[PATCH] scripts/selinux: modernize mdp

From: Dominick Grift <dominick.grift@defensec.nl>
To: selinux@vger.kernel.org
Cc: Dominick Grift <dominick.grift@defensec.nl>
Subject: [PATCH] scripts/selinux: modernize mdp
Date: Wed, 20 Feb 2019 13:33:54 +0100	[thread overview]
Message-ID: <20190220123354.1589-1-dominick.grift@defensec.nl> (raw)

The MDP example no longer works on modern systems.

Add support for devtmpfs. This is required by login programs to relabel terminals.
Compile the policy with deny_unknown allow status to anticipate user space object managers in core components such as systemd.
Add default seusers mapping and failsafe context for the SELinux PAM module.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 scripts/selinux/install_policy.sh | 6 +++++-
 scripts/selinux/mdp/mdp.c         | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..334fcf8903d5 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -20,14 +20,18 @@ CP=`which checkpolicy`
 VERS=`$CP -V | awk '{print $1}'`
 
 ./mdp policy.conf file_contexts
-$CP -o policy.$VERS policy.conf
+$CP -U allow -o policy.$VERS policy.conf
 
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
 
+echo "__default__:user_u" > /etc/selinux/dummy/seusers
+echo "base_r:base_t" > /etc/selinux/dummy/contexts/failsafe_context
+
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
+
 FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 
 if [ ! -d /etc/selinux ]; then
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 073fe7537f6c..cf06d5694cbc 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -131,6 +131,7 @@ int main(int argc, char *argv[])
 
 	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_trans devtmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-- 
2.21.0.rc1

