From patchwork Wed Feb 20 12:33:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dominick Grift X-Patchwork-Id: 10822093 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5F6751575 for ; Wed, 20 Feb 2019 12:43:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 488492E098 for ; Wed, 20 Feb 2019 12:43:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3C5DB2E0B4; Wed, 20 Feb 2019 12:43:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F4B12E0B2 for ; Wed, 20 Feb 2019 12:43:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727613AbfBTMnU (ORCPT ); Wed, 20 Feb 2019 07:43:20 -0500 Received: from dgrift.xs4all.space ([80.100.19.56]:49932 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726469AbfBTMnU (ORCPT ); Wed, 20 Feb 2019 07:43:20 -0500 X-Greylist: delayed 558 seconds by postgrey-1.27 at vger.kernel.org; Wed, 20 Feb 2019 07:43:19 EST Received: from localhost (localhost [127.0.0.1]) by agnus.defensec.nl (Postfix) with ESMTP id B68872E0566; Wed, 20 Feb 2019 13:34:00 +0100 (CET) X-Virus-Scanned: amavisd-new at defensec.nl Received: from agnus.defensec.nl ([127.0.0.1]) by localhost (agnus.defensec.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id hBQYemNEqiup; Wed, 20 Feb 2019 13:34:00 +0100 (CET) Received: from localhost.localdomain (myguest.lan 
[IPv6:2001:985:d55d::ef8]) by agnus.defensec.nl (Postfix) with ESMTPSA id 21E0A2E0165; Wed, 20 Feb 2019 13:34:00 +0100 (CET) From: Dominick Grift To: selinux@vger.kernel.org Cc: Dominick Grift Subject: [PATCH] scripts/selinux: modernize mdp Date: Wed, 20 Feb 2019 13:33:54 +0100 Message-Id: <20190220123354.1589-1-dominick.grift@defensec.nl> X-Mailer: git-send-email 2.21.0.rc1 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The MDP example no longer works on modern systems. Add support for devtmpfs. This is required by login programs to relabel terminals. Compile the policy with deny_unknown allow status to anticipate user space object managers in core components such as systemd. Add default seusers mapping and failsafe context for the SELinux PAM module. Signed-off-by: Dominick Grift --- scripts/selinux/install_policy.sh | 6 +++++- scripts/selinux/mdp/mdp.c | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh index 0b86c47baf7d..334fcf8903d5 100755 --- a/scripts/selinux/install_policy.sh +++ b/scripts/selinux/install_policy.sh @@ -20,14 +20,18 @@ CP=`which checkpolicy` VERS=`$CP -V | awk '{print $1}'` ./mdp policy.conf file_contexts -$CP -o policy.$VERS policy.conf +$CP -U allow -o policy.$VERS policy.conf mkdir -p /etc/selinux/dummy/policy mkdir -p /etc/selinux/dummy/contexts/files +echo "__default__:user_u" > /etc/selinux/dummy/seusers +echo "base_r:base_t" > /etc/selinux/dummy/contexts/failsafe_context + cp file_contexts /etc/selinux/dummy/contexts/files cp dbus_contexts /etc/selinux/dummy/contexts cp policy.$VERS /etc/selinux/dummy/policy + FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts if [ ! -d /etc/selinux ]; then diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 073fe7537f6c..cf06d5694cbc 100644 --- a/scripts/selinux/mdp/mdp.c 
+++ b/scripts/selinux/mdp/mdp.c @@ -131,6 +131,7 @@ int main(int argc, char *argv[]) fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); + fprintf(fout, "fs_use_trans devtmpfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
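Review bot: in the install_policy.sh hunk, the switch to `$CP -U allow -o policy.$VERS policy.conf` makes the kernel permit any object class or permission the dummy policy does not define, which is the intent stated in the commit message but is invisible to anyone reading the script later; add a one-line comment above it (e.g. `# -U allow: permit classes/perms unknown to this policy (userspace object managers)`) so the relaxation is deliberate and visible. The two new `echo` lines rely on `mkdir -p /etc/selinux/dummy/contexts/files` having already run, which holds here, but the script has no `set -e`, so a failed checkpolicy still leaves stale `seusers`/`failsafe_context` files behind; the trailing blank line added after `cp policy.$VERS /etc/selinux/dummy/policy` is an unrelated whitespace change that should be dropped or mentioned in the message.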
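Review bot: the mdp.c hunk adds `fs_use_trans devtmpfs user_u:base_r:base_t;` in the same form as the neighbouring devpts/tmpfs entries, so the generated policy.conf stays consistent, but nothing in the code explains why devtmpfs needs a transition-based labeling rule; a short comment above the fs_use_trans block tying it to the commit message (login programs relabeling terminals under /dev) would stop a later reader from treating it as a stray addition, and the line could be placed next to `devpts` rather than between devpts and hugetlbfs to keep the terminal-related filesystems together.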