[RFE] rework SELinux patches

[tormath1]

Current situation

On Flatcar, we have SELinux patches. Some of these are quite old and could be upstreamed or purely deleted. Let's gather the feedback we had from an interesting discussion with https://wiki.gentoo.org/wiki/Project:SELinux folks:

• selinux-unconfined: no customization -> let's move it to ::portage-stable: sec-policy/selinux-unconfined: move from ::coreos-overlay flatcar-archive/portage-stable#314
• icmp-bind could be replaced with user_ping boolean? (@krnowak if you want to try it ?)
• unlabeled.patch could be upstreamed to refpolicy
• sshd.patch is broken (unconfined_t is not a file type so you cant put it on fcontexts)
• logging.patch seems fine, it has to use an interface (cant use kernel_t outside of kernel.te/if) could go upstream
• locallogin.patch could go upstream
• https://github.com/flatcar-linux/coreos-overlay/blob/main/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch could go upstream but need investigation

This is required for #673

Thanks a lot @perfinion for your time and your feedback :)

[gradientsearch]

👋 Hi @tormath1, has there been any progress on reworking these SELinux patches?

[tormath1]

Hi @angrieralien, thanks for the ping. I just checked and a few of them have been dropped. On the last three remaining, 2 of them could be upstreamed.

Do you have something in mind?