In August 2006 I posted a patch to the selinux list generating a minimal
SELinux policy. This week, David P. Quigley posted an updated version
of that as a patch against the kernel. In addition to some fixes, also
had nice logic for auto-installing the policy.
I've gone ahead and hooked it into the kernel Makefile logic. The way I
have it here, doing 'make scripts' ends up compiling 'mdp', after which
you must
cd scripts/selinux
sh install_policy.sh
That isn't as nice as being able to do
make selinux_install
the way David had it, but it avoids mucking with the top-level
Makefile. Which is preferred?
In any case, this seems like a good thing to have in the kernel
tree, to facilitate simple selinux boot tests.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
======================================================================
For those interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
======================================================================
(then a few versions later...):
======================================================================
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
======================================================================
Signed-off-by: Serge Hallyn <[email protected]>
---
scripts/Makefile | 1 +
scripts/selinux/Makefile | 1 +
scripts/selinux/install_policy.sh | 49 ++++++++
scripts/selinux/mdp/Makefile | 4 +
scripts/selinux/mdp/dbus_contexts | 6 +
scripts/selinux/mdp/mdp.c | 242 +++++++++++++++++++++++++++++++++++++
6 files changed, 303 insertions(+), 0 deletions(-)
create mode 100644 scripts/selinux/Makefile
create mode 100644 scripts/selinux/install_policy.sh
create mode 100644 scripts/selinux/mdp/Makefile
create mode 100644 scripts/selinux/mdp/dbus_contexts
create mode 100644 scripts/selinux/mdp/mdp.c
diff --git a/scripts/Makefile b/scripts/Makefile
index 1c73c5a..0741e9e 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -20,6 +20,7 @@ hostprogs-y += unifdef
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-y += mod
+subdir-$(CONFIG_SECURITY_SELINUX) += selinux
# Let clean descend into subdirs
subdir- += basic kconfig package
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
new file mode 100644
index 0000000..5660bb8
--- /dev/null
+++ b/scripts/selinux/Makefile
@@ -0,0 +1 @@
+subdir-y := mdp
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100644
index 0000000..4b64642
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ if [ -f /usr/sbin/setfiles ]; then
+ SF="/usr/sbin/setfiles"
+ else
+ echo "no selinux tools installed: setfiles"
+ exit 1
+ fi
+fi
+
+cd mdp
+
+CP=`which checkpolicy`
+./mdp policy.conf file_contexts
+$CP -o policy.`checkpolicy -V | awk '{print $1}'` policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.`checkpolicy -V | awk '{print $1}'` /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+if [ ! -f $FC_FILE ]; then
+ echo "no file contests file. Please run"
+ echo "make selinux_policy_install"
+ exit 1
+fi
+
+cd /etc/selinux/dummy/contexts/files
+$SF file_contexts /
+
+mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print $2 '}`
+for line in $mounts; do
+ $SF file_contexts $line
+done
+
+dodev=`cat /proc/$$/mounts | grep "/dev "`
+if [ "eq$dodev" != "eq" ]; then
+ mount --move /dev /mnt
+ $SF file_contexts /dev
+ mount --move /mnt /dev
+fi
+
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
new file mode 100644
index 0000000..b55b2fe
--- /dev/null
+++ b/scripts/selinux/mdp/Makefile
@@ -0,0 +1,4 @@
+hostprogs-y := mdp
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always := $(hostprogs-y)
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/scripts/selinux/mdp/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
new file mode 100644
index 0000000..e2a73c9
--- /dev/null
+++ b/scripts/selinux/mdp/mdp.c
@@ -0,0 +1,242 @@
+/*
+ *
+ * mdp - make dummy policy
+ *
+ * When pointed at a kernel tree, builds a dummy policy for that kernel
+ * with exactly one type with full rights to itself.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) IBM Corporation, 2006
+ *
+ * Authors: Serge E. Hallyn <[email protected]>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "flask.h"
+
+void usage(char *name)
+{
+ printf("usage: %s [-m] policy_file context_file\n", name);
+ exit(1);
+}
+
+void find_common_name(char *cname, char *dest, int len)
+{
+ char *start, *end;
+
+ start = strchr(cname, '_')+1;
+ end = strchr(start, '_');
+ if (!start || !end || start-cname > len || end-start > len) {
+ printf("Error with commons defines\n");
+ exit(1);
+ }
+ strncpy(dest, start, end-start);
+ dest[end-start] = '\0';
+}
+
+#define S_(x) x,
+static char *classlist[] = {
+#include "class_to_string.h"
+ NULL
+};
+#undef S_
+
