Increase selinux coverage of the host system

.github/workflows/portage-stable-packages-list

@@ -3,6 +3,7 @@
 acct-group/adm
 acct-group/audio
 acct-group/cdrom
+acct-group/clock
 acct-group/cuse
 acct-group/dialout
 acct-group/disk
@@ -76,6 +77,7 @@ acct-user/tss
 app-admin/eselect
 app-admin/logrotate
 app-admin/perl-cleaner
+app-admin/setools
 app-admin/sudo
 
 app-alternatives/awk
@@ -307,6 +309,7 @@ dev-perl/File-Slurper
 dev-perl/Parse-Yapp
 
 dev-python/backports-tarfile
+dev-python/backports-zstd
 dev-python/cachecontrol
 dev-python/certifi
 dev-python/cffi
@@ -346,6 +349,7 @@ dev-python/markupsafe
 dev-python/mdurl
 dev-python/more-itertools
 dev-python/msgpack
+dev-python/networkx
 dev-python/packaging
 dev-python/pathspec
 dev-python/pefile
@@ -379,6 +383,7 @@ dev-python/wheel
 dev-util/bpftool
 dev-util/bsdiff
 dev-util/catalyst
+dev-util/debugedit
 dev-util/gdbus-codegen
 dev-util/glib-utils
 dev-util/gperf
@@ -578,13 +583,48 @@ scripts
 
 sec-keys/openpgp-keys-gentoo-release
 
+sec-policy/selinux-apache
+sec-policy/selinux-apm
 sec-policy/selinux-base
 sec-policy/selinux-base-policy
+sec-policy/selinux-bind
+sec-policy/selinux-brctl
+sec-policy/selinux-cdrecord
+sec-policy/selinux-chronyd
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-dirmngr
+sec-policy/selinux-dnsmasq
+sec-policy/selinux-docker
+sec-policy/selinux-dracut
+sec-policy/selinux-git
+sec-policy/selinux-gpg
+sec-policy/selinux-kdump
+sec-policy/selinux-kerberos
+sec-policy/selinux-ldap
+sec-policy/selinux-loadkeys
+sec-policy/selinux-logrotate
+sec-policy/selinux-makewhatis
+sec-policy/selinux-mandb
+sec-policy/selinux-ntp
+sec-policy/selinux-pcscd
+sec-policy/selinux-podman
 sec-policy/selinux-policykit
+sec-policy/selinux-qemu
+sec-policy/selinux-quota
+sec-policy/selinux-rpc
+sec-policy/selinux-rpcbind
+sec-policy/selinux-samba
+sec-policy/selinux-sasl
+sec-policy/selinux-smartmon
 sec-policy/selinux-sssd
+sec-policy/selinux-sudo
+sec-policy/selinux-tcsd
 sec-policy/selinux-unconfined
+sec-policy/selinux-virt
+sec-policy/selinux-wireguard
+sec-policy/selinux-xfs
+sec-policy/selinux-zfs
 
 sys-apps/acl
 sys-apps/attr
@@ -627,10 +667,12 @@ sys-apps/nvme-cli
 sys-apps/pciutils
 sys-apps/pcsc-lite
 sys-apps/pkgcore
+sys-apps/policycoreutils
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
 sys-apps/sed
+sys-apps/selinux-python
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
@@ -660,6 +702,7 @@ sys-devel/binutils
 sys-devel/binutils-config
 sys-devel/bison
 sys-devel/crossdev
+sys-devel/dwz
 sys-devel/flex
 sys-devel/gcc
 sys-devel/gcc-config
@@ -709,6 +752,7 @@ sys-libs/libcap-ng
 sys-libs/libnvme
 sys-libs/libseccomp
 sys-libs/libselinux
+sys-libs/libsemanage
 sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing

bootstrap_sdk_container

@@ -11,6 +11,7 @@ source sdk_lib/sdk_container_common.sh
 
 seed_version=""
 target_version=""
+logdir=''
 
 declare -a cleanup
 
@@ -30,6 +31,7 @@ usage() {
     echo "      -x <cleanup-script> - For each resource generated during build (container etc.)"
     echo "                             add a cleanup line to <script> which, when run, will free"
     echo "                             the resource. Useful for CI."
+    echo "      -l <directory>      - Gather build logs here."
     echo "      -h                  - Print this help."
     echo
 }
@@ -38,6 +40,7 @@ usage() {
 while [ 0 -lt $# ] ; do
     case "$1" in
     -h) usage; exit 0;;
+    -l) logdir=${2}; shift 2;;
     -x) cleanup=("-x" "$2"); shift; shift;;
     *)  if [ -z "$seed_version" ] ; then
             seed_version="$1"
@@ -72,8 +75,11 @@ if $official; then
 fi
 
