Support semanage.mods

Aimee OS variants can now supply a `semange.mods` file in their
configuration directories.  This file contains SELinux customizations,
in the format produced by `semanage export`.  Variants can use this
mechanism to set SELinux booleans, change user/login mappings, and other
SELinux policy customization.  At build time, the base `selinux.mods`
file in the source directory is combined with the variant's file, if it
exists, and the resultant customizations are applied in a single
transaction.

Makefile

@@ -39,6 +39,11 @@ $(O)/.built: \
 	./build.sh
 	touch $(O)/.built
 
+$(O)/semanage.mods: \
+		semanage.mods \
+		$(wildcard $(CONFIGDIR)/semanage.mods)
+	cat $^ > $@
+
 $(O)/.ready: \
 		build-rootfs.sh \
 		install.packages \
@@ -46,11 +51,12 @@ $(O)/.ready: \
 		$(CONFIGDIR)/installonly.packages \
 		$(CONFIGDIR)/busybox.symlinks \
 		$(O)/linux/arch/arm64/boot/Image.gz \
+		$(O)/semanage.mods \
 		$(shell find overlay -type f) \
 		$(shell find $(CONFIGDIR)/overlay -type f 2>/dev/null) \
 		$(O)/.host-tools \
 		$(O)/.built
-	./build-rootfs.sh
+	./build-rootfs.sh "$(O)"
 	touch $(O)/.ready
 
 $(O)/squashfs.exclude: \

build-rootfs.sh

@@ -5,6 +5,8 @@ set -e
 
 . "${CONFIGDIR:=${PWD}}"/config
 
+O="${1}"
+
 mkdir -p \
     /mnt/gentoo/usr/bin \
     /mnt/gentoo/usr/lib \
@@ -97,10 +99,7 @@ fi
 unshare -m sh -e <<EOF
 mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
 mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
-semanage boolean -N -m --on systemd_tmpfiles_manage_all
-semanage boolean -N -m --on ssh_sysadm_login
-semanage login -N -m -s root root
-semanage user -N -m -R sysadm_r root
+semanage import -N -f "${O}"/semanage.mods
 EOF
 
 setfiles \

semanage.mods

@@ -0,0 +1,15 @@
+boolean -D
+login -D
+interface -D
+user -D
+port -D
+node -D
+fcontext -D
+module -D
+ibendport -D
+ibpkey -D
+permissive -D
+boolean -m -1 ssh_sysadm_login
+boolean -m -1 systemd_tmpfiles_manage_all
+login -m -s root -r 's0-s0:c0.c1023' root
+user -m -L s0 -r s0-s0:c0.c1023 -R 'sysadm_r' root