+#include "initial_sid_to_string.h"
+
+#define TB_(x) char *x[] = {
+#define TE_(x) NULL };
+#define S_(x) x,
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+
+struct common {
+ char *cname;
+ char **perms;
+};
+struct common common[] = {
+#define TB_(x) { #x, x },
+#define S_(x)
+#define TE_(x)
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+};
+
+#define S_(x, y, z) {x, #y},
+struct av_inherit {
+ int class;
+ char *common;
+};
+struct av_inherit av_inherit[] = {
+#include "av_inherit.h"
+};
+#undef S_
+
+#include "av_permissions.h"
+#define S_(x, y, z) {x, y, z},
+struct av_perms {
+ int class;
+ int perm_i;
+ char *perm_s;
+};
+struct av_perms av_perms[] = {
+#include "av_perm_to_string.h"
+};
+#undef S_
+
+int main(int argc, char *argv[])
+{
+ int i, j, mls = 0;
+ char **arg, *polout, *ctxout;
+ int classlist_len, initial_sid_to_string_len;
+ FILE *fout;
+
+ if (argc < 3)
+ usage(argv[0]);
+ arg = argv+1;
+ if (argc==4 && strcmp(argv[1], "-m") == 0) {
+ mls = 1;
+ arg++;
+ }
+ polout = *arg++;
+ ctxout = *arg;
+
+ fout = fopen(polout, "w");
+ if (!fout) {
+ printf("Could not open %s for writing\n", polout);
+ usage(argv[0]);
+ }
+
+ classlist_len = sizeof(classlist) / sizeof(char *);
+ /* print out the classes */
+ for (i=1; i < classlist_len; i++) {
+ if(classlist[i])
+ fprintf(fout, "class %s\n", classlist[i]);
+ else
+ fprintf(fout, "class user%d\n", i);
+ }
+ fprintf(fout, "\n");
+
+ initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ /* print out the sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+ /* print out the commons */
+ for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
+ char cname[101];
+ find_common_name(common[i].cname, cname, 100);
+ cname[100] = '\0';
+ fprintf(fout, "common %s\n{\n", cname);
+ for (j=0; common[i].perms[j]; j++)
+ fprintf(fout, "\t%s\n", common[i].perms[j]);
+ fprintf(fout, "}\n\n");
+ }
+ fprintf(fout, "\n");
+
+ /* print out the class permissions */
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i]) {
+ int firstperm = -1, numperms = 0;
+
+ fprintf(fout, "class %s\n", classlist[i]);
+ /* does it inherit from a common? */
+ for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
+ if (av_inherit[j].class == i)
+ fprintf(fout, "inherits %s\n", av_inherit[j].common);
+
+ for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
+ if (av_perms[j].class == i) {
+ if (firstperm == -1)
+ firstperm = j;
+ numperms++;
+ }
+ }
+ if (!numperms) {
+ fprintf(fout, "\n");
+ continue;
+ }
+
+ fprintf(fout, "{\n");
+ /* print out the av_perms */
+ for (j=0; j < numperms; j++) {
+ fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
+ }
+ fprintf(fout, "}\n\n");
+ }
+ }
+ fprintf(fout, "\n");
+
+ /* NOW PRINT OUT MLS STUFF */
+ if (mls) {
+ printf("MLS not yet implemented\n");
+ exit(1);
+ }
+
+ /* types, roles, and allows */
+ fprintf(fout, "type base_t;\n");
+ fprintf(fout, "role base_r types { base_t };\n");
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i])
+ fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
+ else
+ fprintf(fout, "allow base_t base_t:user%d *;\n", i);
+ }
+ fprintf(fout, "user user_u roles { base_r };\n");
+ fprintf(fout, "\n");
+
+ /* default sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+
+ fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
+
+ fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+
+ fclose(fout);
+
+ fout = fopen(ctxout, "w");
+ if (!fout) {
+ printf("Wrote policy, but cannot open %s for writing\n", ctxout);
+ usage(argv[0]);
+ }
+ fprintf(fout, "/ user_u:base_r:base_t\n");
+ fprintf(fout, "/.* user_u:base_r:base_t\n");
+ fclose(fout);
+
+ return 0;
+}
--
1.5.4.3
On Fri, 22 Aug 2008, Serge E. Hallyn wrote:
> In August 2006 I posted a patch to the selinux list generating a minimal
> SELinux policy. This week, David P. Quigley posted an updated version
> of that as a patch against the kernel. In addition to some fixes, also
> had nice logic for auto-installing the policy.
>
> I've gone ahead and hooked it into the kernel Makefile logic. The way I
> have it here, doing 'make scripts' ends up compiling 'mdp', after which
> you must
> cd scripts/selinux
> sh install_policy.sh
>
> That isn't as nice as being able to do
> make selinux_install
> the way David had it, but it avoids mucking with the top-level
> Makefile. Which is preferred?
I think leaving out of the top level makefile is preferred, as there are
no other subsystem targets there.
Please make sure 'make distclean' cleans up properly. These are
currently left behind:
# scripts/selinux/mdp/file_contexts
# scripts/selinux/mdp/policy.23
# scripts/selinux/mdp/policy.conf
Please also provide documentation on how to boot the system up with this
policy.
