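#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Build the dummy SELinux policy with mdp, install it under
# /etc/selinux/dummy, write an /etc/selinux/config that selects it, and
# relabel the mounted filesystems.
#
# Requirements: run as root, with SELinux disabled, from the directory that
# contains the built mdp/ subdirectory.
#
# Security notes for whoever runs or packages this:
#  - "cd mdp" and "./mdp" are resolved against the current working directory
#    and the binary is then executed as root. Only run this from a source
#    tree you trust and control.
#  - The policy is compiled with "-U allow" (unknown permissions are allowed)
#    and the generated config sets SELINUX=permissive, so denials are logged
#    rather than enforced. This is a test policy, not a hardening step.
#  - An existing /etc/selinux/config is moved to config.bak; a previous
#    config.bak is replaced by that move.
set -e

if [ "$(id -u)" -ne 0 ]; then
	echo "$0: must be root to install the selinux policy"
	exit 1
fi

# Tool lookups are done inside the "if" condition on purpose: under "set -e"
# a bare failing assignment (VAR=`which tool`) aborts the script before a
# following "$?" test can run, so the hints below would never be printed.
if ! SF=$(command -v setfiles); then
	echo "Could not find setfiles"
	echo "Do you have policycoreutils installed?"
	exit 1
fi

if ! CP=$(command -v checkpolicy); then
	echo "Could not find checkpolicy"
	echo "Do you have checkpolicy installed?"
	exit 1
fi

# First field of "checkpolicy -V" is used as the policy file suffix.
VERS=$("$CP" -V | awk '{print $1}')
if [ -z "$VERS" ]; then
	# The pipeline's status is awk's, so a failing checkpolicy would
	# otherwise go unnoticed and produce a file named "policy.".
	echo "Could not determine policy version from $CP -V"
	exit 1
fi

if ! ENABLED=$(command -v selinuxenabled); then
	echo "Could not find selinuxenabled"
	echo "Do you have libselinux-utils installed?"
	exit 1
fi

if "$ENABLED"; then
	echo "SELinux is already enabled"
	echo "This prevents safely relabeling all files."
	echo "Boot with selinux=0 on the kernel command-line or"
	echo "SELINUX=disabled in /etc/selinux/config."
	exit 1
fi

# Generate and compile the policy inside ./mdp (relative to the cwd).
cd mdp
./mdp -m policy.conf file_contexts
"$CP" -U allow -M -o "policy.$VERS" policy.conf

mkdir -p /etc/selinux/dummy/policy
mkdir -p /etc/selinux/dummy/contexts/files

echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
client * user_u:base_r:base_t:s0
property * user_u:object_r:base_t:s0
extension * user_u:object_r:base_t:s0
selection * user_u:object_r:base_t:s0
event * user_u:object_r:base_t:s0
EOF
touch /etc/selinux/dummy/contexts/virtual_domain_context
touch /etc/selinux/dummy/contexts/virtual_image_context

cp file_contexts /etc/selinux/dummy/contexts/files
cp dbus_contexts /etc/selinux/dummy/contexts
cp "policy.$VERS" /etc/selinux/dummy/policy
FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts

mkdir -p /etc/selinux
if [ -f /etc/selinux/config ]; then
	echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
	mv /etc/selinux/config /etc/selinux/config.bak
fi
echo "Creating new /etc/selinux/config for dummy policy."
cat > /etc/selinux/config << EOF
SELINUX=permissive
SELINUXTYPE=dummy
EOF

# Relabel the root filesystem first, then every other mount whose
# /proc/$$/mounts line matches one of the listed filesystem names.
cd /etc/selinux/dummy/contexts/files
"$SF" -F file_contexts /

mounts=$(grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" "/proc/$$/mounts" | \
	awk '{ print $2 }')
if [ -n "$mounts" ]; then
	# Word splitting is intended here: one mount point per argument.
	# Skipping the call when nothing matched avoids invoking setfiles
	# without a pathname and aborting before /.autorelabel is written.
	# shellcheck disable=SC2086
	"$SF" -F file_contexts $mounts
fi

printf '%s\n' "-F" > /.autorelabel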