diff options
Diffstat (limited to 'scripts/selinux')
-rw-r--r-- | scripts/selinux/Makefile | 2 | ||||
-rw-r--r-- | scripts/selinux/README | 2 | ||||
-rw-r--r-- | scripts/selinux/install_policy.sh | 69 | ||||
-rw-r--r-- | scripts/selinux/mdp/Makefile | 5 | ||||
-rw-r--r-- | scripts/selinux/mdp/dbus_contexts | 6 | ||||
-rw-r--r-- | scripts/selinux/mdp/mdp.c | 242 |
6 files changed, 326 insertions, 0 deletions
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile new file mode 100644 index 000000000000..ca4b1ec01822 --- /dev/null +++ b/scripts/selinux/Makefile | |||
@@ -0,0 +1,2 @@ | |||
1 | subdir-y := mdp | ||
2 | subdir- += mdp | ||
diff --git a/scripts/selinux/README b/scripts/selinux/README new file mode 100644 index 000000000000..a936315ba2c8 --- /dev/null +++ b/scripts/selinux/README | |||
@@ -0,0 +1,2 @@ | |||
1 | Please see Documentation/SELinux.txt for information on | ||
2 | installing a dummy SELinux policy. | ||
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh new file mode 100644 index 000000000000..7b9ccf61f8f9 --- /dev/null +++ b/scripts/selinux/install_policy.sh | |||
@@ -0,0 +1,69 @@ | |||
1 | #!/bin/sh | ||
2 | if [ `id -u` -ne 0 ]; then | ||
3 | echo "$0: must be root to install the selinux policy" | ||
4 | exit 1 | ||
5 | fi | ||
6 | SF=`which setfiles` | ||
7 | if [ $? -eq 1 ]; then | ||
8 | if [ -f /sbin/setfiles ]; then | ||
9 | SF="/usr/setfiles" | ||
10 | else | ||
11 | echo "no selinux tools installed: setfiles" | ||
12 | exit 1 | ||
13 | fi | ||
14 | fi | ||
15 | |||
16 | cd mdp | ||
17 | |||
18 | CP=`which checkpolicy` | ||
19 | VERS=`$CP -V | awk '{print $1}'` | ||
20 | |||
21 | ./mdp policy.conf file_contexts | ||
22 | $CP -o policy.$VERS policy.conf | ||
23 | |||
24 | mkdir -p /etc/selinux/dummy/policy | ||
25 | mkdir -p /etc/selinux/dummy/contexts/files | ||
26 | |||
27 | cp file_contexts /etc/selinux/dummy/contexts/files | ||
28 | cp dbus_contexts /etc/selinux/dummy/contexts | ||
29 | cp policy.$VERS /etc/selinux/dummy/policy | ||
30 | FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts | ||
31 | |||
32 | if [ ! -d /etc/selinux ]; then | ||
33 | mkdir -p /etc/selinux | ||
34 | fi | ||
35 | if [ ! -f /etc/selinux/config ]; then | ||
36 | cat > /etc/selinux/config << EOF | ||
37 | SELINUX=enforcing | ||
38 | SELINUXTYPE=dummy | ||
39 | EOF | ||
40 | else | ||
41 | TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}` | ||
42 | if [ "eq$TYPE" != "eqdummy" ]; then | ||
43 | selinuxenabled | ||
44 | if [ $? -eq 0 ]; then | ||
45 | echo "SELinux already enabled with a non-dummy policy." | ||
46 | echo "Exiting. Please install policy by hand if that" | ||
47 | echo "is what you REALLY want." | ||
48 | exit 1 | ||
49 | fi | ||
50 | mv /etc/selinux/config /etc/selinux/config.mdpbak | ||
51 | grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config | ||
52 | echo "SELINUXTYPE=dummy" >> /etc/selinux/config | ||
53 | fi | ||
54 | fi | ||
55 | |||
56 | cd /etc/selinux/dummy/contexts/files | ||
57 | $SF file_contexts / | ||
58 | |||
59 | mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}` | ||
60 | $SF file_contexts $mounts | ||
61 | |||
62 | |||
63 | dodev=`cat /proc/$$/mounts | grep "/dev "` | ||
64 | if [ "eq$dodev" != "eq" ]; then | ||
65 | mount --move /dev /mnt | ||
66 | $SF file_contexts /dev | ||
67 | mount --move /mnt /dev | ||
68 | fi | ||
69 | |||
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile new file mode 100644 index 000000000000..eb365b333441 --- /dev/null +++ b/scripts/selinux/mdp/Makefile | |||
@@ -0,0 +1,5 @@ | |||
1 | hostprogs-y := mdp | ||
2 | HOST_EXTRACFLAGS += -Isecurity/selinux/include | ||
3 | |||
4 | always := $(hostprogs-y) | ||
5 | clean-files := $(hostprogs-y) policy.* file_contexts | ||
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts new file mode 100644 index 000000000000..116e684f9fc1 --- /dev/null +++ b/scripts/selinux/mdp/dbus_contexts | |||
@@ -0,0 +1,6 @@ | |||
1 | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" | ||
2 | "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> | ||
3 | <busconfig> | ||
4 | <selinux> | ||
