1 files changed, 54 insertions, 38 deletions
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..2dccf141241d 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+set -e
 if [ `id -u` -ne 0 ]; then
        echo "$0: must be root to install the selinux policy"
        exit 1
 fi
 SF=`which setfiles`
 if [ $? -eq 1 ]; then
-        if [ -f /sbin/setfiles ]; then
+        echo "Could not find setfiles"
-                SF="/usr/setfiles"
+        echo "Do you have policycoreutils installed?"
-        else
+        exit 1
-                echo "no selinux tools installed: setfiles"
-                exit 1
-        fi
 fi
-cd mdp
 CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+        echo "Could not find checkpolicy"
+        echo "Do you have checkpolicy installed?"
+        exit 1
+fi
 VERS=`$CP -V | awk '{print $1}'`
-./mdp policy.conf file_contexts
+ENABLED=`which selinuxenabled`
-$CP -o policy.$VERS policy.conf
+if [ $? -eq 1 ]; then
+        echo "Could not find selinuxenabled"
+        echo "Do you have libselinux-utils installed?"
+        exit 1
+fi
+if selinuxenabled; then
+    echo "SELinux is already enabled"
+    echo "This prevents safely relabeling all files."
+    echo "Boot with selinux=0 on the kernel command-line or"
+    echo "SELINUX=disabled in /etc/selinux/config."
+    exit 1
+fi
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 if [ ! -d /etc/selinux ]; then
        mkdir -p /etc/selinux
 fi
-if [ ! -f /etc/selinux/config ]; then
+if [ -f /etc/selinux/config ]; then
-        cat > /etc/selinux/config << EOF
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
-SELINUX=enforcing
+    mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
 SELINUXTYPE=dummy
 EOF
-else
-        TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
-        if [ "eq$TYPE" != "eqdummy" ]; then
-                selinuxenabled
-                if [ $? -eq 0 ]; then
-                        echo "SELinux already enabled with a non-dummy policy."
-                        echo "Exiting.  Please install policy by hand if that"
-                        echo "is what you REALLY want."
-                        exit 1
-                fi
-                mv /etc/selinux/config /etc/selinux/config.mdpbak
-                grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
-                echo "SELINUXTYPE=dummy" >> /etc/selinux/config
-        fi
-fi
 cd /etc/selinux/dummy/contexts/files
-$SF file_contexts /
+$SF -F file_contexts /
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
+mounts=`cat /proc/$$/mounts | \
-$SF file_contexts $mounts
+        egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+        awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+echo "-F" > /.autorelabel
-dodev=`cat /proc/$$/mounts | grep "/dev "`
-if [ "eq$dodev" != "eq" ]; then
-        mount --move /dev /mnt
-        $SF file_contexts /dev
-        mount --move /mnt /dev
-fi

diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh index 0b86c47baf7d..2dccf141241d 100755 --- a/scripts/selinux/install_policy.sh +++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
1	#!/bin/sh	1	#!/bin/sh
2	# SPDX-License-Identifier: GPL-2.0	2	# SPDX-License-Identifier: GPL-2.0
		3	set -e
3	if [ `id -u` -ne 0 ]; then	4	if [ `id -u` -ne 0 ]; then
4	echo "$0: must be root to install the selinux policy"	5	echo "$0: must be root to install the selinux policy"
5	exit 1	6	exit 1
6	fi	7	fi
		8
7	SF=`which setfiles`	9	SF=`which setfiles`
8	if [ $? -eq 1 ]; then	10	if [ $? -eq 1 ]; then
9	if [ -f /sbin/setfiles ]; then	11	echo "Could not find setfiles"
10	SF="/usr/setfiles"	12	echo "Do you have policycoreutils installed?"
11	else	13	exit 1
12	echo "no selinux tools installed: setfiles"
13	exit 1
14	fi
15	fi	14	fi
16		15
17	cd mdp
18
19	CP=`which checkpolicy`	16	CP=`which checkpolicy`
		17	if [ $? -eq 1 ]; then
		18	echo "Could not find checkpolicy"
		19	echo "Do you have checkpolicy installed?"