> + echo "no file contests file. Please run"
ITYM contexts :-)
- James
--
James Morris
<[email protected]>
Quoting James Morris ([email protected]):
> On Fri, 22 Aug 2008, Serge E. Hallyn wrote:
>
> > In August 2006 I posted a patch to the selinux list generating a minimal
> > SELinux policy. This week, David P. Quigley posted an updated version
> > of that as a patch against the kernel. In addition to some fixes, also
> > had nice logic for auto-installing the policy.
> >
> > I've gone ahead and hooked it into the kernel Makefile logic. The way I
> > have it here, doing 'make scripts' ends up compiling 'mdp', after which
> > you must
> > cd scripts/selinux
> > sh install_policy.sh
> >
> > That isn't as nice as being able to do
> > make selinux_install
> > the way David had it, but it avoids mucking with the top-level
> > Makefile. Which is preferred?
>
> I think leaving out of the top level makefile is preferred, as there are
> no other subsystem targets there.
>
> Please make sure 'make distclean' cleans up properly. These are
> currently left behind:
Oops, thanks. Updated patched appended.
> # scripts/selinux/mdp/file_contexts
> # scripts/selinux/mdp/policy.23
> # scripts/selinux/mdp/policy.conf
>
> Please also provide documentation on how to boot the system up with this
> policy.
Good point. Where would people who'd want to use this be most
likely to look, in a scripts/selinux/README, or in
Documentation/selinux or Documentation/security/selinux or
somesuch?
> > + echo "no file contests file. Please run"
>
> ITYM contexts :-)
Oops again - that whole block should be removed as it was there
because the contexts file was created in a different step, which
it isn't any more.
thanks,
-serge
>From 04d2ff138858dd997ec521ca6c74493259045bcc Mon Sep 17 00:00:00 2001
From: Serge Hallyn <[email protected]>
Date: Fri, 22 Aug 2008 13:38:13 -0500
Subject: [PATCH 1/1] selinux: add support for installing a dummy policy
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
I've gone ahead and hooked it into the kernel Makefile logic. The way I
have it here, doing 'make scripts' ends up compiling 'mdp', after which
you must
cd scripts/selinux
sh install_policy.sh
That isn't as nice as being able to do
make selinux_install
the way David had it, but it avoids mucking with the top-level
Makefile. Which is preferred?
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <[email protected]>
---
scripts/Makefile | 3 +-
scripts/selinux/Makefile | 2 +
scripts/selinux/install_policy.sh | 44 +++++++
scripts/selinux/mdp/Makefile | 5 +
scripts/selinux/mdp/dbus_contexts | 6 +
scripts/selinux/mdp/mdp.c | 242 +++++++++++++++++++++++++++++++++++++
6 files changed, 301 insertions(+), 1 deletions(-)
create mode 100644 scripts/selinux/Makefile
create mode 100644 scripts/selinux/install_policy.sh
create mode 100644 scripts/selinux/mdp/Makefile
create mode 100644 scripts/selinux/mdp/dbus_contexts
create mode 100644 scripts/selinux/mdp/mdp.c
diff --git a/scripts/Makefile b/scripts/Makefile
index 1c73c5a..aafdf06 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -20,6 +20,7 @@ hostprogs-y += unifdef
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-y += mod
+subdir-$(CONFIG_SECURITY_SELINUX) += selinux
# Let clean descend into subdirs
-subdir- += basic kconfig package
+subdir- += basic kconfig package selinux
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
new file mode 100644
index 0000000..ca4b1ec
--- /dev/null
+++ b/scripts/selinux/Makefile
@@ -0,0 +1,2 @@
+subdir-y := mdp
+subdir- += mdp
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
new file mode 100644
index 0000000..4280069
--- /dev/null
+++ b/scripts/selinux/install_policy.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+if [ `id -u` -ne 0 ]; then
+ echo "$0: must be root to install the selinux policy"
+ exit 1
+fi
+SF=`which setfiles`
+if [ $? -eq 1 ]; then
+ if [ -f /usr/sbin/setfiles ]; then
+ SF="/usr/sbin/setfiles"
+ else
+ echo "no selinux tools installed: setfiles"
+ exit 1
+ fi
+fi
+
+cd mdp
+
+CP=`which checkpolicy`
+./mdp policy.conf file_contexts
+$CP -o policy.`checkpolicy -V | awk '{print $1}'` policy.conf
+
+mkdir -p /etc/selinux/dummy/policy
+mkdir -p /etc/selinux/dummy/contexts/files
+
+cp file_contexts /etc/selinux/dummy/contexts/files
+cp dbus_contexts /etc/selinux/dummy/contexts
+cp policy.`checkpolicy -V | awk '{print $1}'` /etc/selinux/dummy/policy
+FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
+
