flatcar-archive · tormath1 · Jun 28, 2022 · Jun 28, 2022 · Jun 28, 2022 · Jun 28, 2022
diff --git a/app-emulation/containerd/files/containerd-1.0.0.service b/app-emulation/containerd/files/containerd-1.0.0.service
@@ -8,6 +8,7 @@ Delegate=yes
 Environment=CONTAINERD_CONFIG=/usr/share/containerd/config.toml
 ExecStartPre=mkdir -p /run/docker/libcontainerd
 ExecStartPre=ln -fs /run/containerd/containerd.sock /run/docker/libcontainerd/docker-containerd.sock
+ExecStartPre=restorecon -Rv /var/run/docker
 ExecStart=/usr/bin/containerd --config ${TORCX_UNPACKDIR}${TORCX_IMAGEDIR}${CONTAINERD_CONFIG}
 KillMode=process
 Type=notify

diff --git a/changelog/updates/2022-06-29-selinux.md b/changelog/updates/2022-06-29-selinux.md
@@ -0,0 +1,2 @@
+- selinux-base-policy([20220106](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20220106))
+- selinux-base([20220106](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20220106))
diff --git a/coreos-base/coreos/coreos-0.0.1.ebuild b/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -139,9 +139,11 @@ RDEPEND="${RDEPEND}
 	net-misc/wget
 	net-misc/whois
 	net-vpn/wireguard-tools
-	sec-policy/selinux-virt
 	sec-policy/selinux-base
 	sec-policy/selinux-base-policy
+	sec-policy/selinux-container
+	sec-policy/selinux-dbus
+	sec-policy/selinux-docker
 	sec-policy/selinux-unconfined
 	sys-apps/acl
 	sys-apps/attr

diff --git a/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -127,3 +127,8 @@ RDEPEND="${RDEPEND}
 RDEPEND="${RDEPEND}
 	!coreos-base/google-breakpad
 	"
+
+# required for squashFS relabelling
+RDEPEND="${RDEPEND}
+	sys-fs/squashfs-tools-ng
+	"
diff --git a/profiles/coreos/base/package.use b/profiles/coreos/base/package.use
@@ -153,3 +153,6 @@ dev-libs/libpcre2 -pcre16
 # enabled by upstream. Samba was enabled to make some tests pass. But
 # smi and ssl, no clue.
 net-analyzer/tcpdump -ssl -smi -samba
+
+# selinux: to find files with a particular SElinux label
+sys-apps/findutils selinux
diff --git a/profiles/coreos/targets/sdk/package.use b/profiles/coreos/targets/sdk/package.use
@@ -28,3 +28,6 @@ x11-libs/pixman static-libs
 
