Add selinux-policy-automotive sub-package

The package is modeled after selinux-policy-minimum in that it contains
all the modules that are present in selinux-policy-targeted, but most of
them are disabled (content of module-automotive-contrib.conf).
The rest of the configuration files is copied from targeted, only
booleans-automotive.conf and users-automotive are missing booleans and
users defined in disabled modules.

Resolves: RHEL-69666

booleans-automotive.conf

@@ -0,0 +1,15 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+pppd_can_insmod = false
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+use_virtualbox = true

modules-automotive-base.conf

@@ -0,0 +1,604 @@
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: contrib
+# Module: fwupd
+#
+# fwupd is a daemon to allow session software to update device firmware.
+#
+fwupd = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: contrib
+# Module: journalctl
+#
+# journalctl policy
+#
+journalctl = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: rpcbind
+#
+#  universal addresses to RPC program number mapper
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+#
+#
+ubac = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfined = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+

readme-automotive

@@ -0,0 +1,52 @@
+The automotive package is modeled after selinux-policy-minimum in that it
+contains all the modules that are present in selinux-policy-targeted, but most
+of them are disabled (content of module-automotive-contrib.conf).
+The rest of the configuration files is copied from targeted, only
+booleans-automotive.conf and users-automotive are missing booleans and users
+defined in disabled modules.
+
+
+The content of module-automotive-base.conf was determined as follows.
+Modules providing file context definitions related to packages in qm-minimal
+image package set [1]:
+["anaconda", "authlogin", "bluetooth", "bootloader", "clock", "cpucontrol",
+"cups", "daemontools", "dbus", "dmesg", "fstools", "fwupd", "games", "gpg",
+"hostname", "init", "iptables", "journalctl", "kerberos", "ldap", "libraries",
+"loadkeys", "locallogin", "logging", "lpd", "lvm", "miscfiles", "modutils",
+"mount", "mta", "namespace", "networkmanager", "nis", "oddjob", "rpc", "rpm",
+"selinuxutil", "stalld", "su", "sysnetwork", "systemd", "udev", "userdomain",
+"userhelper", "usermanage", "vlock"]
+
+Modules chosen based on name comparison with the qm-minimal image package set:
+["cyrus","dbus","gpg","ldap","rpm","sasl","fwupd","stalld","ssh","hostname",
+"iptables","mount","systemd","udev"]
+
+The following are additions based on qm-developer image package set:
+["netutils", "ssh", "sudo ", "chronyd", "mandb", "pesign", "rdisc", "rsync",
+"sosreport", "virt"]
+
+Dependencies of container-selinux:
+["anaconda","gnome","sssd"]
+
+Dependency of gpg:
+["apache"]
+
+systemd_logind does not work properly without:
+["dhcp"]
+
+
+All remaining modules are listed in module-automotive-contrib.conf and
+therefore disabled (modules set to "off" in modules-targeted-* where kept
+"off" in automotive as well).
+
+sandbox module was set to "off" instead of it being removed in spec file (as
+done in "minimum") to simplify the spec file.
+
+Note that DSP modules will not be installed if they follow [2], which is
+probably for the best, since they do not consistently use optional_policy
+blocks and would likely fail to install. However, container module is needed
+even for the qm-minimal image and has to be installed manually (probably in
+automotive-image-builder).
+
+[1] - https://autosd.sig.centos.org/AutoSD-9/nightly/core-rpms/autosd-core-rpms-x86_64.txt
+[2] - https://fedoraproject.org/wiki/SELinux/IndependentPolicy

securetty_types-automotive

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

selinux-policy.spec

@@ -18,13 +18,16 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
+%if %{?BUILD_AUTOMOTIVE:0}%{!?BUILD_AUTOMOTIVE:1}
+%define BUILD_AUTOMOTIVE 1
+%endif
 %define POLICYVER 33
 %define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 38.1.53
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
@@ -61,6 +64,13 @@ Source35: container-selinux.tgz
 