5 | </selinux> | ||
6 | </busconfig> | ||
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c new file mode 100644 index 000000000000..ca757d486187 --- /dev/null +++ b/scripts/selinux/mdp/mdp.c | |||
@@ -0,0 +1,242 @@ | |||
1 | /* | ||
2 | * | ||
3 | * mdp - make dummy policy | ||
4 | * | ||
5 | * When pointed at a kernel tree, builds a dummy policy for that kernel | ||
6 | * with exactly one type with full rights to itself. | ||
7 | * | ||
8 | * This program is free software; you can redistribute it and/or modify | ||
9 | * it under the terms of the GNU General Public License as published by | ||
10 | * the Free Software Foundation; either version 2 of the License, or | ||
11 | * (at your option) any later version. | ||
12 | * | ||
13 | * This program is distributed in the hope that it will be useful, | ||
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
16 | * GNU General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU General Public License | ||
19 | * along with this program; if not, write to the Free Software | ||
20 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
21 | * | ||
22 | * Copyright (C) IBM Corporation, 2006 | ||
23 | * | ||
24 | * Authors: Serge E. Hallyn <serue@us.ibm.com> | ||
25 | */ | ||
26 | |||
27 | #include <stdio.h> | ||
28 | #include <stdlib.h> | ||
29 | #include <unistd.h> | ||
30 | #include <string.h> | ||
31 | |||
32 | #include "flask.h" | ||
33 | |||
34 | void usage(char *name) | ||
35 | { | ||
36 | printf("usage: %s [-m] policy_file context_file\n", name); | ||
37 | exit(1); | ||
38 | } | ||
39 | |||
40 | void find_common_name(char *cname, char *dest, int len) | ||
41 | { | ||
42 | char *start, *end; | ||
43 | |||
44 | start = strchr(cname, '_')+1; | ||
45 | end = strchr(start, '_'); | ||
46 | if (!start || !end || start-cname > len || end-start > len) { | ||
47 | printf("Error with commons defines\n"); | ||
48 | exit(1); | ||
49 | } | ||
50 | strncpy(dest, start, end-start); | ||
51 | dest[end-start] = '\0'; | ||
52 | } | ||
53 | |||
54 | #define S_(x) x, | ||
55 | static char *classlist[] = { | ||
56 | #include "class_to_string.h" | ||
57 | NULL | ||
58 | }; | ||
59 | #undef S_ | ||
60 | |||
61 | #include "initial_sid_to_string.h" | ||
62 | |||
63 | #define TB_(x) char *x[] = { | ||
64 | #define TE_(x) NULL }; | ||
65 | #define S_(x) x, | ||
66 | #include "common_perm_to_string.h" | ||
67 | #undef TB_ | ||
68 | #undef TE_ | ||
69 | #undef S_ | ||
70 | |||
71 | struct common { | ||
72 | char *cname; | ||
73 | char **perms; | ||
74 | }; | ||
75 | struct common common[] = { | ||
76 | #define TB_(x) { #x, x }, | ||
77 | #define S_(x) | ||
78 | #define TE_(x) | ||
79 | #include "common_perm_to_string.h" | ||
80 | #undef TB_ | ||
81 | #undef TE_ | ||
82 | #undef S_ | ||
83 | }; | ||
84 | |||
85 | #define S_(x, y, z) {x, #y}, | ||
86 | struct av_inherit { | ||
87 | int class; | ||
88 | char *common; | ||
89 | }; | ||
90 | struct av_inherit av_inherit[] = { | ||
91 | #include "av_inherit.h" | ||
92 | }; | ||
93 | #undef S_ | ||
94 | |||
95 | #include "av_permissions.h" | ||
96 | #define S_(x, y, z) {x, y, z}, | ||
97 | struct av_perms { | ||
98 | int class; | ||
99 | int perm_i; | ||
100 | char *perm_s; | ||
101 | }; | ||
102 | struct av_perms av_perms[] = { | ||
103 | #include "av_perm_to_string.h" | ||
104 | }; | ||
105 | #undef S_ | ||
106 | |||
107 | int main(int argc, char *argv[]) | ||
108 | { | ||
109 | int i, j, mls = 0; | ||
110 | char **arg, *polout, *ctxout; | ||
111 | int classlist_len, initial_sid_to_string_len; | ||
112 | FILE *fout; | ||
113 | |||
114 | if (argc < 3) | ||
115 | usage(argv[0]); | ||
116 | arg = argv+1; | ||
117 | if (argc==4 && strcmp(argv[1], "-m") == 0) { | ||
118 | mls = 1; | ||
119 | arg++; | ||
120 | } | ||
121 | polout = *arg++; | ||
122 | ctxout = *arg; | ||
123 | |||
124 | fout = fopen(polout, "w"); | ||
125 | if (!fout) { | ||
126 | printf("Could not open %s for writing\n", polout); | ||
127 | usage(argv[0]); | ||
128 | } | ||
129 | |||
130 | classlist_len = sizeof(classlist) / sizeof(char *); | ||
131 | /* print out the classes */ | ||
