aboutsummaryrefslogtreecommitdiffstats
path: root/scripts/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/selinux')
-rw-r--r--scripts/selinux/Makefile2
-rw-r--r--scripts/selinux/README2
-rw-r--r--scripts/selinux/install_policy.sh69
-rw-r--r--scripts/selinux/mdp/Makefile5
-rw-r--r--scripts/selinux/mdp/dbus_contexts6
-rw-r--r--scripts/selinux/mdp/mdp.c242
6 files changed, 326 insertions, 0 deletions
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
new file mode 100644
index 000000000000..ca4b1ec01822
--- /dev/null
+++ b/scripts/selinux/Makefile
@@ -0,0 +1,2 @@
1subdir-y := mdp
2subdir- += mdp
diff --git a/scripts/selinux/README b/scripts/selinux/README
new file mode 100644
index 000000000000..a936315ba2c8
--- /dev/null
+++ b/scripts/selinux/README
@@ -0,0 +1,2 @@
1Please see Documentation/SELinux.txt for information on
2installing a dummy SELinux policy.
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100644
index 000000000000..7b9ccf61f8f9
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,69 @@
1#!/bin/sh
2if [ `id -u` -ne 0 ]; then
3 echo "$0: must be root to install the selinux policy"
4 exit 1
5fi
6SF=`which setfiles`
7if [ $? -eq 1 ]; then
8 if [ -f /sbin/setfiles ]; then
9 SF="/usr/setfiles"
10 else
11 echo "no selinux tools installed: setfiles"
12 exit 1
13 fi
14fi
15
16cd mdp
17
18CP=`which checkpolicy`
19VERS=`$CP -V | awk '{print $1}'`
20
21./mdp policy.conf file_contexts
22$CP -o policy.$VERS policy.conf
23
24mkdir -p /etc/selinux/dummy/policy
25mkdir -p /etc/selinux/dummy/contexts/files
26
27cp file_contexts /etc/selinux/dummy/contexts/files
28cp dbus_contexts /etc/selinux/dummy/contexts
29cp policy.$VERS /etc/selinux/dummy/policy
30FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
31
32if [ ! -d /etc/selinux ]; then
33 mkdir -p /etc/selinux
34fi
35if [ ! -f /etc/selinux/config ]; then
36 cat > /etc/selinux/config << EOF
37SELINUX=enforcing
38SELINUXTYPE=dummy
39EOF
40else
41 TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
42 if [ "eq$TYPE" != "eqdummy" ]; then
43 selinuxenabled
44 if [ $? -eq 0 ]; then
45 echo "SELinux already enabled with a non-dummy policy."
46 echo "Exiting. Please install policy by hand if that"
47 echo "is what you REALLY want."
48 exit 1
49 fi
50 mv /etc/selinux/config /etc/selinux/config.mdpbak
51 grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
52 echo "SELINUXTYPE=dummy" >> /etc/selinux/config
53 fi
54fi
55
56cd /etc/selinux/dummy/contexts/files
57$SF file_contexts /
58
59mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
60$SF file_contexts $mounts
61
62
63dodev=`cat /proc/$$/mounts | grep "/dev "`
64if [ "eq$dodev" != "eq" ]; then
65 mount --move /dev /mnt
66 $SF file_contexts /dev
67 mount --move /mnt /dev
68fi
69
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
new file mode 100644
index 000000000000..eb365b333441
--- /dev/null
+++ b/scripts/selinux/mdp/Makefile
@@ -0,0 +1,5 @@
1hostprogs-y := mdp
2HOST_EXTRACFLAGS += -Isecurity/selinux/include
3
4always := $(hostprogs-y)
5clean-files := $(hostprogs-y) policy.* file_contexts
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts
new file mode 100644
index 000000000000..116e684f9fc1
--- /dev/null
+++ b/scripts/selinux/mdp/dbus_contexts
@@ -0,0 +1,6 @@
1<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
2 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
3<busconfig>
4 <selinux>
5 </selinux>
6</busconfig>
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
new file mode 100644
index 000000000000..ca757d486187
--- /dev/null
+++ b/scripts/selinux/mdp/mdp.c
@@ -0,0 +1,242 @@
1/*
2 *
3 * mdp - make dummy policy
4 *
5 * When pointed at a kernel tree, builds a dummy policy for that kernel
6 * with exactly one type with full rights to itself.