 Source36: selinux-check-proper-disable.service
 
+Source37: modules-automotive-base.conf
+Source38: modules-automotive-contrib.conf
+Source39: booleans-automotive.conf
+Source40: users-automotive
+Source41: setrans-automotive.conf
+Source42: securetty_types-automotive
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
 
@@ -408,7 +418,7 @@ end
 tar -C policy/modules/contrib -xf %{SOURCE35}
 
 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32} %{SOURCE37} %{SOURCE38} %{SOURCE39} %{SOURCE40} %{SOURCE41} %{SOURCE42};do
  cp $i selinux_config
 done
 
@@ -425,8 +435,8 @@ mkdir -p %{buildroot}%{_bindir}
 install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/
 
 # Always create policy module package directories
-mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,automotive,modules}/
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,automotive,modules}/
 
 mkdir -p %{buildroot}%{_datadir}/selinux/packages
 
@@ -466,8 +476,17 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %nonBaseModulesList mls
 %endif
 
+%if %{BUILD_AUTOMOTIVE}
+# Build automotive policy
+%makeCmds automotive mcs allow
+%makeModulesConf automotive base contrib
+%installCmds automotive mcs allow
+%modulesList automotive
+%nonBaseModulesList automotive
+%endif
+
 # remove leftovers when save-previous=true (semanage.conf) is used
-rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls,automotive}/previous
 
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
@@ -739,6 +758,83 @@ exit 0
 %fileList minimum
 %endif
 
+%if %{BUILD_AUTOMOTIVE}
+%package automotive
+Summary: SELinux automotive policy
+Provides: selinux-policy-any = %{version}-%{release}
+Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts:  seedit
+Conflicts: container-selinux <= 1.9.0-9
+
+%description automotive
+SELinux automotive policy package.
+
+%pretrans automotive -p <lua>
+%backupConfigLua
+
+%pre automotive
+%preInstall automotive
+if [ $1 -ne 1 ]; then
+    %{_sbindir}/semodule -s automotive --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/automotive/instmodules.lst
+fi
+
+%post automotive
+%checkConfigConsistency automotive
+contribpackages=`cat %{_datadir}/selinux/automotive/modules-contrib.lst`
+basepackages=`cat %{_datadir}/selinux/automotive/modules-base.lst`
+if [ ! -d %{_sharedstatedir}/selinux/automotive/active/modules/disabled ]; then
+    mkdir %{_sharedstatedir}/selinux/automotive/active/modules/disabled
+fi
+if [ $1 -eq 1 ]; then
+for p in $contribpackages; do
+    touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $basepackages apache dbus inetd kerberos mta nis; do
+    rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
+%{_sbindir}/semodule -B -s automotive
+else
+instpackages=`cat %{_datadir}/selinux/automotive/instmodules.lst`
+for p in $contribpackages; do
+    touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $instpackages apache dbus inetd kerberos mta nis; do
+    rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/semodule -B -s automotive
+%relabel automotive
+fi
+exit 0
+
+%posttrans automotive
+%checkConfigConsistency automotive
+
+%postun automotive
+if [ $1 = 0 ]; then
+    if [ -s %{_sysconfdir}/selinux/config ]; then
+        source %{_sysconfdir}/selinux/config &> /dev/null || true
+    fi
+    if [ "$SELINUXTYPE" = "automotive" ]; then
+        %{_sbindir}/setenforce 0 2> /dev/null
+        if [ ! -s %{_sysconfdir}/selinux/config ]; then
+            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+        else
+            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+        fi
+    fi
+fi
+exit 0
+
+%files automotive -f %{buildroot}%{_datadir}/selinux/automotive/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/sysadm_u
+%fileList automotive
+%endif
+
 %if %{BUILD_MLS}
 %package mls
 Summary: SELinux MLS policy

setrans-automotive.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

users-automotive

@@ -0,0 +1,39 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix will not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)