scripts/selinux/install_policy.sh at v6.19 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / scripts / selinux / install_policy.sh
at v6.19 81 lines 2.2 kB view raw
 1#!/bin/sh
 2# SPDX-License-Identifier: GPL-2.0
 3set -e
 4if [ `id -u` -ne 0 ]; then
 5	echo "$0: must be root to install the selinux policy"
 6	exit 1
 7fi
 8
 9SF=`which setfiles` || {
10	echo "Could not find setfiles"
11	echo "Do you have policycoreutils installed?"
12	exit 1
13}
14
15CP=`which checkpolicy` || {
16	echo "Could not find checkpolicy"
17	echo "Do you have checkpolicy installed?"
18	exit 1
19}
20VERS=`$CP -V | awk '{print $1}'`
21
22ENABLED=`which selinuxenabled` || {
23	echo "Could not find selinuxenabled"
24	echo "Do you have libselinux-utils installed?"
25	exit 1
26}
27
28if selinuxenabled; then
29    echo "SELinux is already enabled"
30    echo "This prevents safely relabeling all files."
31    echo "Boot with selinux=0 on the kernel command-line."
32    exit 1
33fi
34
35cd mdp
36./mdp -m policy.conf file_contexts
37$CP -U allow -M -o policy.$VERS policy.conf
38
39mkdir -p /etc/selinux/dummy/policy
40mkdir -p /etc/selinux/dummy/contexts/files
41
42echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
43echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
44echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
45cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
46client * user_u:base_r:base_t:s0
47property * user_u:object_r:base_t:s0
48extension * user_u:object_r:base_t:s0
49selection * user_u:object_r:base_t:s0
50event * user_u:object_r:base_t:s0
51EOF
52touch /etc/selinux/dummy/contexts/virtual_domain_context
53touch /etc/selinux/dummy/contexts/virtual_image_context
54
55cp file_contexts /etc/selinux/dummy/contexts/files
56cp dbus_contexts /etc/selinux/dummy/contexts
57cp policy.$VERS /etc/selinux/dummy/policy
58FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
59
60if [ ! -d /etc/selinux ]; then
61	mkdir -p /etc/selinux
62fi
63if [ -f /etc/selinux/config ]; then
64    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
65    mv /etc/selinux/config /etc/selinux/config.bak
66fi
67echo "Creating new /etc/selinux/config for dummy policy."
68cat > /etc/selinux/config << EOF
69SELINUX=permissive
70SELINUXTYPE=dummy
71EOF
72
73cd /etc/selinux/dummy/contexts/files
74$SF -F file_contexts /
75
76mounts=`cat /proc/$$/mounts | \
77	grep -E "ext[234]|jfs|xfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
78	awk '{ print $2 '}`
79$SF -F file_contexts $mounts
80
81echo "-F" > /.autorelabel