selinux: add support for installing a dummy policy (v2)
[linux-2.6.git] / scripts / selinux / install_policy.sh
1 #!/bin/sh
2 if [ `id -u` -ne 0 ]; then
3         echo "$0: must be root to install the selinux policy"
4         exit 1
5 fi
6 SF=`which setfiles`
7 if [ $? -eq 1 ]; then
8         if [ -f /sbin/setfiles ]; then
9                 SF="/usr/setfiles"
10         else
11                 echo "no selinux tools installed: setfiles"
12                 exit 1
13         fi
14 fi
15
16 cd mdp
17
18 CP=`which checkpolicy`
19 VERS=`$CP -V | awk '{print $1}'`
20
21 ./mdp policy.conf file_contexts
22 $CP -o policy.$VERS policy.conf
23
24 mkdir -p /etc/selinux/dummy/policy
25 mkdir -p /etc/selinux/dummy/contexts/files
26
27 cp file_contexts /etc/selinux/dummy/contexts/files
28 cp dbus_contexts /etc/selinux/dummy/contexts
29 cp policy.$VERS /etc/selinux/dummy/policy
30 FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
31
32 if [ ! -d /etc/selinux ]; then
33         mkdir -p /etc/selinux
34 fi
35 if [ ! -f /etc/selinux/config ]; then
36         cat > /etc/selinux/config << EOF
37 SELINUX=enforcing
38 SELINUXTYPE=dummy
39 EOF
40 else
41         TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
42         if [ "eq$TYPE" != "eqdummy" ]; then
43                 selinuxenabled
44                 if [ $? -eq 0 ]; then
45                         echo "SELinux already enabled with a non-dummy policy."
46                         echo "Exiting.  Please install policy by hand if that"
47                         echo "is what you REALLY want."
48                         exit 1
49                 fi
50                 mv /etc/selinux/config /etc/selinux/config.mdpbak
51                 grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
52                 echo "SELINUXTYPE=dummy" >> /etc/selinux/config
53         fi
54 fi
55
56 cd /etc/selinux/dummy/contexts/files
57 $SF file_contexts /
58
59 mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
60 $SF file_contexts $mounts
61
62
63 dodev=`cat /proc/$$/mounts | grep "/dev "`
64 if [ "eq$dodev" != "eq" ]; then
65         mount --move /dev /mnt
66         $SF file_contexts /dev
67         mount --move /mnt /dev
68 fi
69