Increase selinux coverage of the host system

.github/workflows/portage-stable-packages-list

@@ -73,6 +73,7 @@ acct-user/tss
 app-admin/eselect
 app-admin/logrotate
 app-admin/perl-cleaner
+app-admin/setools
 app-admin/sudo
 
 app-alternatives/awk
@@ -335,6 +336,7 @@ dev-python/markupsafe
 dev-python/mdurl
 dev-python/more-itertools
 dev-python/msgpack
+dev-python/networkx
 dev-python/olefile
 dev-python/packaging
 dev-python/pathspec
@@ -569,13 +571,48 @@ scripts
 
 sec-keys/openpgp-keys-gentoo-release
 
+sec-policy/selinux-apache
+sec-policy/selinux-apm
 sec-policy/selinux-base
 sec-policy/selinux-base-policy
+sec-policy/selinux-bind
+sec-policy/selinux-brctl
+sec-policy/selinux-cdrecord
+sec-policy/selinux-chronyd
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-dirmngr
+sec-policy/selinux-dnsmasq
+sec-policy/selinux-docker
+sec-policy/selinux-dracut
+sec-policy/selinux-git
+sec-policy/selinux-gpg
+sec-policy/selinux-kdump
+sec-policy/selinux-kerberos
+sec-policy/selinux-ldap
+sec-policy/selinux-loadkeys
+sec-policy/selinux-logrotate
+sec-policy/selinux-makewhatis
+sec-policy/selinux-mandb
+sec-policy/selinux-ntp
+sec-policy/selinux-pcscd
+sec-policy/selinux-podman
 sec-policy/selinux-policykit
+sec-policy/selinux-qemu
+sec-policy/selinux-quota
+sec-policy/selinux-rpc
+sec-policy/selinux-rpcbind
+sec-policy/selinux-samba
+sec-policy/selinux-sasl
+sec-policy/selinux-smartmon
 sec-policy/selinux-sssd
+sec-policy/selinux-sudo
+sec-policy/selinux-tcsd
 sec-policy/selinux-unconfined
+sec-policy/selinux-virt
+sec-policy/selinux-wireguard
+sec-policy/selinux-xfs
+sec-policy/selinux-zfs
 
 sys-apps/acl
 sys-apps/attr
@@ -617,10 +654,12 @@ sys-apps/nvme-cli
 sys-apps/pciutils
 sys-apps/pcsc-lite
 sys-apps/pkgcore
+sys-apps/policycoreutils
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
 sys-apps/sed
+sys-apps/selinux-python
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
@@ -697,6 +736,7 @@ sys-libs/libcap-ng
 sys-libs/libnvme
 sys-libs/libseccomp
 sys-libs/libselinux
+sys-libs/libsemanage
 sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing

build_library/board_options.sh

@@ -16,13 +16,19 @@ ARCH=$(get_board_arch ${BOARD})
 
 # check if any of the given use flags are enabled for a pkg
 pkg_use_enabled() {
-  local pkg="$1"
-  shift
-  # for every flag argument, turn it into `-e ^+flag` for grep
-  local grep_args="${@/#/-e ^+}"
+  local pkg="${1}"; shift
 
-  equery-"${BOARD}" -q uses "${pkg}" | grep -q ${grep_args}
-  return $?
+  # for every flag argument, turn it into a regexp that matches it as
+  # either '+${flag}' or '(+${flag})'
+  local -a grep_args=()
+  local flag
+  for flag; do
+      grep_args+=( -e '^(\?+'"${flag}"')\?$' )
+  done
+  local -i rv=0
+
+  equery-"${BOARD}" --quiet uses --forced-masked "${pkg}" | grep --quiet "${grep_args[@]}" || rv=$?
+  return ${rv}
 }
 
