1#!/bin/sh 2# SPDX-License-Identifier: GPL-2.0 3set -e 4if [ `id -u` -ne 0 ]; then 5 echo "$0: must be root to install the selinux policy" 6 exit 1 7fi 8 9SF=`which setfiles` || { 10 echo "Could not find setfiles" 11 echo "Do you have policycoreutils installed?" 12 exit 1 13} 14 15CP=`which checkpolicy` || { 16 echo "Could not find checkpolicy" 17 echo "Do you have checkpolicy installed?" 18 exit 1 19} 20VERS=`$CP -V | awk '{print $1}'` 21 22ENABLED=`which selinuxenabled` || { 23 echo "Could not find selinuxenabled" 24 echo "Do you have libselinux-utils installed?" 25 exit 1 26} 27 28if selinuxenabled; then 29 echo "SELinux is already enabled" 30 echo "This prevents safely relabeling all files." 31 echo "Boot with selinux=0 on the kernel command-line." 32 exit 1 33fi 34 35cd mdp 36./mdp -m policy.conf file_contexts 37$CP -U allow -M -o policy.$VERS policy.conf 38 39mkdir -p /etc/selinux/dummy/policy 40mkdir -p /etc/selinux/dummy/contexts/files 41 42echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers 43echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context 44echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts 45cat > /etc/selinux/dummy/contexts/x_contexts <<EOF 46client * user_u:base_r:base_t:s0 47property * user_u:object_r:base_t:s0 48extension * user_u:object_r:base_t:s0 49selection * user_u:object_r:base_t:s0 50event * user_u:object_r:base_t:s0 51EOF 52touch /etc/selinux/dummy/contexts/virtual_domain_context 53touch /etc/selinux/dummy/contexts/virtual_image_context 54 55cp file_contexts /etc/selinux/dummy/contexts/files 56cp dbus_contexts /etc/selinux/dummy/contexts 57cp policy.$VERS /etc/selinux/dummy/policy 58FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts 59 60if [ ! -d /etc/selinux ]; then 61 mkdir -p /etc/selinux 62fi 63if [ -f /etc/selinux/config ]; then 64 echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak." 65 mv /etc/selinux/config /etc/selinux/config.bak 66fi 67echo "Creating new /etc/selinux/config for dummy policy." 68cat > /etc/selinux/config << EOF 69SELINUX=permissive 70SELINUXTYPE=dummy 71EOF 72 73cd /etc/selinux/dummy/contexts/files 74$SF -F file_contexts / 75 76mounts=`cat /proc/$$/mounts | \ 77 grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \ 78 awk '{ print $2 '}` 79$SF -F file_contexts $mounts 80 81echo "-F" > /.autorelabel 82