SELinux: Label /usr and sysext image contents

.github/workflows/portage-stable-packages-list

@@ -559,6 +559,7 @@ sec-policy/selinux-base
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-docker
 sec-policy/selinux-policykit
 sec-policy/selinux-sssd
 sec-policy/selinux-unconfined

build_library/build_image_util.sh

@@ -580,6 +580,30 @@ start_image() {
     --board="${BOARD}"
 }
 
+# Actions common to the dev container and the image
+# but which should be run before the image branches off
+# the base squashfs (used for systemd-sysext image building)
+finish_image_common() {
+  local image_name="$1"
+  local disk_layout="$2"
+  local root_fs_dir="$3"
+  local image_contents="$4"
+  local image_contents_wtd="$5"
+  local image_kernel="$6"
+  local pcr_policy="$7"
+  local image_grub="$8"
+  local image_shim="$9"
+  local image_kconfig="${10}"
+  local image_initrd_contents="${11}"
+  local image_initrd_contents_wtd="${12}"
+  local image_disk_space_usage="${13}"
+
+  # Build the selinux policy
+  if pkg_use_enabled coreos-base/coreos selinux; then
+      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  fi
+}
+
 finish_image() {
   local image_name="$1"
   local disk_layout="$2"
@@ -694,11 +718,6 @@ EOF
         "${BUILD_DIR}/${image_kconfig}"
   fi
 
-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-  fi
-
   # Run tmpfiles once to make sure that /etc has everything in place before
   # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
 
@@ -731,10 +750,8 @@ EOF
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
   if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 

build_library/dev_container_util.sh

@@ -112,6 +112,8 @@ create_dev_container() {
   # The remount services are provided by coreos-base/coreos-init
   systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service"
 
+  finish_image_common "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
+
   finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 
   declare -a files_to_evaluate

build_library/prod_image_util.sh

@@ -92,6 +92,21 @@ create_prod_image() {
   run_ldconfig "${root_fs_dir}"
   run_localedef "${root_fs_dir}"
 
+  finish_image_common \
+      "${image_name}" \
+      "${disk_layout}" \
+      "${root_fs_dir}" \
+      "${image_contents}" \
+      "${image_contents_wtd}" \
+      "${image_kernel}" \
+      "${image_pcr_policy}" \
+      "${image_grub}" \
+      "${image_shim}" \
+      "${image_kconfig}" \
+      "${image_initrd_contents}" \
+      "${image_initrd_contents_wtd}" \
+      "${image_disk_usage}"
+
   local root_with_everything="${root_fs_dir}"
 
   # Call helper script for adding sysexts to the base OS.

build_sysext

@@ -237,6 +237,7 @@ export SOURCE_DATE_EPOCH=$(stat -c '%Y' "${BUILD_DIR}/fs-root/usr/lib/os-release
 
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -148,6 +148,7 @@ RDEPEND="${RDEPEND}
 	sec-policy/selinux-base-policy
 	sec-policy/selinux-container
 	sec-policy/selinux-dbus
+	sec-policy/selinux-docker
 	sec-policy/selinux-policykit
 	sec-policy/selinux-unconfined
 	sys-apps/acl

sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest

@@ -0,0 +1,4 @@
+DIST patchbundle-selinux-base-policy-2.20240226-r2.tar.bz2 442650 BLAKE2B f2f7c5e4a595afafc072fd78fc4ef3930cf739d05cbe9670f2fb2956fe84e3045518345e103bc3880603d2562f06ba0597fc005d8d394e9f8cd057363f9bf95f SHA512 2cb00d088eebdb098a6496f156eeb3dcee026fc6e53d732bac5bc8a4cfee1ce3bf2bdbbbfbbe9bba237d61c06f299d96bb9d123a57a44aaaa17cc122e15ea268
+DIST patchbundle-selinux-base-policy-2.20240916-r1.tar.bz2 274891 BLAKE2B 72b8181424450998164979ab582e8edee6d73b9110b4535e7880d1f7c989bd0ac391422872858da7bad3e3d77516996af93aa2f149f7d4a7f8fd329c481964cf SHA512 fd8259c91cc779301d6e0964827133529a9141dc235301da135210ea4359b800023848a25e33c45678477fa4f54e75da51be9ec85a3bed8b07cf5487e73b84f3
+DIST refpolicy-2.20240226.tar.bz2 610561 BLAKE2B 5dc54dcf7238776d4e4b282c1dcbc499f45c0d96676dbf931da39592854034874b5dd6197a2e2776fccec5106d5f245eea3fb9419959bd4d61e9b2c12aeaaa85 SHA512 896a57afb024bd131f25d2831a9a5ac90ee7e5d76b0565bc818c156f6c310d86758bcd4cedbd9df5b29954c9a92a42300d16685a7e07a5efd8f789320724b3f9
+DIST refpolicy-2.20240916.tar.bz2 618218 BLAKE2B d86ca75d254eef10f4aa57ef3977825211200cdf1eaa9bf9d416c9a52acee476b3f8719c3b0c8c17fdff2abc0c396989961e37e313a7b3bd3b4b0266a6280e75 SHA512 a8b6c90f8e186796b4c7db1e2d8ed3c3b8690bb5b8f180dcb6d5468ba80467e2969012c4edddf74429c0f5ce900d68fbbc0c2f8e253165af28f93f191039f064

sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>selinux@gentoo.org</email>
+		<name>SELinux Team</name>
+	</maintainer>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild

@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+	KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+	sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+	sec-policy/selinux-container
+"

sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild

@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+	KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+	sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+	sec-policy/selinux-container
+"

sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild

@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+DEPEND="${DEPEND}
+	sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+	sec-policy/selinux-container
+"