+cd /etc/selinux/dummy/contexts/files
+$SF file_contexts /
+
+mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print $2 '}`
+for line in $mounts; do
+ $SF file_contexts $line
+done
+
+dodev=`cat /proc/$$/mounts | grep "/dev "`
+if [ "eq$dodev" != "eq" ]; then
+ mount --move /dev /mnt
+ $SF file_contexts /dev
+ mount --move /mnt /dev
+fi
+
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
new file mode 100644
index 0000000..eb365b3
--- /dev/null
+++ b/scripts/selinux/mdp/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y := mdp
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always := $(hostprogs-y)
+clean-files := $(hostprogs-y) policy.* file_contexts
diff --git a/scripts/selinux/mdp/dbus_contexts b/scripts/selinux/mdp/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/scripts/selinux/mdp/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
new file mode 100644
index 0000000..e2a73c9
--- /dev/null
+++ b/scripts/selinux/mdp/mdp.c
@@ -0,0 +1,242 @@
+/*
+ *
+ * mdp - make dummy policy
+ *
+ * When pointed at a kernel tree, builds a dummy policy for that kernel
+ * with exactly one type with full rights to itself.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) IBM Corporation, 2006
+ *
+ * Authors: Serge E. Hallyn <[email protected]>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "flask.h"
+
+void usage(char *name)
+{
+ printf("usage: %s [-m] policy_file context_file\n", name);
+ exit(1);
+}
+
+void find_common_name(char *cname, char *dest, int len)
+{
+ char *start, *end;
+
+ start = strchr(cname, '_')+1;
+ end = strchr(start, '_');
+ if (!start || !end || start-cname > len || end-start > len) {
+ printf("Error with commons defines\n");
+ exit(1);
+ }
+ strncpy(dest, start, end-start);
+ dest[end-start] = '\0';
+}
+
+#define S_(x) x,
+static char *classlist[] = {
+#include "class_to_string.h"
+ NULL
+};
+#undef S_
+
+#include "initial_sid_to_string.h"
+
+#define TB_(x) char *x[] = {
+#define TE_(x) NULL };
+#define S_(x) x,
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+
+struct common {
+ char *cname;
+ char **perms;
+};
+struct common common[] = {
+#define TB_(x) { #x, x },
+#define S_(x)
+#define TE_(x)
+#include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+};
+
+#define S_(x, y, z) {x, #y},
+struct av_inherit {
+ int class;
+ char *common;
+};
+struct av_inherit av_inherit[] = {
+#include "av_inherit.h"
+};
+#undef S_
+
+#include "av_permissions.h"
+#define S_(x, y, z) {x, y, z},
+struct av_perms {
+ int class;
+ int perm_i;
+ char *perm_s;
+};
+struct av_perms av_perms[] = {
+#include "av_perm_to_string.h"
+};
+#undef S_
+
+int main(int argc, char *argv[])
+{
+ int i, j, mls = 0;
+ char **arg, *polout, *ctxout;
+ int classlist_len, initial_sid_to_string_len;
+ FILE *fout;
+
+ if (argc < 3)
+ usage(argv[0]);
+ arg = argv+1;
+ if (argc==4 && strcmp(argv[1], "-m") == 0) {
+ mls = 1;
+ arg++;
+ }
+ polout = *arg++;
+ ctxout = *arg;
+
+ fout = fopen(polout, "w");
+ if (!fout) {
+ printf("Could not open %s for writing\n", polout);
+ usage(argv[0]);
+ }
+
+ classlist_len = sizeof(classlist) / sizeof(char *);
+ /* print out the classes */
+ for (i=1; i < classlist_len; i++) {
+ if(classlist[i])
+ fprintf(fout, "class %s\n", classlist[i]);
+ else
+ fprintf(fout, "class user%d\n", i);
+ }
+ fprintf(fout, "\n");
+
+ initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
+ /* print out the sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+ /* print out the commons */
+ for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
+ char cname[101];
+ find_common_name(common[i].cname, cname, 100);
+ cname[100] = '\0';
+ fprintf(fout, "common %s\n{\n", cname);
+ for (j=0; common[i].perms[j]; j++)
+ fprintf(fout, "\t%s\n", common[i].perms[j]);
+ fprintf(fout, "}\n\n");
+ }
+ fprintf(fout, "\n");
+
+ /* print out the class permissions */
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i]) {
+ int firstperm = -1, numperms = 0;
+
+ fprintf(fout, "class %s\n", classlist[i]);
+ /* does it inherit from a common? */
+ for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
+ if (av_inherit[j].class == i)
+ fprintf(fout, "inherits %s\n", av_inherit[j].common);
+
+ for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
+ if (av_perms[j].class == i) {
+ if (firstperm == -1)
+ firstperm = j;
+ numperms++;
+ }
+ }
+ if (!numperms) {
+ fprintf(fout, "\n");
+ continue;
+ }
+
+ fprintf(fout, "{\n");
+ /* print out the av_perms */
+ for (j=0; j < numperms; j++) {
+ fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
+ }
+ fprintf(fout, "}\n\n");
+ }
+ }
+ fprintf(fout, "\n");
+
+ /* NOW PRINT OUT MLS STUFF */
+ if (mls) {
+ printf("MLS not yet implemented\n");
+ exit(1);
+ }
+
+ /* types, roles, and allows */
+ fprintf(fout, "type base_t;\n");
+ fprintf(fout, "role base_r types { base_t };\n");
+ for (i=1; i < classlist_len; i++) {
+ if (classlist[i])
+ fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
+ else
+ fprintf(fout, "allow base_t base_t:user%d *;\n", i);
+ }
+ fprintf(fout, "user user_u roles { base_r };\n");
+ fprintf(fout, "\n");
+
+ /* default sids */
+ for (i=1; i < initial_sid_to_string_len; i++)
+ fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+ fprintf(fout, "\n");
+
+
+ fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+
+ fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
+ fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
+
+ fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+
+ fclose(fout);
+
+ fout = fopen(ctxout, "w");
+ if (!fout) {
+ printf("Wrote policy, but cannot open %s for writing\n", ctxout);
+ usage(argv[0]);
+ }
+ fprintf(fout, "/ user_u:base_r:base_t\n");
+ fprintf(fout, "/.* user_u:base_r:base_t\n");
+ fclose(fout);
+
+ return 0;
+}
--
1.5.4.3
On Fri, 22 Aug 2008, Serge E. Hallyn wrote:
> Good point. Where would people who'd want to use this be most
> likely to look, in a scripts/selinux/README, or in
> Documentation/selinux or Documentation/security/selinux or
> somesuch?
There's Smack documentation under Documentation/, so perhaps next to that,
with a pointer to it in scripts/selinux/README.
- James
--
James Morris
<[email protected]>
On Fri, 2008-08-22 at 21:38 -0500, Serge E. Hallyn wrote:
> --- /dev/null
> +++ b/scripts/selinux/install_policy.sh
> @@ -0,0 +1,44 @@
> +#!/bin/sh
> +if [ `id -u` -ne 0 ]; then
> + echo "$0: must be root to install the selinux policy"
> + exit 1
> +fi
> +SF=`which setfiles`
> +if [ $? -eq 1 ]; then
> + if [ -f /usr/sbin/setfiles ]; then
> + SF="/usr/sbin/setfiles"
/sbin/setfiles on modern Fedora releases.
> + else
> + echo "no selinux tools installed: setfiles"
> + exit 1
> + fi
> +fi
> +
> +cd mdp
> +
> +CP=`which checkpolicy`
> +./mdp policy.conf file_contexts
> +$CP -o policy.`checkpolicy -V | awk '{print $1}'` policy.conf
Save version to a variable and reuse below.
> +
> +mkdir -p /etc/selinux/dummy/policy
> +mkdir -p /etc/selinux/dummy/contexts/files
> +
> +cp file_contexts /etc/selinux/dummy/contexts/files
> +cp dbus_contexts /etc/selinux/dummy/contexts
> +cp policy.`checkpolicy -V | awk '{print $1}'` /etc/selinux/dummy/policy
> +FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
> +
> +cd /etc/selinux/dummy/contexts/files
> +$SF file_contexts /
> +
> +mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print $2 '}`
ext4, ext4dev, gfs2 too.
See /sbin/fixfiles for an example. Or run it.
> +for line in $mounts; do
> + $SF file_contexts $line
> +done
You can pass them all to setfiles at once; it takes a list of mount
points after the file_contexts file. Or run fixfiles instead as it does
much the same.
However, I don't believe this step will work if you are doing this on an
existing SELinux-enabled system - the kernel will check the contexts
upon setxattr against the active policy and reject them, and you haven't
loaded the new policy yet. Also, this is a "destructive" operation,
i.e. if they were running SELinux before, they are hereby clobbering all
their file labels. Possibly you should bail out if selinuxenabled
(utility that can be used as a boolean in shell conditionals).
if /usr/sbin/selinuxenabled; then
echo"SELinux already enabled with a policy loaded; exiting."
exit 1
fi
> +
> +dodev=`cat /proc/$$/mounts | grep "/dev "`
> +if [ "eq$dodev" != "eq" ]; then
> + mount --move /dev /mnt
> + $SF file_contexts /dev
> + mount --move /mnt /dev
> +fi
Not sure what you are doing here. If /dev is udev-managed, then it will
handle labeling at boot. But it still shows up as a tmpfs mount
in /proc/self/mounts.
Where do you set up /etc/selinux/config to refer to this dummy policy so
it will get loaded at boot?
--
Stephen Smalley
National Security Agency
On Mon, 2008-08-25 at 19:12 +1000, James Morris wrote:
> On Fri, 22 Aug 2008, Serge E. Hallyn wrote:
>
> > Good point. Where would people who'd want to use this be most
> > likely to look, in a scripts/selinux/README, or in
> > Documentation/selinux or Documentation/security/selinux or
> > somesuch?