 # Usage: pkg_version [installed|binary|ebuild] some-pkg/name

build_library/break_dep_loop.sh

@@ -0,0 +1,137 @@
+# Goo to attempt to resolve dependency loops on individual packages.
+# If this becomes insufficient we will need to move to a full multi-stage
+# bootstrap process like we do with the SDK via catalyst.
+#
+# Called like:
+#
+#     break_dep_loop [-v] [PKG_USE_PAIR]…
+#
+# Pass -v for verbose output.
+#
+# PKG_USE_PAIR consists of two arguments: a package name (for example:
+# sys-fs/lvm2), and a comma-separated list of USE flags to clear (for
+# example: udev,systemd).
+#
+# Env vars:
+#
+# BDL_ROOT, BDL_PORTAGEQ, BDL_EQUERY, BDL_EMERGE, BDL_INFO
+break_dep_loop() {
+    local bdl_root=${BDL_ROOT:-/}
+    local bdl_portageq=${BDL_PORTAGEQ:-portageq}
+    local bdl_equery=${BDL_EQUERY:-equery}
+    local bdl_emerge=${BDL_EMERGE:-emerge}
+    local bdl_info=${BDL_INFO:-echo}
+    local conf_dir="${bdl_root%/}/etc/portage"
+    local flag_file="${conf_dir}/package.use/break_dep_loop"
+    local force_flag_file="${conf_dir}/profile/package.use.force/break_dep_loop"
+
+    local verbose=
+    if [[ ${1:-} = '-v' ]]; then
+        verbose=x
+        shift
+    fi
+
+    # Be sure to clean up use flag hackery from previous failed runs
+    sudo rm -f "${flag_file}" "${force_flag_file}"
+
+    if [[ ${#} -eq 0 ]]; then
+        return 0
+    fi
+
+    function bdl_call() {
+        local output_var_name=${1}; shift
+        if [[ ${output_var_name} = '-' ]]; then
+            local throw_away
+            output_var_name=throw_away
+        fi
+        local -n output_ref=${output_var_name}
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "${*@Q}"
+        fi
+        local -i rv=0
+        output_ref=$("${@}") || rv=${?}
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "output: ${output_ref}"
+            "${bdl_info}" "exit status: ${rv}"
+        fi
+        return ${rv}
+    }
+
+    # Temporarily compile/install packages with flags disabled. If a binary
+    # package is available use it regardless of its version or use flags.
+    local pkg use_flags disabled_flags
+    local -a flags
+    local -a pkgs args flag_file_entries pkg_summaries
+    local -A per_pkg_flags=()
+    while [[ $# -gt 1 ]]; do
+        pkg=${1}
+        use_flags=${2}
+        shift 2
+
+        mapfile -t flags <<<"${use_flags//,/$'\n'}"
+        disabled_flags="${flags[*]/#/-}"
+
+        pkgs+=( "${pkg}" )
+        per_pkg_flags["${pkg}"]=${use_flags}
+        flag_file_entries+=( "${pkg} ${disabled_flags}" )
+        args+=( "--buildpkg-exclude=${pkg}" )
+        pkg_summaries+=( "${pkg}[${disabled_flags}]" )
+    done
+    unset pkg use_flags disabled_flags flags
+
+    # If packages are already installed we have nothing to do
+    local pkg any_package_uninstalled=
+    for pkg in "${pkgs[@]}"; do
+        if ! bdl_call - "${bdl_portageq}" has_version "${bdl_root}" "${pkg}"; then
+            any_package_uninstalled=x
+            break
+        fi
+    done
+    if [[ -z ${any_package_uninstalled} ]]; then
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "all packages (${pkgs[*]}) are installed already, skipping"
+        fi
+        return 0
+    fi
+    unset pkg any_package_uninstalled
+
+    # Likewise, nothing to do if the flags aren't actually enabled.
+    local pkg any_flag_enabled= equery_output flag flags_str
+    local -a flags grep_args
+    for pkg in "${pkgs[@]}"; do
+        bdl_call equery_output "${bdl_equery}" -q uses "${pkg}"
+        flags_str=${per_pkg_flags["${pkg}"]}
+        mapfile -t flags <<<"${flags_str//,/$'\n'}"
+        for flag in "${flags[@]}"; do
+            grep_args+=( -e "${flag/#/+}" )
+        done
+        if bdl_call - grep --quiet --line-regexp --fixed-strings "${grep_args[@]}" <<<"${equery_output}"; then
+            any_flag_enabled=x
+            break
+        fi
+    done
+    if [[ -z ${any_flag_enabled} ]]; then
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "all packages (${pkgs[*]}) has all the desired USE flags already disabled, skipping"
+        fi
+        return 0
+    fi
+    unset pkg any_flag_enabled equery_output flag flags_str flags grep_args
+
+    "${bdl_info}" "Merging ${pkg_summaries[*]}"
+    sudo mkdir -p "${flag_file%/*}" "${force_flag_file%/*}"
+    printf '%s\n' "${flag_file_entries[@]}" | sudo tee "${flag_file}" >/dev/null
+    cp -a "${flag_file}" "${force_flag_file}"
+    if [[ -n ${verbose} ]]; then
+        "${bdl_info}" "contents of ${flag_file@Q}:"
+        "${bdl_info}" "$(<"${flag_file}")"
+        "${bdl_info}" "${bdl_emerge}" --rebuild-if-unbuilt=n "${args[@]}" "${pkgs[@]}"
+    fi
+    # rebuild-if-unbuilt is disabled to prevent portage from needlessly
+    # rebuilding zlib for some unknown reason, in turn triggering more rebuilds.
+    "${bdl_emerge}" \
+         --rebuild-if-unbuilt=n \
+         "${args[@]}" "${pkgs[@]}"
+    sudo rm -f "${flag_file}" "${force_flag_file}"
+    unset bdl_call
+}