 # bootstrap_sdk needs FLATCAR_SDK_VERSION set to the seed version
+failed=''
 ./run_sdk_container "${cleanup[@]}" -V "$seed_version" -v "$target_version" \
-          sudo -E ./bootstrap_sdk
+          sudo -E ./bootstrap_sdk || failed=x
 
 # Update versionfile to the actual SDK version
 create_versionfile "${target_version}"
+
+if [[ -n ${failed} ]]; then exit 1; fi

build_library/board_options.sh

@@ -14,17 +14,6 @@ ARCH=$(get_board_arch ${BOARD})
 # What cross-build are we targeting?
 . "${BOARD_ROOT}/etc/portage/make.conf" || die
 
-# check if any of the given use flags are enabled for a pkg
-pkg_use_enabled() {
-  local pkg="$1"
-  shift
-  # for every flag argument, turn it into `-e ^+flag` for grep
-  local grep_args="${@/#/-e ^+}"
-
-  equery-"${BOARD}" -q uses "${pkg}" | grep -q ${grep_args}
-  return $?
-}
-
 # Usage: pkg_version [installed|binary|ebuild] some-pkg/name
 # Prints: some-pkg/name-1.2.3
 # Note: returns 0 even if the package was not found.

build_library/break_dep_loop.sh

@@ -0,0 +1,137 @@
+# Goo to attempt to resolve dependency loops on individual packages.
+# If this becomes insufficient we will need to move to a full multi-stage
+# bootstrap process like we do with the SDK via catalyst.
+#
+# Called like:
+#
+#     break_dep_loop [-v] [PKG_USE_PAIR]…
+#
+# Pass -v for verbose output.
+#
+# PKG_USE_PAIR consists of two arguments: a package name (for example:
+# sys-fs/lvm2), and a comma-separated list of USE flags to clear (for
+# example: udev,systemd).
+#
+# Env vars:
+#
+# BDL_ROOT, BDL_PORTAGEQ, BDL_EQUERY, BDL_EMERGE, BDL_INFO
+break_dep_loop() {
+    local bdl_root=${BDL_ROOT:-/}
+    local bdl_portageq=${BDL_PORTAGEQ:-portageq}
+    local bdl_equery=${BDL_EQUERY:-equery}
+    local bdl_emerge=${BDL_EMERGE:-emerge}
+    local bdl_info=${BDL_INFO:-echo}
+    local conf_dir="${bdl_root%/}/etc/portage"
+    local flag_file="${conf_dir}/package.use/break_dep_loop"
+    local force_flag_file="${conf_dir}/profile/package.use.force/break_dep_loop"
+
+    local verbose=
+    if [[ ${1:-} = '-v' ]]; then
+        verbose=x
+        shift
+    fi
+
+    # Be sure to clean up use flag hackery from previous failed runs
+    sudo rm -f "${flag_file}" "${force_flag_file}"
+
+    if [[ ${#} -eq 0 ]]; then
+        return 0
+    fi
+
+    function bdl_call() {
+        local output_var_name=${1}; shift
+        if [[ ${output_var_name} = '-' ]]; then
+            local throw_away
+            output_var_name=throw_away
+        fi
+        local -n output_ref=${output_var_name}
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "${*@Q}"
+        fi
+        local -i rv=0
+        output_ref=$("${@}") || rv=${?}
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "output: ${output_ref}"
+            "${bdl_info}" "exit status: ${rv}"
+        fi
+        return ${rv}
+    }
+
+    # Temporarily compile/install packages with flags disabled. If a binary
+    # package is available use it regardless of its version or use flags.
+    local pkg use_flags disabled_flags
+    local -a flags
+    local -a pkgs args flag_file_entries pkg_summaries
+    local -A per_pkg_flags=()
+    while [[ $# -gt 1 ]]; do
+        pkg=${1}
+        use_flags=${2}
+        shift 2
+
+        mapfile -t flags <<<"${use_flags//,/$'\n'}"
+        disabled_flags="${flags[*]/#/-}"
+
+        pkgs+=( "${pkg}" )
+        per_pkg_flags["${pkg}"]=${use_flags}
+        flag_file_entries+=( "${pkg} ${disabled_flags}" )
+        args+=( "--buildpkg-exclude=${pkg}" )
+        pkg_summaries+=( "${pkg}[${disabled_flags}]" )
+    done
+    unset pkg use_flags disabled_flags flags
+
+    # If packages are already installed we have nothing to do
+    local pkg any_package_uninstalled=
+    for pkg in "${pkgs[@]}"; do
+        if ! bdl_call - "${bdl_portageq}" has_version "${bdl_root}" "${pkg}"; then
+            any_package_uninstalled=x
+            break
+        fi
+    done
+    if [[ -z ${any_package_uninstalled} ]]; then
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "all packages (${pkgs[*]}) are installed already, skipping"
+        fi
+        return 0
+    fi
+    unset pkg any_package_uninstalled
+
+    # Likewise, nothing to do if the flags aren't actually enabled.
+    local pkg any_flag_enabled= equery_output flag flags_str
+    local -a flags grep_args
+    for pkg in "${pkgs[@]}"; do
+        bdl_call equery_output "${bdl_equery}" -q uses "${pkg}"
+        flags_str=${per_pkg_flags["${pkg}"]}
+        mapfile -t flags <<<"${flags_str//,/$'\n'}"
+        for flag in "${flags[@]}"; do
+            grep_args+=( -e "${flag/#/+}" )
+        done
+        if bdl_call - grep --quiet --line-regexp --fixed-strings "${grep_args[@]}" <<<"${equery_output}"; then
+            any_flag_enabled=x
+            break
+        fi
+    done
+    if [[ -z ${any_flag_enabled} ]]; then
+        if [[ -n ${verbose} ]]; then
+            "${bdl_info}" "all packages (${pkgs[*]}) has all the desired USE flags already disabled, skipping"
+        fi
+        return 0
+    fi
+    unset pkg any_flag_enabled equery_output flag flags_str flags grep_args
+
+    "${bdl_info}" "Merging ${pkg_summaries[*]}"
+    sudo mkdir -p "${flag_file%/*}" "${force_flag_file%/*}"
+    printf '%s\n' "${flag_file_entries[@]}" | sudo tee "${flag_file}" >/dev/null
+    cp -a "${flag_file}" "${force_flag_file}"
+    if [[ -n ${verbose} ]]; then
+        "${bdl_info}" "contents of ${flag_file@Q}:"
+        "${bdl_info}" "$(<"${flag_file}")"
+        "${bdl_info}" "${bdl_emerge}" --rebuild-if-unbuilt=n "${args[@]}" "${pkgs[@]}"
+    fi
+    # rebuild-if-unbuilt is disabled to prevent portage from needlessly
+    # rebuilding zlib for some unknown reason, in turn triggering more rebuilds.
+    "${bdl_emerge}" \
+         --rebuild-if-unbuilt=n \
+         "${args[@]}" "${pkgs[@]}"
+    sudo rm -f "${flag_file}" "${force_flag_file}"
+    unset bdl_call
+}