>
> There's Smack documentation under Documentation/, so perhaps next to that,
> with a pointer to it in scripts/selinux/README.
In that case, we really ought to have a general introduction to SELinux
there first, and then include description of this dummy policy and a
pointer to the reference policy as part of that text.
--
Stephen Smalley
National Security Agency
On Fri, 2008-08-22 at 14:34 -0500, Serge E. Hallyn wrote:
> In August 2006 I posted a patch to the selinux list generating a minimal
> SELinux policy. This week, David P. Quigley posted an updated version
> of that as a patch against the kernel. In addition to some fixes, also
> had nice logic for auto-installing the policy.
>
> I've gone ahead and hooked it into the kernel Makefile logic. The way I
> have it here, doing 'make scripts' ends up compiling 'mdp', after which
> you must
> cd scripts/selinux
> sh install_policy.sh
>
> That isn't as nice as being able to do
> make selinux_install
> the way David had it, but it avoids mucking with the top-level
> Makefile. Which is preferred?
>
> In any case, this seems like a good thing to have in the kernel
> tree, to facilitate simple selinux boot tests.
>
> Following is David's original patch intro (preserved especially
> bc it has stats on the generated policies):
>
> ======================================================================
> For those interested in the changes there were only two significant
> changes. The first is that the iteration through the list of classes
> used NULL as a sentinel value. The problem with this is that the
> class_to_string array actually has NULL entries in its table as place
> holders for the user space object classes.
>
> The second change was that it would seem at some point the initial sids
> table was NULL terminated. This is no longer the case so that iteration
> has to be done on array length instead of looking for NULL.
>
> Some statistics on the policy that it generates:
>
> The policy consists of 523 lines which contain no blank lines. Of those
> 523 lines 453 of them are class, permission, and initial sid
> definitions. These lines are usually little to no concern to the policy
> developer since they will not be adding object classes or permissions.
> Of the remaining 70 lines there is one type, one role, and one user
> statement. The remaining lines are broken into three portions. The first
> group are TE allow rules which make up 29 of the remaining lines, the
> second is assignment of labels to the initial sids which consist of 27
> lines, and file system labeling statements which are the remaining 11.
>
> In addition to the policy.conf generated there is a single file_contexts
> file containing two lines which labels the entire system with base_t.
>
> This policy generates a policy.23 binary that is 7920 bytes.
> ======================================================================
> (then a few versions later...):
> ======================================================================
> The new policy is 587 lines (stripped of blank lines) with 476 of those
> lines being the boilerplate that I mentioned last time. The remaining
> 111 lines have the 3 lines for type, user, and role, 70 lines for the
> allow rules (one for each object class including user space object
> classes), 27 lines to assign types to the initial sids, and 11 lines for
> file system labeling. The policy binary is 9194 bytes.
> ======================================================================
>
> Signed-off-by: Serge Hallyn <[email protected]>
[Snip...]
I'm not sure if I have to sign off on this but just in case.
Signed-off-by: David Quigley <[email protected]>
Dave
David P. Quigley wrote:
> On Fri, 2008-08-22 at 14:34 -0500, Serge E. Hallyn wrote:
>> In August 2006 I posted a patch to the selinux list generating a minimal
>> SELinux policy. This week, David P. Quigley posted an updated version
>> of that as a patch against the kernel. In addition to some fixes, also
>> had nice logic for auto-installing the policy.
>>
>> I've gone ahead and hooked it into the kernel Makefile logic. The way I
>> have it here, doing 'make scripts' ends up compiling 'mdp', after which
>> you must
>> cd scripts/selinux
>> sh install_policy.sh
>>
>> That isn't as nice as being able to do
>> make selinux_install
>> the way David had it, but it avoids mucking with the top-level
>> Makefile. Which is preferred?
>>
>> In any case, this seems like a good thing to have in the kernel
>> tree, to facilitate simple selinux boot tests.
>>
>> Following is David's original patch intro (preserved especially
>> bc it has stats on the generated policies):
>>
>> ======================================================================
>> For those interested in the changes there were only two significant
>> changes. The first is that the iteration through the list of classes
>> used NULL as a sentinel value. The problem with this is that the
>> class_to_string array actually has NULL entries in its table as place
>> holders for the user space object classes.
>>
>> The second change was that it would seem at some point the initial sids
>> table was NULL terminated. This is no longer the case so that iteration
>> has to be done on array length instead of looking for NULL.
>>
>> Some statistics on the policy that it generates:
>>
>> The policy consists of 523 lines which contain no blank lines. Of those
>> 523 lines 453 of them are class, permission, and initial sid
>> definitions. These lines are usually little to no concern to the policy
>> developer since they will not be adding object classes or permissions.
