Increase selinux coverage of the host system

.github/workflows/portage-stable-packages-list

@@ -555,13 +555,48 @@ scripts
 
 sec-keys/openpgp-keys-gentoo-release
 
+sec-policy/selinux-apache
+sec-policy/selinux-apm
 sec-policy/selinux-base
 sec-policy/selinux-base-policy
+sec-policy/selinux-bind
+sec-policy/selinux-brctl
+sec-policy/selinux-cdrecord
+sec-policy/selinux-chronyd
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-dirmngr
+sec-policy/selinux-dnsmasq
+sec-policy/selinux-docker
+sec-policy/selinux-dracut
+sec-policy/selinux-git
+sec-policy/selinux-gpg
+sec-policy/selinux-kdump
+sec-policy/selinux-kerberos
+sec-policy/selinux-ldap
+sec-policy/selinux-loadkeys
+sec-policy/selinux-logrotate
+sec-policy/selinux-makewhatis
+sec-policy/selinux-mandb
+sec-policy/selinux-ntp
+sec-policy/selinux-pcscd
+sec-policy/selinux-podman
 sec-policy/selinux-policykit
+sec-policy/selinux-qemu
+sec-policy/selinux-quota
+sec-policy/selinux-rpc
+sec-policy/selinux-rpcbind
+sec-policy/selinux-samba
+sec-policy/selinux-sasl
+sec-policy/selinux-smartmon
 sec-policy/selinux-sssd
+sec-policy/selinux-sudo
+sec-policy/selinux-tcsd
 sec-policy/selinux-unconfined
+sec-policy/selinux-virt
+sec-policy/selinux-wireguard
+sec-policy/selinux-xfs
+sec-policy/selinux-zfs
 
 sys-apps/acl
 sys-apps/attr
@@ -603,6 +638,7 @@ sys-apps/nvme-cli
 sys-apps/pciutils
 sys-apps/pcsc-lite
 sys-apps/pkgcore
+sys-apps/policycoreutils
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
@@ -681,6 +717,7 @@ sys-libs/libcap-ng
 sys-libs/libnvme
 sys-libs/libseccomp
 sys-libs/libselinux
+sys-libs/libsemanage
 sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/libsemanage

@@ -0,0 +1,12 @@
+# A hack to modify semanage.conf before it gets copied by
+# multilib_copy_sources.
+if ! declare -pf flatcar_hacked_multilib_copy_sources >/dev/null 2>&1; then
+    eval "$(echo 'flatcar_hacked_multilib_copy_sources()'; declare -pf multilib_copy_sources | tail -n +2)"
+fi
+multilib_copy_sources() {
+    # Enable compression in semanage.conf
+    sed -i \
+        -e 's/^\(bzip-blocksize\)=0/\1=1/' \
+        "${S}/src/semanage.conf"
+    flatcar_hacked_multilib_copy_sources "${@}"
+}

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-apache

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-apm

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-bind

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-brctl

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-cdrecord

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-chronyd

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-dirmngr

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-dnsmasq

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-docker

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-dracut

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-git

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-gpg

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-kdump

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-kerberos

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-ldap

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-loadkeys

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-logrotate

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-makewhatis

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-mandb

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-ntp

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-pcscd

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-podman

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-qemu

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-quota

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-rpc

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-rpcbind

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-samba

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-sasl

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-smartmon

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-sudo

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-tcsd

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-virt

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-wireguard

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-xfs

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-zfs

@@ -0,0 +1 @@
+flatcar-selinux-patches

sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent

@@ -1,2 +1,2 @@
-portage-stable:default/linux/amd64/23.0/no-multilib/hardened/systemd
+portage-stable:default/linux/amd64/23.0/no-multilib/hardened/selinux/systemd
 :coreos/base

sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/parent

@@ -1,3 +1,2 @@
-portage-stable:default/linux/arm64/23.0/hardened
-portage-stable:targets/systemd
+portage-stable:default/linux/arm64/23.0/hardened/selinux/systemd
 :coreos/base

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -29,8 +29,8 @@ dev-vcs/git -perl -iconv
 app-admin/sudo -sendmail
 