build_library/build_image_util.sh

@@ -19,6 +19,7 @@ fi
 BUILD_DIR="${FLAGS_output_root}/${BOARD}/${IMAGE_SUBDIR}"
 OUTSIDE_OUTPUT_DIR="../build/images/${BOARD}/${IMAGE_SUBDIR}"
 
+source "${BUILD_LIBRARY_DIR}/pkg_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
@@ -680,8 +681,13 @@ EOF
   fi
 
   # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  if is_selinux_enabled "${BOARD}"; then
+    info "Building selinux mcs policy"
+    sudo chroot "${root_fs_dir}" bash -s <<'EOF'
+cd /usr/share/selinux/mcs
+set -x
+semodule -s mcs -i *.pp
+EOF
   fi
 
   # Run tmpfiles once to make sure that /etc has everything in place before
@@ -715,12 +721,20 @@ EOF
   # SELinux: Label the root filesystem for using 'file_contexts'.
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
-  if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
-    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
+  if is_selinux_enabled "${BOARD}"; then
+    # -D - set or update any directory SHA1 digests
+    # -E - treat conflicting specifications as errors
+    # -F - force reset of context to match file_context
+    # -r path - set root path
+    # -v - show changes in file labels
+    # -T 0 - use as many threads as there are cores
+    info "Relabeling the filesystem at ${root_fs_dir@Q}"
+    local path
+    # We do not run relabeling on /boot, it's FAT anyway, so no
+    # support for xattrs there.
+    for path in / /usr /oem; do
+      sudo setfiles -D -E -F -r "${root_fs_dir}" -v -T 0 "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}${path}"
+    done
   fi
 
   # Temporary hack: set group ownership of /etc/{g,}shadow to the