移去rt

hc

2023-12-08 01573e231f18eb2d99162747186f59511f56b64d

 kernel/scripts/selinux/install_policy.sh
..
..
@@ -1,29 +1,60 @@
1
1
 #!/bin/sh
2
2
 # SPDX-License-Identifier: GPL-2.0
3
+set -e
3
4
 if [ `id -u` -ne 0 ]; then
4
5
 	echo "$0: must be root to install the selinux policy"
5
6
 	exit 1
6
7
 fi
8
+
7
9
 SF=`which setfiles`
8
10
 if [ $? -eq 1 ]; then
9
-	if [ -f /sbin/setfiles ]; then
10
-		SF="/usr/setfiles"
11
-	else
12
-		echo "no selinux tools installed: setfiles"
13
-		exit 1
14
-	fi
11
+	echo "Could not find setfiles"
12
+	echo "Do you have policycoreutils installed?"
13
+	exit 1
14
+fi
15
+
16
+CP=`which checkpolicy`
17
+if [ $? -eq 1 ]; then
18
+	echo "Could not find checkpolicy"
19
+	echo "Do you have checkpolicy installed?"
20
+	exit 1
21
+fi
22
+VERS=`$CP -V | awk '{print $1}'`
23
+
24
+ENABLED=`which selinuxenabled`
25
+if [ $? -eq 1 ]; then
26
+	echo "Could not find selinuxenabled"
27
+	echo "Do you have libselinux-utils installed?"
28
+	exit 1
29
+fi
30
+
31
+if selinuxenabled; then
32
+    echo "SELinux is already enabled"
33
+    echo "This prevents safely relabeling all files."
34
+    echo "Boot with selinux=0 on the kernel command-line or"
35
+    echo "SELINUX=disabled in /etc/selinux/config."
36
+    exit 1
15
37
 fi
16
38
 
17
39
 cd mdp
18
-
19
-CP=`which checkpolicy`
20
-VERS=`$CP -V | awk '{print $1}'`
21
-
22
-./mdp policy.conf file_contexts
23
-$CP -o policy.$VERS policy.conf
40
+./mdp -m policy.conf file_contexts
41
+$CP -U allow -M -o policy.$VERS policy.conf
24
42
 
25
43
 mkdir -p /etc/selinux/dummy/policy
26
44
 mkdir -p /etc/selinux/dummy/contexts/files
45
+
46
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
47
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
48
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
49
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
50
+client * user_u:base_r:base_t:s0
51
+property * user_u:object_r:base_t:s0
52
+extension * user_u:object_r:base_t:s0
53
+selection * user_u:object_r:base_t:s0
54
+event * user_u:object_r:base_t:s0
55
+EOF
56
+touch /etc/selinux/dummy/contexts/virtual_domain_context
57
+touch /etc/selinux/dummy/contexts/virtual_image_context
27
58
 
28
59
 cp file_contexts /etc/selinux/dummy/contexts/files
29
60
 cp dbus_contexts /etc/selinux/dummy/contexts
..
..
@@ -33,37 +64,22 @@
33
64
 if [ ! -d /etc/selinux ]; then
34
65
 	mkdir -p /etc/selinux
35
66
 fi
36
-if [ ! -f /etc/selinux/config ]; then
37
-	cat > /etc/selinux/config << EOF
38
-SELINUX=enforcing
67
+if [ -f /etc/selinux/config ]; then
68
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
69
+    mv /etc/selinux/config /etc/selinux/config.bak
70
+fi
71
+echo "Creating new /etc/selinux/config for dummy policy."
72
+cat > /etc/selinux/config << EOF
73
+SELINUX=permissive
39
74
 SELINUXTYPE=dummy
40
75
 EOF
41
-else
42
-	TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
43
-	if [ "eq$TYPE" != "eqdummy" ]; then
44
-		selinuxenabled
45
-		if [ $? -eq 0 ]; then
46
-			echo "SELinux already enabled with a non-dummy policy."
47
-			echo "Exiting.  Please install policy by hand if that"
48
-			echo "is what you REALLY want."
49
-			exit 1
50
-		fi
51
-		mv /etc/selinux/config /etc/selinux/config.mdpbak
52
-		grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
53
-		echo "SELINUXTYPE=dummy" >> /etc/selinux/config
54
-	fi
55
-fi
56
76
 
57
77
 cd /etc/selinux/dummy/contexts/files
58
-$SF file_contexts /
78
+$SF -F file_contexts /
59
79
 
60
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
61
-$SF file_contexts $mounts
80
+mounts=`cat /proc/$$/mounts | \
81
+	grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
82
+	awk '{ print $2 '}`
83
+$SF -F file_contexts $mounts
62
84
 
63
-
64
-dodev=`cat /proc/$$/mounts | grep "/dev "`
65
-if [ "eq$dodev" != "eq" ]; then
66
-	mount --move /dev /mnt
67
-	$SF file_contexts /dev
68
-	mount --move /mnt /dev
69
-fi
85
+echo "-F" > /.autorelabel