selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] scripts/selinux: modernize mdp
@ 2019-02-20 12:33 Dominick Grift
  2019-02-20 14:09 ` Dominick Grift
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Dominick Grift @ 2019-02-20 12:33 UTC (permalink / raw)
  To: selinux; +Cc: Dominick Grift

The MDP example no longer works on modern systems.

Add support for devtmpfs. This is required by login programs to relabel terminals.
Compile the policy with deny_unknown allow status to anticipate user space object managers in core components such as systemd.
Add default seusers mapping and failsafe context for the SELinux PAM module.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 scripts/selinux/install_policy.sh | 6 +++++-
 scripts/selinux/mdp/mdp.c         | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..334fcf8903d5 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -20,14 +20,18 @@ CP=`which checkpolicy`
 VERS=`$CP -V | awk '{print $1}'`
 
 ./mdp policy.conf file_contexts
-$CP -o policy.$VERS policy.conf
+$CP -U allow -o policy.$VERS policy.conf
 
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
 
+echo "__default__:user_u" > /etc/selinux/dummy/seusers
+echo "base_r:base_t" > /etc/selinux/dummy/contexts/failsafe_context
+
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
+
 FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 
 if [ ! -d /etc/selinux ]; then
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 073fe7537f6c..cf06d5694cbc 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -131,6 +131,7 @@ int main(int argc, char *argv[])
 
 	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_trans devtmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-- 
2.21.0.rc1


^ permalink raw reply related	[flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-02-20 20:25 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-20 12:33 [PATCH] scripts/selinux: modernize mdp Dominick Grift
2019-02-20 14:09 ` Dominick Grift
2019-02-20 14:47   ` Dominick Grift
2019-02-20 19:21     ` Stephen Smalley
2019-02-20 19:25       ` Stephen Smalley
2019-02-20 19:35         ` Dominick Grift
2019-02-20 15:19 ` [PATCH v2] " Dominick Grift
2019-02-20 15:34 ` [PATCH v3] " Dominick Grift
2019-02-20 19:34   ` Stephen Smalley
2019-02-20 19:36     ` Dominick Grift
2019-02-20 20:25     ` Dominick Grift

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).