On Fri, 2008-08-22 at 21:38 -0500, Serge E. Hallyn wrote:
quoted text
> --- /dev/null
> +++ b/scripts/selinux/install_policy.sh
> @@ -0,0 +1,44 @@
> +#!/bin/sh
> +if [ `id -u` -ne 0 ]; then
> +	echo "__PLACEHOLDER__0_: must be root to install the selinux policy"
> +	exit 1
> +fi
> +SF=`which setfiles`
> +if [ $? -eq 1 ]; then
> +	if [ -f /usr/sbin/setfiles ]; then
> +		SF="/usr/sbin/setfiles"

/sbin/setfiles on modern Fedora releases.

quoted text
> +	else
> +		echo "no selinux tools installed: setfiles"
> +		exit 1
> +	fi
> +fi
> +
> +cd mdp
> +
> +CP=`which checkpolicy`
> +./mdp policy.conf file_contexts
> +$CP -o policy.`checkpolicy -V | awk '{print }'` policy.conf

Save version to a variable and reuse below.

quoted text
> +
> +mkdir -p /etc/selinux/dummy/policy
> +mkdir -p /etc/selinux/dummy/contexts/files
> +
> +cp file_contexts /etc/selinux/dummy/contexts/files
> +cp dbus_contexts /etc/selinux/dummy/contexts
> +cp policy.`checkpolicy -V | awk '{print }'` /etc/selinux/dummy/policy
> +FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
> +
> +cd /etc/selinux/dummy/contexts/files
> +$SF file_contexts /
> +
> +mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print  '}`

ext4, ext4dev, gfs2 too.
See /sbin/fixfiles for an example.  Or run it.

quoted text
> +for line in $mounts; do
> +	$SF file_contexts $line
> +done

You can pass them all to setfiles at once; it takes a list of mount
points after the file_contexts file. Or run fixfiles instead as it does
much the same.

However, I don't believe this step will work if you are doing this on an
existing SELinux-enabled system - the kernel will check the contexts
upon setxattr against the active policy and reject them, and you haven't
loaded the new policy yet.  Also, this is a "destructive" operation,
i.e. if they were running SELinux before, they are hereby clobbering all
their file labels.  Possibly you should bail out if selinuxenabled
(utility that can be used as a boolean in shell conditionals).
if /usr/sbin/selinuxenabled; then
	echo"SELinux already enabled with a policy loaded; exiting."
	exit 1
fi

quoted text
> +
> +dodev=`cat /proc/$$/mounts | grep "/dev "`
> +if [ "eq$dodev" != "eq" ]; then
> +	mount --move /dev /mnt
> +	$SF file_contexts /dev
> +	mount --move /mnt /dev
> +fi

Not sure what you are doing here.  If /dev is udev-managed, then it will
handle labeling at boot.  But it still shows up as a tmpfs mount
in /proc/self/mounts.

Where do you set up /etc/selinux/config to refer to this dummy policy so
it will get loaded at boot?

-- 
Stephen Smalley
National Security Agency

--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/