132 | for (i=1; i < classlist_len; i++) { | ||
133 | if(classlist[i]) | ||
134 | fprintf(fout, "class %s\n", classlist[i]); | ||
135 | else | ||
136 | fprintf(fout, "class user%d\n", i); | ||
137 | } | ||
138 | fprintf(fout, "\n"); | ||
139 | |||
140 | initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); | ||
141 | /* print out the sids */ | ||
142 | for (i=1; i < initial_sid_to_string_len; i++) | ||
143 | fprintf(fout, "sid %s\n", initial_sid_to_string[i]); | ||
144 | fprintf(fout, "\n"); | ||
145 | |||
146 | /* print out the commons */ | ||
147 | for (i=0; i< sizeof(common)/sizeof(struct common); i++) { | ||
148 | char cname[101]; | ||
149 | find_common_name(common[i].cname, cname, 100); | ||
150 | cname[100] = '\0'; | ||
151 | fprintf(fout, "common %s\n{\n", cname); | ||
152 | for (j=0; common[i].perms[j]; j++) | ||
153 | fprintf(fout, "\t%s\n", common[i].perms[j]); | ||
154 | fprintf(fout, "}\n\n"); | ||
155 | } | ||
156 | fprintf(fout, "\n"); | ||
157 | |||
158 | /* print out the class permissions */ | ||
159 | for (i=1; i < classlist_len; i++) { | ||
160 | if (classlist[i]) { | ||
161 | int firstperm = -1, numperms = 0; | ||
162 | |||
163 | fprintf(fout, "class %s\n", classlist[i]); | ||
164 | /* does it inherit from a common? */ | ||
165 | for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++) | ||
166 | if (av_inherit[j].class == i) | ||
167 | fprintf(fout, "inherits %s\n", av_inherit[j].common); | ||
168 | |||
169 | for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) { | ||
170 | if (av_perms[j].class == i) { | ||
171 | if (firstperm == -1) | ||
172 | firstperm = j; | ||
173 | numperms++; | ||
174 | } | ||
175 | } | ||
176 | if (!numperms) { | ||
177 | fprintf(fout, "\n"); | ||
178 | continue; | ||
179 | } | ||
180 | |||
181 | fprintf(fout, "{\n"); | ||
182 | /* print out the av_perms */ | ||
183 | for (j=0; j < numperms; j++) { | ||
184 | fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s); | ||
185 | } | ||
186 | fprintf(fout, "}\n\n"); | ||
187 | } | ||
188 | } | ||
189 | fprintf(fout, "\n"); | ||
190 | |||
191 | /* NOW PRINT OUT MLS STUFF */ | ||
192 | if (mls) { | ||
193 | printf("MLS not yet implemented\n"); | ||
194 | exit(1); | ||
195 | } | ||
196 | |||
197 | /* types, roles, and allows */ | ||
198 | fprintf(fout, "type base_t;\n"); | ||
199 | fprintf(fout, "role base_r types { base_t };\n"); | ||
200 | for (i=1; i < classlist_len; i++) { | ||
201 | if (classlist[i]) | ||
202 | fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]); | ||
203 | else | ||
204 | fprintf(fout, "allow base_t base_t:user%d *;\n", i); | ||
205 | } | ||
206 | fprintf(fout, "user user_u roles { base_r };\n"); | ||
207 | fprintf(fout, "\n"); | ||
208 | |||
209 | /* default sids */ | ||
210 | for (i=1; i < initial_sid_to_string_len; i++) | ||
211 | fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]); | ||
212 | fprintf(fout, "\n"); | ||
213 | |||
214 | |||
215 | fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n"); | ||
216 | fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n"); | ||
217 | fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n"); | ||
218 | fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n"); | ||
219 | fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n"); | ||
220 | |||
221 | fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n"); | ||
222 | fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n"); | ||
223 | |||
224 | fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); | ||
225 | fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); | ||
226 | fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n"); | ||
227 | |||
228 | fprintf(fout, "genfscon proc / user_u:base_r:base_t\n"); | ||
229 | |||
230 | fclose(fout); | ||
231 | |||
232 | fout = fopen(ctxout, "w"); | ||
233 | if (!fout) { | ||
234 | printf("Wrote policy, but cannot open %s for writing\n", ctxout); | ||
235 | usage(argv[0]); | ||
236 | } | ||
237 | fprintf(fout, "/ user_u:base_r:base_t\n"); | ||
238 | fprintf(fout, "/.* user_u:base_r:base_t\n"); | ||
239 | fclose(fout); | ||
240 | |||
241 | return 0; | ||
242 | } | ||