examples: [selinux hacks intensify]

We need to avoid https://bugzilla.redhat.com/show_bug.cgi?id=2374928 but
`semanage` seems to have a bug when invoked more than once in a
container build, so we can't just add another invocation.  Use a module
instead, to workaround both issues in one go.

Signed-off-by: Allison Karlitskaya <[email protected]>

Author: allisonkarlitskaya

examples/uki/Containerfile

@@ -44,7 +44,11 @@ RUN <<EOF
     set -eux
 
     systemctl enable systemd-networkd
-    semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
+
+    checkmodule -M -m -o /etc/composefs_workarounds.mod /etc/composefs_workarounds.te
+    semodule_package -o /etc/composefs_workarounds.pp -m /etc/composefs_workarounds.mod
+    semodule -i /etc/composefs_workarounds.pp
+
     passwd -d root
     mkdir /sysroot
 EOF

examples/uki/extra/etc/composefs_workarounds.te

@@ -0,0 +1,20 @@
+module composefs_workarounds 1.0;
+
+require {
+    type sshd_t;
+    type tmpfs_t;
+    type systemd_gpt_generator_t;
+    type init_var_run_t;
+    class file read;
+    class file open;
+    class file getattr;
+    class lnk_file read;
+}
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374928
+allow sshd_t tmpfs_t:file open;
+allow sshd_t tmpfs_t:file getattr;
+allow sshd_t tmpfs_t:file read;
+
+# for volatile-root workaround
+allow systemd_gpt_generator_t init_var_run_t:lnk_file read;

examples/unified-secureboot/Containerfile

@@ -28,7 +28,11 @@ RUN <<EOF
     set -eux
 
     systemctl enable systemd-networkd
-    semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
+
+    checkmodule -M -m -o /etc/composefs_workarounds.mod /etc/composefs_workarounds.te
+    semodule_package -o /etc/composefs_workarounds.pp -m /etc/composefs_workarounds.mod
+    semodule -i /etc/composefs_workarounds.pp
+
     passwd -d root
     mkdir /sysroot
 EOF

examples/unified-secureboot/extra/etc/composefs_workarounds.te

@@ -0,0 +1,20 @@
+module composefs_workarounds 1.0;
+
+require {
+    type sshd_t;
+    type tmpfs_t;
+    type systemd_gpt_generator_t;
+    type init_var_run_t;
+    class file read;
+    class file open;
+    class file getattr;
+    class lnk_file read;
+}
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374928
+allow sshd_t tmpfs_t:file open;
+allow sshd_t tmpfs_t:file getattr;
+allow sshd_t tmpfs_t:file read;
+
+# for volatile-root workaround
+allow systemd_gpt_generator_t init_var_run_t:lnk_file read;

examples/unified/Containerfile

@@ -26,7 +26,11 @@ RUN <<EOF
     set -eux
 
     systemctl enable systemd-networkd
-    semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
+
+    checkmodule -M -m -o /etc/composefs_workarounds.mod /etc/composefs_workarounds.te
+    semodule_package -o /etc/composefs_workarounds.pp -m /etc/composefs_workarounds.mod
+    semodule -i /etc/composefs_workarounds.pp
+
     passwd -d root
     mkdir /sysroot
 EOF

examples/unified/extra/etc/composefs_workarounds.te

@@ -0,0 +1,20 @@
+module composefs_workarounds 1.0;
+
+require {
+    type sshd_t;
+    type tmpfs_t;
+    type systemd_gpt_generator_t;
+    type init_var_run_t;
+    class file read;
+    class file open;
+    class file getattr;
+    class lnk_file read;
+}
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374928
+allow sshd_t tmpfs_t:file open;
+allow sshd_t tmpfs_t:file getattr;
+allow sshd_t tmpfs_t:file read;
+
+# for volatile-root workaround
+allow systemd_gpt_generator_t init_var_run_t:lnk_file read;