>> Of the remaining 70 lines there is one type, one role, and one user
>> statement. The remaining lines are broken into three portions. The first
>> group are TE allow rules which make up 29 of the remaining lines, the
>> second is assignment of labels to the initial sids which consist of 27
>> lines, and file system labeling statements which are the remaining 11.
>>
>> In addition to the policy.conf generated there is a single file_contexts
>> file containing two lines which labels the entire system with base_t.
>>
>> This policy generates a policy.23 binary that is 7920 bytes.
>> ======================================================================
>> (then a few versions later...):
>> ======================================================================
>> The new policy is 587 lines (stripped of blank lines) with 476 of those
>> lines being the boilerplate that I mentioned last time. The remaining
>> 111 lines have the 3 lines for type, user, and role, 70 lines for the
>> allow rules (one for each object class including user space object
>> classes), 27 lines to assign types to the initial sids, and 11 lines for
>> file system labeling. The policy binary is 9194 bytes.
>> ======================================================================
>>
>> Signed-off-by: Serge Hallyn <[email protected]>
>
> [Snip...]
>
> I'm not sure if I have to sign off on this but just in case.
>
> Signed-off-by: David Quigley <[email protected]>
>
> Dave
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to [email protected] with
> the words "unsubscribe selinux" without quotes as the message.
How easy would it be to go from this dummy policy to a policy that
confined only one application? IE If I wanted to pull in the bind
policy, what would be needed.
This is a question that often comes up. I don't want anything confined
except this one app?
I would figure syslog would be a problem right off, others?
On Tue, 2008-08-26 at 11:04 -0400, Daniel J Walsh wrote:
> David P. Quigley wrote:
> > On Fri, 2008-08-22 at 14:34 -0500, Serge E. Hallyn wrote:
> >> In August 2006 I posted a patch to the selinux list generating a minimal
> >> SELinux policy. This week, David P. Quigley posted an updated version
> >> of that as a patch against the kernel. In addition to some fixes, also
> >> had nice logic for auto-installing the policy.
> >>
> >> I've gone ahead and hooked it into the kernel Makefile logic. The way I
> >> have it here, doing 'make scripts' ends up compiling 'mdp', after which
> >> you must
> >> cd scripts/selinux
> >> sh install_policy.sh
> >>
> >> That isn't as nice as being able to do
> >> make selinux_install
> >> the way David had it, but it avoids mucking with the top-level
> >> Makefile. Which is preferred?
> >>
> >> In any case, this seems like a good thing to have in the kernel
> >> tree, to facilitate simple selinux boot tests.
> >>
> >> Following is David's original patch intro (preserved especially
> >> bc it has stats on the generated policies):
> >>
> >> ======================================================================
> >> For those interested in the changes there were only two significant
> >> changes. The first is that the iteration through the list of classes
> >> used NULL as a sentinel value. The problem with this is that the
> >> class_to_string array actually has NULL entries in its table as place
> >> holders for the user space object classes.
> >>
> >> The second change was that it would seem at some point the initial sids
> >> table was NULL terminated. This is no longer the case so that iteration
> >> has to be done on array length instead of looking for NULL.
> >>
> >> Some statistics on the policy that it generates:
> >>
> >> The policy consists of 523 lines which contain no blank lines. Of those
> >> 523 lines 453 of them are class, permission, and initial sid
> >> definitions. These lines are usually little to no concern to the policy
> >> developer since they will not be adding object classes or permissions.
> >> Of the remaining 70 lines there is one type, one role, and one user
> >> statement. The remaining lines are broken into three portions. The first
> >> group are TE allow rules which make up 29 of the remaining lines, the
> >> second is assignment of labels to the initial sids which consist of 27
> >> lines, and file system labeling statements which are the remaining 11.
> >>
> >> In addition to the policy.conf generated there is a single file_contexts
> >> file containing two lines which labels the entire system with base_t.
> >>
> >> This policy generates a policy.23 binary that is 7920 bytes.
> >> ======================================================================
> >> (then a few versions later...):
> >> ======================================================================
> >> The new policy is 587 lines (stripped of blank lines) with 476 of those
> >> lines being the boilerplate that I mentioned last time. The remaining
> >> 111 lines have the 3 lines for type, user, and role, 70 lines for the
> >> allow rules (one for each object class including user space object
> >> classes), 27 lines to assign types to the initial sids, and 11 lines for
> >> file system labeling. The policy binary is 9194 bytes.
> >> ======================================================================
> >>
> >> Signed-off-by: Serge Hallyn <[email protected]>
> >
> > [Snip...]
> >
> > I'm not sure if I have to sign off on this but just in case.
> >
> > Signed-off-by: David Quigley <[email protected]>
> >
> > Dave
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to [email protected] with
> > the words "unsubscribe selinux" without quotes as the message.
> How easy would it be to go from this dummy policy to a policy that
> confined only one application? IE If I wanted to pull in the bind
> policy, what would be needed.
