install_policy.sh 2.2 KB

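#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Build the minimal "dummy" SELinux policy with mdp, install it under
# /etc/selinux/dummy and relabel the local filesystems with it.
#
# Effects on the host, all performed below:
#   - /etc/selinux/config is replaced by SELINUX=permissive and
#     SELINUXTYPE=dummy; an existing config is moved to config.bak.
#   - / and every mounted filesystem of a listed type are relabeled
#     with "setfiles -F".
#   - /.autorelabel is written with the content "-F".
#
# Requirements: run as root, with SELinux disabled, from the directory
# that contains mdp/ (the build step uses a relative "cd mdp").
set -e

if [ "$(id -u)" -ne 0 ]; then
	echo "$0: must be root to install the selinux policy" >&2
	exit 1
fi

# Resolve the tools once. "command -v" is the POSIX lookup and does not
# depend on which(1) being installed.
SF=$(command -v setfiles) || {
	echo "Could not find setfiles" >&2
	echo "Do you have policycoreutils installed?" >&2
	exit 1
}

CP=$(command -v checkpolicy) || {
	echo "Could not find checkpolicy" >&2
	echo "Do you have checkpolicy installed?" >&2
	exit 1
}

# The first field of "checkpolicy -V" is used as the suffix of the policy
# file name. Stop here if it is empty rather than installing a file
# named "policy.".
VERS=$("$CP" -V | awk '{print $1}')
if [ -z "$VERS" ]; then
	echo "Could not determine the policy version from $CP -V" >&2
	exit 1
fi

command -v selinuxenabled >/dev/null || {
	echo "Could not find selinuxenabled" >&2
	echo "Do you have libselinux-utils installed?" >&2
	exit 1
}

if selinuxenabled; then
	echo "SELinux is already enabled" >&2
	echo "This prevents safely relabeling all files." >&2
	echo "Boot with selinux=0 on the kernel command-line." >&2
	exit 1
fi

# ./mdp is resolved relative to the current directory and executed as
# root, so the working directory must be the trusted source tree.
cd mdp
./mdp -m policy.conf file_contexts
# -M builds an MLS policy; -U allow makes the policy allow object classes
# and permissions it does not define.
"$CP" -U allow -M -o "policy.$VERS" policy.conf

mkdir -p /etc/selinux/dummy/policy
mkdir -p /etc/selinux/dummy/contexts/files

echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
client * user_u:base_r:base_t:s0
property * user_u:object_r:base_t:s0
extension * user_u:object_r:base_t:s0
selection * user_u:object_r:base_t:s0
event * user_u:object_r:base_t:s0
EOF
touch /etc/selinux/dummy/contexts/virtual_domain_context
touch /etc/selinux/dummy/contexts/virtual_image_context

cp file_contexts /etc/selinux/dummy/contexts/files
cp dbus_contexts /etc/selinux/dummy/contexts
cp "policy.$VERS" /etc/selinux/dummy/policy

# NOTE(review): config.bak is overwritten unconditionally. On a second run
# the file moved here is the dummy config written by the first run, so the
# host's original configuration is no longer kept in config.bak.
if [ -f /etc/selinux/config ]; then
	echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
	mv /etc/selinux/config /etc/selinux/config.bak
fi
echo "Creating new /etc/selinux/config for dummy policy."
cat > /etc/selinux/config << EOF
SELINUX=permissive
SELINUXTYPE=dummy
EOF

cd /etc/selinux/dummy/contexts/files
"$SF" -F file_contexts /

# Select mount points by the filesystem-type column (field 3) only. A
# pattern match over the whole line would also pick up mounts whose device,
# path or options merely contain one of these names.
mounts=$(awk '
	$3 ~ /^(ext[234]|jfs|xfs|jffs2|gfs2|btrfs|f2fs|ocfs2)$/ { print $2 }
' "/proc/$$/mounts")

# With no matching mount, setfiles would be called without a path; / has
# already been relabeled above, so skip the call in that case.
if [ -n "$mounts" ]; then
	# Word splitting is intended: one argument per mount point.
	# shellcheck disable=SC2086
	"$SF" -F file_contexts $mounts
fi

echo "-F" > /.autorelabel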