sec-policy/selinux-docker: add flatcar patch

- drop useless ebuilds - add torcx docker patch Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
flatcar-archive · Oct 5, 2022 · 8b278e9 · 8b278e9
1 parent e301f44
commit 8b278e9
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 46 deletions.
diff --git a/sec-policy/selinux-docker/Manifest b/sec-policy/selinux-docker/Manifest
@@ -1,4 +1,2 @@
-DIST patchbundle-selinux-base-policy-2.20220106-r1.tar.bz2 299683 BLAKE2B 9e48733878e2f809b8634a1e96a4b1bb2fc3e866e562a6ac9449da8d4af591cbe7de380384fabec50c7a7c67733253f82024ce62dee51fc73e35e0653626ff6c SHA512 314c639e08b15a94656e467e81857241b242020884c0e40272cfb422cccc35f2d4a5f067dc6ebdf8926335a65d737c233d1df75f69b356509e07fd60b46b07bf
-DIST patchbundle-selinux-base-policy-2.20220106-r2.tar.bz2 436316 BLAKE2B 07d6ba7a5fa8e8213e922bfd4c698b73c1cdf598ceaa5efe98be095b51aafa446af8ea7217dcc2bc001bfadaa250bfcc8b8dea3d9aa630384f8cdf139512170d SHA512 68a71d098ae09b034cb57f8e38c06b23a6584f5538b94a44fb1e48e48c718f2b37eb5e38931e55e8769481ebf0ed8c8642cfa85a45ac23a71be31cc35380fbad
 DIST patchbundle-selinux-base-policy-2.20220106-r3.tar.bz2 309416 BLAKE2B 89852cce079300edcb00da41cfe42ea5041507f7d0a2a9897a4bd14f3ac68edfcc40ef49320e5ab826b1abb7fe7fc7ca4268042bbc019b3c76a58b9e112601c3 SHA512 4e23ad5e83df6c3501f0ac0a7201786d9f00809bedef248ae3a4b6af994e0006aaf70151c29ca21bb1c9c8887cc5bfeb18389d4f8e3bd3861c61d2d95d3a4e75
 DIST refpolicy-2.20220106.tar.bz2 560342 BLAKE2B bc0e65466333e02acb48adbb28b8176d3c8e508b2ff97d4f8a876d7c0a65534a62d86c9816ac59f6eed583f4b5c51cf432643edd2dad24dd51eb3cf22e2b75ac SHA512 794327d2dd07196b5f36771f9a961cdf294cf68f690735418d6bdd859499b7007c518cc022ccca9c245a5266b85bdb7cacdcaeefee14e4800937c9101476b373
diff --git a/sec-policy/selinux-docker/files/docker.patch b/sec-policy/selinux-docker/files/docker.patch
@@ -0,0 +1,41 @@
+diff --git a/policy/modules/services/docker.fc b/policy/modules/services/docker.fc
+index a5d0868e4..b7dcb0309 100644
+--- a/services/docker.fc
++++ b/services/docker.fc
+@@ -1,4 +1,5 @@
+ /usr/bin/docker	--	gen_context(system_u:object_r:dockerc_exec_t,s0)
++/usr/bin/tini --	gen_context(system_u:object_r:dockerc_exec_t,s0)
+ /usr/bin/dockerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+ /usr/bin/docker-proxy	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+ /usr/bin/containerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
+index ffaacff0b..d576e6c9a 100644
+--- a/services/docker.te
++++ b/services/docker.te
+@@ -168,3 +168,23 @@ userdom_search_user_runtime(dockerc_user_t)
+ xdg_search_data_dirs(dockerc_user_t)
+
+ container_stream_connect_user_containers(dockerc_user_t)
++
++optional_policy(`
++	gen_require(`
++		type proc_kcore_t;
++	')
++
++	allow dockerd_t proc_kcore_t:file mounton;
++')
++
++# required for socket activation
++allow dockerd_t initrc_t:unix_stream_socket { accept getattr getopt read shutdown write };
++
++# required for using Docker from Torcx ('unpack' is labelled as user_tmpfs_t)
++optional_policy(`
++	gen_require(`
++		type user_tmpfs_t;
++	')
++
++	allow dockerd_t user_tmpfs_t:dir { search };
++')
+-- 
+2.35.1
+
diff --git a/sec-policy/selinux-docker/selinux-docker-2.20220106-r1.ebuild b/sec-policy/selinux-docker/selinux-docker-2.20220106-r1.ebuild
diff --git a/sec-policy/selinux-docker/selinux-docker-2.20220106-r2.ebuild b/sec-policy/selinux-docker/selinux-docker-2.20220106-r2.ebuild
diff --git a/sec-policy/selinux-docker/selinux-docker-2.20220106-r3.ebuild b/sec-policy/selinux-docker/selinux-docker-2.20220106-r3.ebuild
@@ -8,6 +8,10 @@ MODS="docker"
 
 inherit selinux-policy-2
 
+POLICY_PATCH=(
+	"${FILESDIR}/docker.patch"
+)
+
 DESCRIPTION="SELinux policy for docker"
 
 if [[ ${PV} != 9999* ]] ; then