sec-policy/*: sync with gentoo

[tormath1]

In this PR, we upgrade selinux-{base,base-policy} to a more recent version (2022-01-06) and we drop selinux-virt. Two new policy modules have been added: selinux-docker and selinux-container.

We tried to align on the upstream but we still have some divergences:

• torcx does run as unconfined (don't want to bother to write a custom module for it... as it might be soon deprecated)
• added missing file contexts to the torcx image files
• since Flatcar overuses systemd-tmpfiles, we're still missing some interfaces (see PRs)

• selinux: sync with the upstream portage-stable#339
• build_library: set correct SELinux contexts in final images flatcar/scripts#368
• tmpfiles.d: add relabel option flatcar/baselayout#24
• test/selinux: update boolean name and added back enforced Selinux Cilium tests flatcar/mantle#344
• systemd: add new permissions SELinuxProject/refpolicy#516
• systemd: extend systemd_tmpfiles_manage_all tunable policy SELinuxProject/refpolicy#515
• Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
• CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/467/cldsv/

---

Result from moving from selinux-virt to selinux-container:

• docker process are running fine without patches
• processes are labelled with spc_t for --privileged containers (TODO: add a test for it)

Closes: flatcar/Flatcar#479, flatcar/Flatcar#695

The system is now fully labeled:

Process contexts:
Current context:                system_u:system_r:unconfined_t:s0
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           system_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:unconfined_exec_t:s0

in contrast with current stable:

Process contexts:
Current context:                system_u:system_r:kernel_t:s0
Init context:                   system_u:system_r:kernel_t:s0

File contexts:
Controlling terminal:           system_u:object_r:devpts_t:s0
/etc/passwd                     system_u:object_r:unlabeled_t:s0
/etc/shadow                     system_u:object_r:unlabeled_t:s0
/bin/bash                       system_u:object_r:unlabeled_t:s0
/bin/login                      system_u:object_r:unlabeled_t:s0
/bin/sh                         system_u:object_r:unlabeled_t:s0 -> system_u:object_r:unlabeled_t:s0
/sbin/agetty                    system_u:object_r:unlabeled_t:s0
/sbin/init                      system_u:object_r:unlabeled_t:s0 -> system_u:object_r:unlabeled_t:s0
/usr/sbin/sshd                  system_u:object_r:unlabeled_t:s0

Containerd and Docker are running with the correct labels:

core@localhost ~ $ ps auxZ | grep container
system_u:system_r:dockerd_t:s0  root         828  0.7  4.5 1421368 44856 ?       Ssl  08:45   0:00 /run/torcx/bin/containerd --config /run/torcx/unpack/docker/usr/share/containerd/config.toml
system_u:system_r:dockerd_t:s0  root         924  3.6  8.6 1456640 85892 ?       Ssl  08:45   0:00 /run/torcx/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock --selinux-enabled=true

Correct processes labelling from inside a container:

core@localhost ~ $ docker run --privileged --rm -ti -d alpine sleep infinity
core@localhost ~ $ docker run --rm -ti -d alpine sleep infinity
core@localhost ~ $ ps auxZ | grep infinity
system_u:system_r:container_t:s0:c115,c639 root 1159 0.2  0.0 1596    4 pts/0    Ss+  08:46   0:00 sleep infinity
system_u:system_r:spc_t:s0      root        1234  0.4  0.0   1596     4 pts/0    Ss+  08:46   0:00 sleep infinity

TODO:

• regen the manifest files for the cleanup of ebuilds

[krnowak]

I would only want to ask you to keep only one ebuild per package, so it will be clear which ebuild is actually patched up by us. Thanks!

[tormath1]

I would only want to ask you to keep only one ebuild per package, so it will be clear which ebuild is actually patched up by us. Thanks!

I did or I missed one? If you just checked the Manifest that's normal, it's added in the TODO to regen the manifest otherwise it's in each "flatcar patches" commit (removed non-used ebuilds)

[krnowak]

I would only want to ask you to keep only one ebuild per package, so it will be clear which ebuild is actually patched up by us. Thanks!

I did or I missed one? If you just checked the Manifest that's normal, it's added in the TODO to regen the manifest otherwise it's in each "flatcar patches" commit (removed non-used ebuilds)

Ah, sorry. I just remembered that we used to have more ebuilds in those packages and Manifest files confused me, apparently. :) Thanks for taking care of it.

[JAORMX]

should we instead do:

Z	/etc/selinux/

?

[tormath1]

yes, we could try that.