build_library/build_image_util.sh

@@ -684,7 +684,23 @@ EOF
 
   # Build the selinux policy
   if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+      # Follow what Gentoo is doing in the selinux-policy-2.eclass -
+      # rebuilding the policy using all the files in the mcs
+      # directory, but ordering base.pp as the first file. The
+      # difference is that we also include unconfined.pp too (Gentoo
+      # omits this one for mcs policy), because our modifications to
+      # selinux policies use unconfined type too.
+      info "Building selinux mcs policy"
+      sudo chroot "${root_fs_dir}" bash -s <<'EOF'
+cd /usr/share/selinux/mcs
+pp_files=( -i base.pp )
+for f in *.pp; do
+    if [[ ${f} != 'base.pp' ]]; then
+        pp_files+=( -i "${f}" )
+    fi
+done
+semodule -s mcs "${pp_files[@]}"
+EOF
   fi
 
   # Run tmpfiles once to make sure that /etc has everything in place before
@@ -719,11 +735,13 @@ EOF
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
   if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
-    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
+    # -D - set or update any directory SHA1 digests
+    # -E - treat conflicting specifications as errors
+    # -F - force reset of context to match file_context
+    # -r path - set root path
+    # -v - show changes in file labels
+    # -T 0 - use as many threads as there are cores
+    sudo setfiles -D -E -F -r "${root_fs_dir}" -v -T 0 "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
   fi
 
   # Backup the /etc contents to /usr/share/flatcar/etc to serve as

build_library/catalyst_toolchains.sh

@@ -3,6 +3,7 @@
 set -e
 source /tmp/chroot-functions.sh
 source /tmp/toolchain_util.sh
+source /tmp/break_dep_loop.sh
 
 # A note on packages:
 # The default PKGDIR is /usr/portage/packages
@@ -28,13 +29,77 @@ build_target_toolchain() {
     local ROOT="/build/${board}"
     local SYSROOT="/usr/$(get_board_chost "${board}")"
 
-    mkdir -p "${ROOT}/usr"
-    cp -at "${ROOT}" "${SYSROOT}"/lib*
-    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include "${SYSROOT}"/usr/lib*
+    function btt_emerge() {
+        # --root is required because run_merge overrides ROOT=
+        PORTAGE_CONFIGROOT="$ROOT" run_merge --root="$ROOT" --sysroot="$ROOT" "${@}"
+    }
 
