}; do
+		if [[ "${i}" == "targeted" ]] && ! use unconfined; then
+			die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
+		fi
+	done
+}
+
+src_prepare() {
+	local modfiles
+
+	if [[ ${PV} != 9999* ]]; then
+		einfo "Applying SELinux policy updates ... "
+		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+	fi
+
+	eapply_user
+
+	# Collect only those files needed for this particular module
+	for i in ${MODS}; do
+		modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+		modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+	done
+
+	for i in ${DEL_MODS}; do
+		[[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+		cp ${modfiles} "${S}"/${i} \
+			|| die "Failed to copy the module files to ${S}/${i}"
+	done
+}
+
+src_compile() {
+	for i in ${POLICY_TYPES}; do
+		emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
+	done
+}
+
+src_install() {
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			einfo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp
+		done
+	done
+}
+
+pkg_postinst() {
+	# Set root path and don't load policy into the kernel when cross compiling
+	local root_opts=""
+	if [[ "${ROOT}" != "" ]]; then
+		root_opts="-p ${ROOT} -n"
+	fi
+
+	# Override the command from the eclass, we need to load in base as well here
+	local COMMAND="-i base.pp"
+	if has_version "<sys-apps/policycoreutils-2.5"; then
+		COMMAND="-b base.pp"
+	fi
+
+	for i in ${MODS}; do
+		COMMAND="${COMMAND} -i ${i}.pp"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
+
+		cd "${ROOT}/usr/share/selinux/${i}"
+
+		semodule ${root_opts} -s ${i} ${COMMAND}
+
+		for mod in ${DEL_MODS}; do
+			if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+				einfo "Removing obsolete ${i} ${mod} policy package"
+				semodule ${root_opts} -s ${i} -r ${mod}
+			fi
+		done
+	done
+
+	# Don't relabel when cross compiling
+	if [[ "${ROOT}" == "" ]]; then
+		# Relabel depending packages
+		local PKGSET="";
+		if [[ -x /usr/bin/qdepends ]] ; then
+			PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		elif [[ -x /usr/bin/equery ]] ; then
+			PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+		fi
+		if [[ -n "${PKGSET}" ]] ; then
+			rlpkg ${PKGSET};
+		fi
+	fi
+}