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 *
22 * Copyright (C) IBM Corporation, 2006
23 *
24 * Authors: Serge E. Hallyn <serue@us.ibm.com>
25 */
26
27#include <stdio.h>
28#include <stdlib.h>
29#include <unistd.h>
30#include <string.h>
31
32#include "flask.h"
33
34void usage(char *name)
35{
36 printf("usage: %s [-m] policy_file context_file\n", name);
37 exit(1);
38}
39
40void find_common_name(char *cname, char *dest, int len)
41{
42 char *start, *end;
43
44 start = strchr(cname, '_')+1;
45 end = strchr(start, '_');
46 if (!start || !end || start-cname > len || end-start > len) {
47 printf("Error with commons defines\n");
48 exit(1);
49 }
50 strncpy(dest, start, end-start);
51 dest[end-start] = '\0';
52}
53
54#define S_(x) x,
55static char *classlist[] = {
56#include "class_to_string.h"
57 NULL
58};
59#undef S_
60
61#include "initial_sid_to_string.h"
62
63#define TB_(x) char *x[] = {
64#define TE_(x) NULL };
65#define S_(x) x,
66#include "common_perm_to_string.h"
67#undef TB_
68#undef TE_
69#undef S_
70
71struct common {
72 char *cname;
73 char **perms;
74};
75struct common common[] = {
76#define TB_(x) { #x, x },
77#define S_(x)
78#define TE_(x)
79#include "common_perm_to_string.h"
80#undef TB_
81#undef TE_
82#undef S_
83};
84
85#define S_(x, y, z) {x, #y},
86struct av_inherit {
87 int class;
88 char *common;
89};
90struct av_inherit av_inherit[] = {
91#include "av_inherit.h"
92};
93#undef S_
94
95#include "av_permissions.h"
96#define S_(x, y, z) {x, y, z},
97struct av_perms {
98 int class;
99 int perm_i;
100 char *perm_s;
101};
102struct av_perms av_perms[] = {
103#include "av_perm_to_string.h"
104};
105#undef S_
106
107int main(int argc, char *argv[])
108{
109 int i, j, mls = 0;
110 char **arg, *polout, *ctxout;
111 int classlist_len, initial_sid_to_string_len;
112 FILE *fout;
113
114 if (argc < 3)
115 usage(argv[0]);
116 arg = argv+1;
117 if (argc==4 && strcmp(argv[1], "-m") == 0) {
118 mls = 1;
119 arg++;
120 }
121 polout = *arg++;
122 ctxout = *arg;
123
124 fout = fopen(polout, "w");
125 if (!fout) {
126 printf("Could not open %s for writing\n", polout);
127 usage(argv[0]);
128 }
129
130 classlist_len = sizeof(classlist) / sizeof(char *);
131 /* print out the classes */
132 for (i=1; i < classlist_len; i++) {
133 if(classlist[i])
134 fprintf(fout, "class %s\n", classlist[i]);
135 else
136 fprintf(fout, "class user%d\n", i);
137 }
138 fprintf(fout, "\n");
139
140 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141 /* print out the sids */
142 for (i=1; i < initial_sid_to_string_len; i++)
143 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144 fprintf(fout, "\n");
145
146 /* print out the commons */
147 for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148 char cname[101];
149 find_common_name(common[i].cname, cname, 100);
150 cname[100] = '\0';
151 fprintf(fout, "common %s\n{\n", cname);
152 for (j=0; common[i].perms[j]; j++)
153 fprintf(fout, "\t%s\n", common[i].perms[j]);
154 fprintf(fout, "}\n\n");
155 }
156 fprintf(fout, "\n");
157
158 /* print out the class permissions */
159 for (i=1; i < classlist_len; i++) {
160 if (classlist[i]) {
161 int firstperm = -1, numperms = 0;
162
163 fprintf(fout, "class %s\n", classlist[i]);
164 /* does it inherit from a common? */
165 for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
166 if (av_inherit[j].class == i)
167 fprintf(fout, "inherits %s\n", av_inherit[j].common);
168
169 for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170 if (av_perms[j].class == i) {
171 if (firstperm == -1)
172 firstperm = j;
173 numperms++;
174 }
175 }
176 if (!numperms) {
177 fprintf(fout, "\n");
178 continue;
179 }
180
181 fprintf(fout, "{\n");
182 /* print out the av_perms */
183 for (j=0; j < numperms; j++) {
184 fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185 }
186 fprintf(fout, "}\n\n");
187 }
188 }
189 fprintf(fout, "\n");
190
191 /* NOW PRINT OUT MLS STUFF */
192 if (mls) {
193 printf("MLS not yet implemented\n");
194 exit(1);
195 }
196
197 /* types, roles, and allows */
198 fprintf(fout, "type base_t;\n");
199 fprintf(fout, "role base_r types { base_t };\n");
200 for (i=1; i < classlist_len; i++) {
201 if (classlist[i])
202 fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
203 else
204 fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205 }
206 fprintf(fout, "user user_u roles { base_r };\n");
207 fprintf(fout, "\n");
208
209 /* default sids */
210 for (i=1; i < initial_sid_to_string_len; i++)
211 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212 fprintf(fout, "\n");
213
214
215 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
217 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
220
221 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223
224 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
225 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227
228 fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
229
230 fclose(fout);
231
232 fout = fopen(ctxout, "w");
233 if (!fout) {
234 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
235 usage(argv[0]);
236 }
237 fprintf(fout, "/ user_u:base_r:base_t\n");
238 fprintf(fout, "/.* user_u:base_r:base_t\n");
239 fclose(fout);
240
241 return 0;
242}