Diffstat (limited to 'scripts/selinux/install_policy.sh')
-rwxr-xr-x | scripts/selinux/install_policy.sh | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100755
index 0000000000..24086793b0
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+set -e
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ echo "Could not find setfiles"
+ echo "Do you have policycoreutils installed?"
+ exit 1
+fi
+
+CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+ echo "Could not find checkpolicy"
+ echo "Do you have checkpolicy installed?"
+ exit 1
+fi
+VERS=`$CP -V | awk '{print $1}'`
+
+ENABLED=`which selinuxenabled`
+if [ $? -eq 1 ]; then
+ echo "Could not find selinuxenabled"
+ echo "Do you have libselinux-utils installed?"
+ exit 1
+fi
+
+if selinuxenabled; then
+ echo "SELinux is already enabled"
+ echo "This prevents safely relabeling all files."
+ echo "Boot with selinux=0 on the kernel command-line."
+ exit 1
+fi
+
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.$VERS /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+
+if [ ! -d /etc/selinux ]; then
+ mkdir -p /etc/selinux
+fi
+if [ -f /etc/selinux/config ]; then
+ echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
+ mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
+SELINUXTYPE=dummy
+EOF
+
+cd /etc/selinux/dummy/contexts/files
+$SF -F file_contexts /
+
+mounts=`cat /proc/$$/mounts | \
+ grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+ awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+
+echo "-F" > /.autorelabel |
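Review bot: The "Could not find setfiles / checkpolicy / selinuxenabled" branches are unreachable: the script runs under `set -e` (third line of the hunk), and when the command substitution in an assignment such as `SF=\`which setfiles\`` fails, the assignment itself carries that non-zero status, so the shell exits before `if [ $? -eq 1 ]` is ever evaluated and the user never sees the hint about which package to install. Folding the check into the assignment fixes this and also stops depending on `which` returning exactly 1: `SF=$(command -v setfiles) || { echo "Could not find setfiles" >&2; echo "Do you have policycoreutils installed?" >&2; exit 1; }`, with the same shape for `CP` and for the `selinuxenabled` lookup. Two smaller points: `ENABLED` and `FC_FILE` are assigned but never read, and `$SF -F file_contexts $mounts` relies on word-splitting an unquoted variable, so a mount point whose name contains whitespace or glob characters would presumably not reach setfiles intact; a `while read` loop over the filtered `/proc/self/mounts` lines would be more robust.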