 # Enable gssapi for SDK
 net-dns/bind-tools           gssapi
+
+# Enable SELinux for relabelling with gensquashfs
+sys-fs/squashfs-tools-ng selinux
diff --git a/sec-policy/selinux-base-policy/Manifest b/sec-policy/selinux-base-policy/Manifest
@@ -1,4 +1,4 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
+DIST patchbundle-selinux-base-policy-2.20220106-r1.tar.bz2 299683 BLAKE2B 9e48733878e2f809b8634a1e96a4b1bb2fc3e866e562a6ac9449da8d4af591cbe7de380384fabec50c7a7c67733253f82024ce62dee51fc73e35e0653626ff6c SHA512 314c639e08b15a94656e467e81857241b242020884c0e40272cfb422cccc35f2d4a5f067dc6ebdf8926335a65d737c233d1df75f69b356509e07fd60b46b07bf
+DIST patchbundle-selinux-base-policy-2.20220106-r2.tar.bz2 436316 BLAKE2B 07d6ba7a5fa8e8213e922bfd4c698b73c1cdf598ceaa5efe98be095b51aafa446af8ea7217dcc2bc001bfadaa250bfcc8b8dea3d9aa630384f8cdf139512170d SHA512 68a71d098ae09b034cb57f8e38c06b23a6584f5538b94a44fb1e48e48c718f2b37eb5e38931e55e8769481ebf0ed8c8642cfa85a45ac23a71be31cc35380fbad
+DIST patchbundle-selinux-base-policy-2.20220106-r3.tar.bz2 309416 BLAKE2B 89852cce079300edcb00da41cfe42ea5041507f7d0a2a9897a4bd14f3ac68edfcc40ef49320e5ab826b1abb7fe7fc7ca4268042bbc019b3c76a58b9e112601c3 SHA512 4e23ad5e83df6c3501f0ac0a7201786d9f00809bedef248ae3a4b6af994e0006aaf70151c29ca21bb1c9c8887cc5bfeb18389d4f8e3bd3861c61d2d95d3a4e75
+DIST refpolicy-2.20220106.tar.bz2 560342 BLAKE2B bc0e65466333e02acb48adbb28b8176d3c8e508b2ff97d4f8a876d7c0a65534a62d86c9816ac59f6eed583f4b5c51cf432643edd2dad24dd51eb3cf22e2b75ac SHA512 794327d2dd07196b5f36771f9a961cdf294cf68f690735418d6bdd859499b7007c518cc022ccca9c245a5266b85bdb7cacdcaeefee14e4800937c9101476b373
diff --git a/...selinux-base-policy/files/0001-tormath1-selinux-systemd-upstream-patch-rebased-on-G.patch b/...selinux-base-policy/files/0001-tormath1-selinux-systemd-upstream-patch-rebased-on-G.patch
@@ -0,0 +1,116 @@
+From 20950a4d2d6236c5aa430a9044da197cb51db714 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux <[email protected]>
+Date: Mon, 18 Jul 2022 11:01:13 +0200
+Subject: [PATCH] tormath1/selinux+systemd: upstream patch rebased on Gentoo
+ patches
+
+Signed-off-by: Mathieu Tortuyaux <[email protected]>
+---
+ policy/modules/kernel/files.if       | 36 ++++++++++++++++++++++++++++
+ policy/modules/services/container.fc |  4 ++++
+ policy/modules/services/container.te |  2 ++
+ policy/modules/system/systemd.te     | 11 ++++++++-
+ 4 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index baedb52e9..e0942bf50 100644
+--- refpolicy/policy/modules/kernel/files.if
++++ refpolicy/policy/modules/kernel/files.if
+@@ -8151,3 +8151,39 @@ interface(`files_relabel_all_pidfiles',`
+ 	relabel_files_pattern($1, pidfile, pidfile)
+ 	relabel_lnk_files_pattern($1, pidfile, pidfile)
+ ')
++
++########################################
++## <summary>
++##	Relabel all files on the filesystem, except
++##	policy_config_t and exceptions.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="exception_types" optional="true">
++##	<summary>
++##	The types to be excluded.  Each type or attribute
++##	must be negated by the caller.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_non_policy_files',`
++	gen_require(`
++		attribute file_type;
++		type policy_config_t;
++	')
++
++	allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
++	relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	# this is only relabelfrom since there should be no
++	# device nodes with file types.
++	relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++')
+diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
+index 63f1537df..420043652 100644
+--- refpolicy/policy/modules/services/container.fc
++++ refpolicy/policy/modules/services/container.fc
+@@ -79,3 +79,7 @@ HOME_DIR/\.local/share/docker/volumes(/.*)?		gen_context(system_u:object_r:conta
+
+ /var/log/containers(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/pods(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
++
++/run/torcx/bin(/.*)? gen_context(system_u:object_r:container_engine_exec_t,s0)
++/run/torcx/unpack/docker/bin(/.*)? gen_context(system_u:object_r:container_engine_exec_t,s0)
++/run/torcx/unpack/docker/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
+index a243eb4a5..c92b53471 100644
+--- refpolicy/policy/modules/services/container.te
++++ refpolicy/policy/modules/services/container.te
+@@ -762,3 +762,5 @@ optional_policy(`
+        unconfined_domain_noaudit(spc_user_t)
+        domain_ptrace_all_domains(spc_user_t)
+ ')
++
++filetrans_pattern(unconfined_exec_t, tmpfs_t, dir, container_engine_exec_t, "bin")
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 171cb5e5b..cde61d78f 100644
+--- refpolicy/policy/modules/system/systemd.te
++++ refpolicy/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+@@ -1682,6 +1682,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 	files_manage_non_security_files(systemd_tmpfiles_t)
+ 	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ 	files_relabel_non_security_files(systemd_tmpfiles_t)
++	files_relabel_all_non_policy_files(systemd_tmpfiles_t)
+ ')
+
+ optional_policy(`
+@@ -1899,3 +1900,11 @@ userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
+ optional_policy(`
+ 	dbus_system_bus_client(systemd_user_runtime_dir_t)
+ ')
++
++selinux_getattr_fs(systemd_modules_load_t)
++files_read_etc_runtime_files(systemd_networkd_t)
++kernel_getattr_proc(systemd_modules_load_t)
++allow systemd_modules_load_t self:capability net_admin;
++seutil_read_config(systemd_modules_load_t)
++seutil_read_config(systemd_userdbd_t)
++auth_relabelto_shadow(systemd_tmpfiles_t)
+-- 
+2.35.1
+
diff --git a/sec-policy/selinux-base-policy/files/logging.patch b/sec-policy/selinux-base-policy/files/logging.patch
@@ -1,18 +1,13 @@
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 7d713540d..d6cbc654d 100644
+index 61ae572e2..a117c258f 100644
 --- refpolicy/policy/modules/system/logging.te
 +++ refpolicy/policy/modules/system/logging.te
-@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
- userdom_dontaudit_search_user_home_dirs(syslogd_t)
+@@ -134,6 +134,8 @@ logging_send_syslog_msg(auditctl_t)
+ miscfiles_read_localization(auditctl_t)
 