-    # --root is required because run_merge overrides ROOT=
-    PORTAGE_CONFIGROOT="$ROOT" \
-        run_merge -u --root="$ROOT" --sysroot="$ROOT" "${TOOLCHAIN_PKGS[@]}"
+    # install baselayout first - with the selinux profile, this is
+    # pulled into the dependency chain
+    btt_emerge --oneshot --nodeps sys-apps/baselayout
+
+    # copy libraries from sysroot to root - sysroot seems to be
+    # split-usr, whereas root does not, so take this into account
+    (
+        shopt -s nullglob
+        local d f
+        local -a files
+        for d in "${SYSROOT}"/lib* "${SYSROOT}"/usr/lib*; do
+            if [[ ! -d ${d} ]]; then
+                continue
+            fi
+            files=( "${d}"/* )
+            if [[ ${#files[@]} -gt 0 ]]; then
+                f=${d##*/}
+                cp -at "${ROOT}/usr/${f}" "${files[@]}"
+            fi
+        done
+    )
+    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include
+
+    local -a args_for_bdl=()
+    if [[ -n ${clst_VERBOSE} ]]; then
+        args_for_bdl+=(-v)
+    fi
+    function btt_bdl_portageq() {
+        ROOT=${ROOT} SYSROOT=${ROOT} PORTAGE_CONFIGROOT=${ROOT} portageq "${@}"
+    }
+    function btt_bdl_equery() {
+        ROOT=${ROOT} SYSROOT=${ROOT} PORTAGE_CONFIGROOT=${ROOT} equery "${@}"
+    }
+    # Breaking the following loops here:
+    #
+    # glibc[nscd] -> libcap[pam] -> sys-libs/pam -> libcrypt -> libxcrypt[system] -> glibc
+    # glibc[nscd] -> audit[python] -> python -> libcrypt -> libxcrypt[system] -> glibc
+    # glibc[selinux] -> libselinux[python] -> python -> libcrypt -> libxcrypt[system] -> glibc
+    # systemd[cryptsetup] -> cryptsetup[udev] -> libudev[systemd] -> systemd
+    # systemd[cryptsetup] -> cryptsetup -> lvm2[udev] -> libudev[systemd] -> systemd
+    # systemd[cryptsetup] -> cryptsetup -> lvm2[lvm,systemd] -> systemd
+    # systemd[cryptsetup] -> cryptsetup -> tmpfiles[systemd] -> systemd
+    # systemd[curl] -> curl -> nghttp2[systemd] -> systemd
+    #     importd requires curl, so needs to be disabled too
+    # systemd[tpm] -> tpm2-tss -> tmpfiles[systemd] -> systemd
+    # util-linux[audit] -> audit[python] -> python -> util-linux
+    # util-linux[cryptsetup] -> cryptsetup -> util-linux
+    # util-linux[pam] -> sys-libs/pam[audit] -> sys-process/audit[python] -> python -> util-linux
+    #     su requires pam, so needs to be disabled too
+    # util-linux[selinux] -> libselinux[python] -> python -> util-linux
+    # util-linux[systemd] -> systemd -> util-linux
+    # util-linux[udev] -> libudev[systemd] -> systemd -> util-linux
+    args_for_bdl+=(
+        sys-apps/systemd cryptsetup,curl,importd,tpm
+        sys-apps/util-linux audit,cryptsetup,pam,selinux,su,systemd,udev
+        sys-libs/glibc nscd,selinux
+    )
+    BDL_ROOT=${ROOT} \
+    BDL_PORTAGEQ=btt_bdl_portageq \
+    BDL_EQUERY=btt_bdl_equery \
+    BDL_EMERGE=btt_emerge \
+        break_dep_loop "${args_for_bdl[@]}"
+    unset btt_bdl_portageq btt_bdl_equery
+
+    btt_emerge --changed-use --update --deep "${TOOLCHAIN_PKGS[@]}"
+    unset btt_emerge
 }
 
 configure_crossdev_overlay / /usr/local/portage/crossdev

build_library/prod_image_util.sh

@@ -253,6 +253,7 @@ create_prod_sysexts() {
         --image_builddir="${BUILD_DIR}" \
         --install_root_basename="${name}-extra-sysext-rootfs" \
         ${mangle_script:+--manglefs_script=${mangle_script}} \
+        --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
         "${name}" "${pkg_array[@]}"
     delta_generator \
       -private_key "/usr/share/update_engine/update-payload-key.key.pem" \