mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-09 14:06:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

overlay user-patches: Regenerate our patch for SELinux refpolicy

Browse Source
This commit is contained in:
Krzesimir Nowak 2024-03-26 11:56:16 +01:00
parent f568f7f9c6
commit f6598dea74
2 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch vendored
View File

@ -1,4 +1,4 @@
From 5293e66fafd5f5cf2872abc03d8b49ed5bc81b9a Mon Sep 17 00:00:00 2001
From 8cd5a793c84ec75233a30517c77c26eb4203b1c7 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Mon, 4 Dec 2023 12:17:25 +0100
Subject: [PATCH] Flatcar modifications
@ -115,10 +115,10 @@ index 53bf7849c..9edac05e8 100644
# Infiniband
corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 370ac0931..098d0cd6c 100644
index e0337d044..ffd6a25bf 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -7911,3 +7911,48 @@ interface(`files_relabel_all_pidfiles',`
@@ -8004,3 +8004,48 @@ interface(`files_relabel_all_pidfiles',`
relabel_files_pattern($1, pidfile, pidfile)
relabel_lnk_files_pattern($1, pidfile, pidfile)
')
@ -168,10 +168,10 @@ index 370ac0931..098d0cd6c 100644
+ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 8156ac087..72a07e753 100644
index a3dbeeeda..b68686bc1 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -369,6 +369,79 @@ files_mounton_default(kernel_t)
@@ -376,6 +376,79 @@ files_mounton_default(kernel_t)
mcs_process_set_categories(kernel_t)
@ -252,7 +252,7 @@ index 8156ac087..72a07e753 100644
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
diff --git a/refpolicy/policy/modules/services/container.fc b/refpolicy/policy/modules/services/container.fc
index 49e5d59bb..3769ad311 100644
index f98e68ba0..045b1b5b2 100644
--- a/refpolicy/policy/modules/services/container.fc
+++ b/refpolicy/policy/modules/services/container.fc
@@ -38,6 +38,12 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
@ -267,9 +267,9 @@ index 49e5d59bb..3769ad311 100644
+/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
/run/libpod(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
/run/crun(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
index a5ad4686d..ceaeb2dfc 100644
index 096d6c23d..ea1c11852 100644
--- a/refpolicy/policy/modules/services/container.te
+++ b/refpolicy/policy/modules/services/container.te
@@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false)
@ -334,7 +334,7 @@ index a5ad4686d..ceaeb2dfc 100644
## <desc>
## <p>
@@ -1088,3 +1134,105 @@ optional_policy(`
@@ -1191,3 +1237,105 @@ optional_policy(`
unconfined_domain_noaudit(spc_user_t)
domain_ptrace_all_domains(spc_user_t)
')
@ -441,10 +441,10 @@ index a5ad4686d..ceaeb2dfc 100644
+#
+allow container_t usr_t:file { execute execute_no_trans map };
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c83d88b74..b55afabc0 100644
index 8f3772dcb..435f62db6 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1658,3 +1658,11 @@ optional_policy(`
@@ -1674,3 +1674,11 @@ optional_policy(`
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
userdom_dontaudit_write_user_tmp_files(systemprocess)
')

4
sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md vendored
View File

@ -7,7 +7,9 @@ The following steps were needed to make these patches:
- Apply the Gentoo patch:
- See the sec-policy/selinux-base ebuild in portage-stable for the
patch tarball URL.
- Apply our changes.
- Apply our changes:
- `git am -p2 <OUR_PATCH>` should do the trick. Try adding `-3` flag
in case of conflicts.
- Generate the patch:
- Since sec-policy/selinux- packages set their source directory to
work directory (in Gentooese: `S=${WORKDIR}/`), the user patches