 # disable hybrid cgroup as we use the unified mode now
-# use lzma which is the default on non-gentoo systems, enable selinux,
-sys-apps/systemd -cgroup-hybrid curl idn lzma selinux tpm
+# use lzma which is the default on non-gentoo systems,
+sys-apps/systemd -cgroup-hybrid curl idn lzma tpm
 net-libs/libmicrohttpd -ssl
 
 # disable kernel config detection and module building
@@ -59,7 +59,7 @@ sys-libs/glibc nscd
 dev-libs/cyrus-sasl kerberos -gdbm
 
 # don't build manpages for sssd
-sys-auth/sssd -python samba kerberos gssapi ssh selinux
+sys-auth/sssd -python samba kerberos gssapi ssh
 
 # enable logging command-line options in update_engine
 dev-cpp/glog gflags
@@ -72,20 +72,7 @@ sys-fs/quota rpc
 sys-apps/portage -xattr -rsync-verify
 
 # Enable -M and -Z flags; -M is used by mayday
-sys-process/lsof rpc selinux
-
-# Enable SELinux for all targets
-coreos-base/coreos          selinux
-sys-apps/dbus               selinux
-
-# Enable SELinux for coreutils
-sys-apps/coreutils          selinux
-
-# Enable SELinux for tar
-app-arch/tar                selinux
-
-# Enable SELinux for runc
-app-containers/runc selinux
+sys-process/lsof rpc
 
 # enable regular expression processing in jq
 app-misc/jq oniguruma
@@ -139,9 +126,6 @@ dev-libs/libpcre2 -pcre16 -pcre32 unicode
 # smi and ssl, no clue.
 net-analyzer/tcpdump -ssl -smi -samba
 
-# selinux: to find files with a particular SElinux label
-sys-apps/findutils selinux
-
 # Flatcar defaults formerly defined in coreos-overlay ebuilds
 app-containers/containerd btrfs device-mapper
 app-containers/docker btrfs overlay seccomp

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask

@@ -15,9 +15,6 @@ python_single_target_python3_12
 python_targets_python3_13
 python_single_target_python3_13
 
-# Unmask selinux so it can be enabled selectively in package.use
--selinux
-
 # We don't care about i10n, takes too much space, pulls in too many
 # extra dependencies.
 nls

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -10,23 +10,20 @@ app-editors/vim-core	minimal
 # Install our modifications and compatibility symlinks for ssh and ntp
 #
 # Install a SELinux policy directory symlink
-coreos-base/misc-files audit ntp openssh policycoreutils
+coreos-base/misc-files ntp openssh policycoreutils
 
 dev-lang/python		gdbm
 dev-libs/dbus-glib	tools
 dev-libs/elfutils	-utils
 dev-libs/openssl	pkcs11
-dev-util/perf		-perl -python
 net-misc/dhcp	        -server
-net-misc/ntp            caps
-sys-apps/smartmontools	-daemon -update-drivedb -systemd
+sys-apps/smartmontools	-caps -daemon -update-drivedb -systemd
 sys-block/parted        device-mapper
 sys-fs/lvm2		-readline thin lvm
 sys-libs/ncurses	minimal
-sys-libs/pam		audit
 
 # enable journal gateway, bootctl and container features
-sys-apps/systemd audit elfutils gnuefi http importd iptables
+sys-apps/systemd elfutils gnuefi http importd iptables
 
 # epoll is needed for systemd-journal-remote to work. coreos/bugs#919
 net-libs/libmicrohttpd epoll

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask

@@ -1,2 +1,9 @@
-# Only needed by Catalyst in the SDK, requires dev-lang/python-exec.
-sys-apps/util-linux python
+# Selinux profile force-enables USE=caps, but we don't need it for
+# smartmontools - it is only relevant for smartd daemon, which we do
+# not build.
+sys-apps/smartmontools caps
+
+# Allow python for sys-libs/libselinux - it is needed by portage with
+# USE=selinux. For production images, we will filter these files out
+# with an install mask.
+sys-libs/libselinux -python

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/make.defaults

@@ -52,3 +52,5 @@ INSTALL_MASK="${INSTALL_MASK}
   /sbin/ebtables-save
   /sbin/xfs_scrub_all
 "
+
+# TODO: Add libselinux python stuff to install mask here.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.mask

@@ -0,0 +1,3 @@
+# Disable anything that pulls those interpreters into generic images.
+perl
+python