summaryrefslogtreecommitdiffstats
path: root/scripts/selinux/install_policy.sh
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/selinux/install_policy.sh')
-rwxr-xr-xscripts/selinux/install_policy.sh84
1 files changed, 84 insertions, 0 deletions
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100755
index 0000000000..24086793b0
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+set -e
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ echo "Could not find setfiles"
+ echo "Do you have policycoreutils installed?"
+ exit 1
+fi
+
+CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+ echo "Could not find checkpolicy"
+ echo "Do you have checkpolicy installed?"
+ exit 1
+fi
+VERS=`$CP -V | awk '{print $1}'`
+
+ENABLED=`which selinuxenabled`
+if [ $? -eq 1 ]; then
+ echo "Could not find selinuxenabled"
+ echo "Do you have libselinux-utils installed?"
+ exit 1
+fi
+
+if selinuxenabled; then
+ echo "SELinux is already enabled"
+ echo "This prevents safely relabeling all files."
+ echo "Boot with selinux=0 on the kernel command-line."
+ exit 1
+fi
+
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.$VERS /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+
+if [ ! -d /etc/selinux ]; then
+ mkdir -p /etc/selinux
+fi
+if [ -f /etc/selinux/config ]; then
+ echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
+ mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
+SELINUXTYPE=dummy
+EOF
+
+cd /etc/selinux/dummy/contexts/files
+$SF -F file_contexts /
+
+mounts=`cat /proc/$$/mounts | \
+ grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+ awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+
+echo "-F" > /.autorelabel