Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
>
> On Fri, 2008-08-22 at 21:38 -0500, Serge E. Hallyn wrote:
> > --- /dev/null
> > +++ b/scripts/selinux/install_policy.sh
> > @@ -0,0 +1,44 @@
> > +#!/bin/sh
> > +if [ `id -u` -ne 0 ]; then
> > + echo "$0: must be root to install the selinux policy"
> > + exit 1
> > +fi
> > +SF=`which setfiles`
> > +if [ $? -eq 1 ]; then
> > + if [ -f /usr/sbin/setfiles ]; then
> > + SF="/usr/sbin/setfiles"
>
> /sbin/setfiles on modern Fedora releases.
Thanks for reviewing, Stephen.
Changed this to /sbin.
> > + else
> > + echo "no selinux tools installed: setfiles"
> > + exit 1
> > + fi
> > +fi
> > +
> > +cd mdp
> > +
> > +CP=`which checkpolicy`
> > +./mdp policy.conf file_contexts
> > +$CP -o policy.`checkpolicy -V | awk '{print $1}'` policy.conf
>
> Save version to a variable and reuse below.
>
> > +
> > +mkdir -p /etc/selinux/dummy/policy
> > +mkdir -p /etc/selinux/dummy/contexts/files
> > +
> > +cp file_contexts /etc/selinux/dummy/contexts/files
> > +cp dbus_contexts /etc/selinux/dummy/contexts
> > +cp policy.`checkpolicy -V | awk '{print $1}'` /etc/selinux/dummy/policy
> > +FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
> > +
> > +cd /etc/selinux/dummy/contexts/files
> > +$SF file_contexts /
> > +
> > +mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs" | awk '{ print $2 '}`
>
> ext4, ext4dev, gfs2 too.
> See /sbin/fixfiles for an example. Or run it.
I'm testing a version which uses fixfiles, but it complains about
the fact that selinux is not loaded. Using setfiles seemed
more robust. So I guess I'll go back to that for now. Someone
else can always update it later.
> > +for line in $mounts; do
> > + $SF file_contexts $line
> > +done
>
> You can pass them all to setfiles at once; it takes a list of mount
> points after the file_contexts file. Or run fixfiles instead as it does
> much the same.
>
> However, I don't believe this step will work if you are doing this on an
> existing SELinux-enabled system - the kernel will check the contexts
> upon setxattr against the active policy and reject them, and you haven't
> loaded the new policy yet. Also, this is a "destructive" operation,
> i.e. if they were running SELinux before, they are hereby clobbering all
> their file labels. Possibly you should bail out if selinuxenabled
> (utility that can be used as a boolean in shell conditionals).
> if /usr/sbin/selinuxenabled; then
> echo"SELinux already enabled with a policy loaded; exiting."
> exit 1
> fi
Done in my new version (which I'll send out once I re-create
it using setfiles again), along with most of your other
suggestions.
> > +
> > +dodev=`cat /proc/$$/mounts | grep "/dev "`
> > +if [ "eq$dodev" != "eq" ]; then
> > + mount --move /dev /mnt
> > + $SF file_contexts /dev
> > + mount --move /mnt /dev
> > +fi
>
> Not sure what you are doing here. If /dev is udev-managed, then it will
This (like the whole file) came from David, but nevertheless it's
something I've had to do many times to get a system booted. Maybe the
new fedora initrd way of enabling selinux changes that, but it would
still be needed for older distros.
> handle labeling at boot. But it still shows up as a tmpfs mount
> in /proc/self/mounts.
>
> Where do you set up /etc/selinux/config to refer to this dummy policy so
> it will get loaded at boot?
I was going to just explain how to do it in the documentation, but went
ahead and modified install_policy.sh to do it.
New version coming soon.
thanks,
-serge
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
