From 1e43d1ce2a23fc96e4a786161d73449fb0cf3761 Mon Sep 17 00:00:00 2001
From: Michael Armijo
Date: Tue, 3 Sep 2024 12:50:29 -0600
Subject: [PATCH] manifests: add selinux-workaround.yaml for >= F41

Recent changes in the SELinux policy have broken a lot of our code. Revert the affected domains back to permissive mode so we can continue to build and test `releasever >= 41` until https://github.com/fedora-selinux/selinux-policy/pull/2257 merges and the domains are reverted upstream or until the issue is resolved altogether.

Add the workaround for `afterburn_t` as well so we can unblock https://github.com/coreos/fedora-coreos-tracker/issues/1784
---
 manifests/fedora-coreos.yaml | 2 ++
 manifests/selinux-workaround.yaml | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 manifests/selinux-workaround.yaml

diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
index 7cfe12eb2b..047f86292a 100644
--- a/manifests/fedora-coreos.yaml
+++ b/manifests/fedora-coreos.yaml
@@ -32,6 +32,8 @@ conditional-include: include: wifi-firmwares.yaml - if: releasever >= 41 include: composefs.yaml + - if: releasever >= 41 + include: selinux-workaround.yaml ostree-layers: - overlay/15fcos
diff --git a/manifests/selinux-workaround.yaml b/manifests/selinux-workaround.yaml
new file mode 100644
index 0000000000..391e784e36
--- /dev/null
+++ b/manifests/selinux-workaround.yaml
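Review bot: The new conditional include keys the workaround on `releasever >= 41`, which is the Fedora release rather than the selinux-policy build that introduced the regression, so it will keep applying to F41 composes after fedora-selinux/selinux-policy#2257 lands and to every later release until someone removes it by hand. A comment on the include naming the removal condition would make that visible where the gating lives, e.g. `# TODO: drop once selinux-policy ships the fix from fedora-selinux/selinux-policy#2257` above the `- if: releasever >= 41` line.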
@@ -0,0 +1,23 @@
+# Recent changes in the SELinux policy have broken a lot of our code.
+# Revert the affected domains back to permissive mode so we can
+# continue to build and test `releasever >= 41` until
+# https://github.com/fedora-selinux/selinux-policy/pull/2257 merges
+# and the domains are reverted upstream or until the issue is resolved
+# altogether
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    cat > /tmp/fcos-workarounds.cil << EOF
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2300306
+    (typeattributeset cil_gen_require bootupd_t)
+    (typepermissive bootupd_t)
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2305385
+    (typeattributeset cil_gen_require coreos_installer_t)
+    (typepermissive coreos_installer_t)
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2306352
+    (typeattributeset cil_gen_require afterburn_t)
+    (typepermissive afterburn_t)
+    EOF
+    /usr/sbin/semodule -i /tmp/fcos-workarounds.cil
+    rm /tmp/fcos-workarounds.cil
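Review bot: The three `typepermissive` statements drop SELinux containment for `bootupd_t`, `coreos_installer_t` and `afterburn_t` entirely — every access those processes make is allowed and denials are only logged — not merely the accesses the new policy broke, and the header comment does not say so even though these are, as I understand them, the domains that write the boot partition and the install target and that consume provider-supplied metadata. The `semodule -i` call also installs the module persistently into the policy store (named after the file, so `fcos-workarounds`), and nothing in the script fails the build once the fixed selinux-policy is present, so the workaround can silently outlive the bug. I would extend the header comment with something like `# NOTE: permissive domains are fully unconfined (AVC denials are logged, not enforced); remove with 'semodule -r fcos-workarounds' once the fixed selinux-policy is in the compose`, and consider guarding the script with a version check on the installed selinux-policy package so the build breaks loudly when the workaround is no longer needed.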