From f6598dea746742eb9f3088f0551a48faa8620663 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 26 Mar 2024 11:56:16 +0100 Subject: [PATCH] overlay user-patches: Regenerate our patch for SELinux refpolicy --- .../0001-Flatcar-modifications.patch | 22 +++++++++---------- .../flatcar-selinux-patches/README.md | 4 +++- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch index 29cd63e12d..55422df4ad 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch @@ -1,4 +1,4 @@ -From 5293e66fafd5f5cf2872abc03d8b49ed5bc81b9a Mon Sep 17 00:00:00 2001 +From 8cd5a793c84ec75233a30517c77c26eb4203b1c7 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 4 Dec 2023 12:17:25 +0100 Subject: [PATCH] Flatcar modifications @@ -115,10 +115,10 @@ index 53bf7849c..9edac05e8 100644 # Infiniband corenet_ib_access_all_pkeys(corenet_unconfined_type) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if -index 370ac0931..098d0cd6c 100644 +index e0337d044..ffd6a25bf 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if -@@ -7911,3 +7911,48 @@ interface(`files_relabel_all_pidfiles',` +@@ -8004,3 +8004,48 @@ interface(`files_relabel_all_pidfiles',` relabel_files_pattern($1, pidfile, pidfile) relabel_lnk_files_pattern($1, pidfile, pidfile) ') @@ -168,10 +168,10 @@ index 370ac0931..098d0cd6c 100644 + relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) +') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te -index 8156ac087..72a07e753 100644 +index a3dbeeeda..b68686bc1 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te -@@ -369,6 +369,79 @@ files_mounton_default(kernel_t) +@@ -376,6 +376,79 @@ files_mounton_default(kernel_t) mcs_process_set_categories(kernel_t) @@ -252,7 +252,7 @@ index 8156ac087..72a07e753 100644 mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) diff --git a/refpolicy/policy/modules/services/container.fc b/refpolicy/policy/modules/services/container.fc -index 49e5d59bb..3769ad311 100644 +index f98e68ba0..045b1b5b2 100644 --- a/refpolicy/policy/modules/services/container.fc +++ b/refpolicy/policy/modules/services/container.fc @@ -38,6 +38,12 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) @@ -267,9 +267,9 @@ index 49e5d59bb..3769ad311 100644 +/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) /run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) - /run/libpod(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) + /run/crun(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te -index a5ad4686d..ceaeb2dfc 100644 +index 096d6c23d..ea1c11852 100644 --- a/refpolicy/policy/modules/services/container.te +++ b/refpolicy/policy/modules/services/container.te @@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false) @@ -334,7 +334,7 @@ index a5ad4686d..ceaeb2dfc 100644 ## ##

-@@ -1088,3 +1134,105 @@ optional_policy(` +@@ -1191,3 +1237,105 @@ optional_policy(` unconfined_domain_noaudit(spc_user_t) domain_ptrace_all_domains(spc_user_t) ') @@ -441,10 +441,10 @@ index a5ad4686d..ceaeb2dfc 100644 +# +allow container_t usr_t:file { execute execute_no_trans map }; diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te -index c83d88b74..b55afabc0 100644 +index 8f3772dcb..435f62db6 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te -@@ -1658,3 +1658,11 @@ optional_policy(` +@@ -1674,3 +1674,11 @@ optional_policy(` userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) userdom_dontaudit_write_user_tmp_files(systemprocess) ') diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md index 26a0617e7f..a7cb18f164 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md @@ -7,7 +7,9 @@ The following steps were needed to make these patches: - Apply the Gentoo patch: - See the sec-policy/selinux-base ebuild in portage-stable for the patch tarball URL. -- Apply our changes. +- Apply our changes: + - `git am -p2 ` should do the trick. Try adding `-3` flag + in case of conflicts. - Generate the patch: - Since sec-policy/selinux- packages set their source directory to work directory (in Gentooese: `S=${WORKDIR}/`), the user patches