  ifdef(`init_systemd',`
 +	require { type kernel_t; }
- 	# for systemd-journal
- 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
- 	allow syslogd_t self:capability2 audit_read;
- 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
- 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-+	allow syslogd_t kernel_t:netlink_audit_socket getattr; 
++	allow syslogd_t kernel_t:netlink_audit_socket getattr;
+ 	init_rw_stream_sockets(auditctl_t)
+ ')
 
- 	# remove /run/log/journal when switching to permanent storage
- 	allow syslogd_t var_log_t:dir rmdir;
diff --git a/sec-policy/selinux-base-policy/files/sshd.patch b/sec-policy/selinux-base-policy/files/sshd.patch
@@ -7,7 +7,7 @@ index 60060c35c..8d9f5b7a6 100644
  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 -/usr/bin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/bin/sshd			--	gen_context(system_u:object_r:unconfined_t,s0)
++/usr/bin/sshd			--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
  /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
  /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
@@ -16,7 +16,7 @@ index 60060c35c..8d9f5b7a6 100644
  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 -/usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/sbin/sshd			--	gen_context(system_u:object_r:unconfined_t,s0)
++/usr/sbin/sshd			--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
  /run/sshd(/.*)?			gen_context(system_u:object_r:sshd_runtime_t,s0)
  /run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_runtime_t,s0)
diff --git a/sec-policy/selinux-base-policy/files/systemd-relabel.patch b/sec-policy/selinux-base-policy/files/systemd-relabel.patch
@@ -0,0 +1,20 @@
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 09874fcf0..a34208b8d 100644
+--- refpolicy/policy/modules/system/systemd.te
++++ refpolicy/policy/modules/system/systemd.te
+@@ -1456,6 +1456,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 	files_manage_non_security_files(systemd_tmpfiles_t)
+ 	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ 	files_relabel_non_security_files(systemd_tmpfiles_t)
++	files_relabel_all_non_policy_files(systemd_tmpfiles_t)
+ ')
+
+ optional_policy(`
+@@ -1628,3 +1629,7 @@ userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
+ optional_policy(`
+ 	dbus_system_bus_client(systemd_user_runtime_dir_t)
+ ')
++
++# (neverallow authlogin_typeattr_3 shadow_t (file (relabelto)))
++# neverallow check failed
++auth_relabelto_shadow(systemd_tmpfiles_t)
diff --git a/sec-policy/selinux-base-policy/files/unlabeled.patch b/sec-policy/selinux-base-policy/files/unlabeled.patch
diff --git a/sec-policy/selinux-base-policy/metadata.xml b/sec-policy/selinux-base-policy/metadata.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>[email protected]</email>

diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- selinux-base-policy([20220106](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20220106))
		- selinux-base([20220106](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20220106))