overlay sys-libs/libsemanage: ship our own semanage.conf

we ship our own 'semanage.conf' in order to customize the configuration
by adding 'remove-hll = true' for example in order to reduce the selinux
policy size.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/semanage.conf

@@ -0,0 +1,69 @@
+# Authors: Jason Tang <jtang@tresys.com>
+#
+# Copyright (C) 2004-2005 Tresys Technology, LLC
+#
+#  This library is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 2.1 of the License, or (at your option) any later version.
+#
+#  This library is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public
+#  License along with this library; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+# Specify how libsemanage will interact with a SELinux policy manager.
+# The four options are:
+#
+#  "source"     - libsemanage manipulates a source SELinux policy
+#  "direct"     - libsemanage will write directly to a module store.
+#  /foo/bar     - Write by way of a policy management server, whose
+#                 named socket is at /foo/bar.  The path must begin
+#                 with a '/'.
+#  example.com:4242
+#               - Establish a TCP connection to a remote policy
+#                 management server at example.com.  If there is a colon
+#                 then the remainder is interpreted as a port number;
+#                 otherwise default to port 4242.
+module-store = direct
+
+# When generating the final linked and expanded policy, by default
+# semanage will set the policy version to POLICYDB_VERSION_MAX, as
+# given in <sepol/policydb.h>.  Change this setting if a different
+# version is necessary.
+#policy-version = 19
+
+# By default, semanage will generate policies for the SELinux target.
+# To build policies for Xen, uncomment the following line.
+#target-platform = xen
+
+# Set this to true to save the linked policy.
+# This is normally only useful for analysis
+# or debugging of policy.
+save-linked=false
+
+# Set this to 0 to disable assertion checking.
+# This should speed up building the kernel policy
+# from policy modules, but may leave you open to
+# dangerous rules which assertion checking
+# would catch.
+expand-check=1
+
+# Modules in the module store can be compressed
+# with bzip2.  Set this to the bzip2 blocksize
+# 1-9 when compressing.  The higher the number,
+# the more memory is traded off for disk space.
+# Set to 0 to disable bzip2 compression.
+bzip-blocksize=0
+
+# Reduce memory usage for bzip2 compression and
+# decompression of modules in the module store.
+bzip-small=true
+
+# HLL files take a bunch of space.
+# (20mb for MCS policy type)
+remove-hll = true

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild

@@ -81,6 +81,8 @@ src_install() {
 
     insinto '/etc/selinux/'
     newins "${FILESDIR}/selinux-config" config
+    doins "${FILESDIR}/semanage.conf"
+
 
     insinto '/etc/bash/bashrc.d'
     doins "${FILESDIR}/99-flatcar-bcc"

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/libsemanage

@@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/semanage.conf"
+INSTALL_MASK+=" /etc/selinux/semanage.conf"