		20	exit 1
		21	fi
20	VERS=`$CP -V \| awk '{print $1}'`	22	VERS=`$CP -V \| awk '{print $1}'`
21		23
22	./mdp policy.conf file_contexts	24	ENABLED=`which selinuxenabled`
23	$CP -o policy.$VERS policy.conf	25	if [ $? -eq 1 ]; then
		26	echo "Could not find selinuxenabled"
		27	echo "Do you have libselinux-utils installed?"
		28	exit 1
		29	fi
		30
		31	if selinuxenabled; then
		32	echo "SELinux is already enabled"
		33	echo "This prevents safely relabeling all files."
		34	echo "Boot with selinux=0 on the kernel command-line or"
		35	echo "SELINUX=disabled in /etc/selinux/config."
		36	exit 1
		37	fi
		38
		39	cd mdp
		40	./mdp -m policy.conf file_contexts
		41	$CP -U allow -M -o policy.$VERS policy.conf
24		42
25	mkdir -p /etc/selinux/dummy/policy	43	mkdir -p /etc/selinux/dummy/policy
26	mkdir -p /etc/selinux/dummy/contexts/files	44	mkdir -p /etc/selinux/dummy/contexts/files
27		45
		46	echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
		47	echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
		48	echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
		49	cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
		50	client * user_u:base_r:base_t:s0
		51	property * user_u:object_r:base_t:s0
		52	extension * user_u:object_r:base_t:s0
		53	selection * user_u:object_r:base_t:s0
		54	event * user_u:object_r:base_t:s0
		55	EOF
		56	touch /etc/selinux/dummy/contexts/virtual_domain_context
		57	touch /etc/selinux/dummy/contexts/virtual_image_context
		58
28	cp file_contexts /etc/selinux/dummy/contexts/files	59	cp file_contexts /etc/selinux/dummy/contexts/files
29	cp dbus_contexts /etc/selinux/dummy/contexts	60	cp dbus_contexts /etc/selinux/dummy/contexts
30	cp policy.$VERS /etc/selinux/dummy/policy	61	cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
33	if [ ! -d /etc/selinux ]; then	64	if [ ! -d /etc/selinux ]; then
34	mkdir -p /etc/selinux	65	mkdir -p /etc/selinux
35	fi	66	fi
36	if [ ! -f /etc/selinux/config ]; then	67	if [ -f /etc/selinux/config ]; then
37	cat > /etc/selinux/config << EOF	68	echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
38	SELINUX=enforcing	69	mv /etc/selinux/config /etc/selinux/config.bak
		70	fi
		71	echo "Creating new /etc/selinux/config for dummy policy."
		72	cat > /etc/selinux/config << EOF
		73	SELINUX=permissive
39	SELINUXTYPE=dummy	74	SELINUXTYPE=dummy
40	EOF	75	EOF
41	else
42	TYPE=`cat /etc/selinux/config \| grep "^SELINUXTYPE" \| tail -1 \| awk -F= '{ print $2 '}`
43	if [ "eq$TYPE" != "eqdummy" ]; then
44	selinuxenabled
45	if [ $? -eq 0 ]; then
46	echo "SELinux already enabled with a non-dummy policy."
47	echo "Exiting. Please install policy by hand if that"
48	echo "is what you REALLY want."
49	exit 1
50	fi
51	mv /etc/selinux/config /etc/selinux/config.mdpbak
52	grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
53	echo "SELINUXTYPE=dummy" >> /etc/selinux/config
54	fi
55	fi
56		76
57	cd /etc/selinux/dummy/contexts/files	77	cd /etc/selinux/dummy/contexts/files
58	$SF file_contexts /	78	$SF -F file_contexts /
59		79
60	mounts=`cat /proc/$$/mounts \| egrep "ext2\|ext3\|xfs\|jfs\|ext4\|ext4dev\|gfs2" \| awk '{ print $2 '}`	80	mounts=`cat /proc/$$/mounts \| \
61	$SF file_contexts $mounts	81	egrep "ext[234]\|jfs\|xfs\|reiserfs\|jffs2\|gfs2\|btrfs\|f2fs\|ocfs2" \| \
		82	awk '{ print $2 '}`
		83	$SF -F file_contexts $mounts
62		84
63		85	echo "-F" > /.autorelabel
64	dodev=`cat /proc/$$/mounts \| grep "/dev "`
65	if [ "eq$dodev" != "eq" ]; then
66	mount --move /dev /mnt
67	$SF file_contexts /dev
68	mount --move /mnt /dev
69	fi