>
> This is a question that often comes up. I don't want anything confined
> except this one app?
>
> I would figure syslog would be a problem right off, others?
I think the answer to this is not very easy at all. If the reason for
having something like this is to use it as a starting point for very
tiny policies I'm not sure how useful it is. For example lets say you
have an application that uses tmp files and they want to have them
labeled in a way that isolates them from base_t. You now need to
label /tmp so you can have your transition rule on your process type and
tmp_t. This means you now need to grant a bunch of permissions on temp_t
for base_t just to maintain the idea that base_t is completely
unconstrained.
This may seem good enough for some people which is why I resurrected
Serge's patch. I think the better idea would be to look at the way
reference policy is structured and see if it is organized properly. It
might be useful for us to be able to say here is an absolute minimum
policy for things we think are key to a Linux system and allow people to
build their application policies on top of that. This would give the
embedded people a much smaller initial footprint for what they need and
reference or fedora policy can be a set of modules on top of this base.
I know we already have this in the form of the base.pp module and a
bunch of other modules on top of it but I don't see how base.pp is
usable without a whole slew of modules.
Dave
Quoting Stephen Smalley ([email protected]):
>
> On Fri, 2008-08-22 at 21:38 -0500, Serge E. Hallyn wrote:
> > --- /dev/null
> > +++ b/scripts/selinux/install_policy.sh
> > @@ -0,0 +1,44 @@
> > +#!/bin/sh
> > +if [ `id -u` -ne 0 ]; then
> > + echo "$0: must be root to install the selinux policy"
> > + exit 1
> > +fi
> > +SF=`which setfiles`
> > +if [ $? -eq 1 ]; then
> > + if [ -f /usr/sbin/setfiles ]; then
> > + SF="/usr/sbin/setfiles"
>
> /sbin/setfiles on modern Fedora releases.
Thanks for reviewing, Stephen.
Changed this to /sbin.
> > + else
> > + echo "no selinux tools installed: setfiles"
> > + exit 1
> > + fi
> > +fi
> > +
> > +cd mdp
> > +
> > +CP=`which checkpolicy`
> > +./mdp policy.conf file_contexts
> > +$CP -o policy.`checkpolicy -V | awk '{print $1}'` policy.conf
>
> Save version to a variable and reuse below.
>
> > +
> > +mkdir -p /etc/selinux/dummy/policy
> > +mkdir -p /etc/selinux/dummy/contexts/files
> > +
> > +cp file_contexts /etc/selinux/dummy/contexts/files
> > +cp dbus_contexts /etc/selinux/dummy/contexts
> > +cp policy.`checkpolicy -V | awk '{print $1}'` /etc/selinux/dummy/policy
> > +FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
> > +
> > +cd /etc/selinux/dummy/contexts/files
> > +$SF file_contexts /
> > +
> > +mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print $2 '}`
>
> ext4, ext4dev, gfs2 too.
> See /sbin/fixfiles for an example. Or run it.
I'm testing a version which uses fixfiles, but it complains about
the fact that selinux is not loaded. Using setfiles seemed
more robust. So I guess I'll go back to that for now. Someone
else can always update it later.
> > +for line in $mounts; do
> > + $SF file_contexts $line
> > +done
>
> You can pass them all to setfiles at once; it takes a list of mount
> points after the file_contexts file. Or run fixfiles instead as it does
> much the same.
>
> However, I don't believe this step will work if you are doing this on an
> existing SELinux-enabled system - the kernel will check the contexts
> upon setxattr against the active policy and reject them, and you haven't
> loaded the new policy yet. Also, this is a "destructive" operation,
> i.e. if they were running SELinux before, they are hereby clobbering all
> their file labels. Possibly you should bail out if selinuxenabled
> (utility that can be used as a boolean in shell conditionals).
> if /usr/sbin/selinuxenabled; then
> echo"SELinux already enabled with a policy loaded; exiting."
> exit 1
> fi
Done in my new version (which I'll send out once I re-create
it using setfiles again), along with most of your other
suggestions.
> > +
> > +dodev=`cat /proc/$$/mounts | grep "/dev "`
> > +if [ "eq$dodev" != "eq" ]; then
> > + mount --move /dev /mnt
> > + $SF file_contexts /dev
> > + mount --move /mnt /dev
> > +fi
>
> Not sure what you are doing here. If /dev is udev-managed, then it will
This (like the whole file) came from David, but nevertheless it's
something I've had to do many times to get a system booted. Maybe the
new fedora initrd way of enabling selinux changes that, but it would
still be needed for older distros.
> handle labeling at boot. But it still shows up as a tmpfs mount
> in /proc/self/mounts.
>
> Where do you set up /etc/selinux/config to refer to this dummy policy so
> it will get loaded at boot?
I was going to just explain how to do it in the documentation, but went
ahead and modified install_policy.sh to do it.
New version coming soon.
thanks,
-serge