linux/scripts
Stephen Smalley e37c1877ba scripts/selinux: modernize mdp
Derived in part from a patch by Dominick Grift.

The MDP example no longer works on modern systems.  Fix it.
While we are at it, add MLS support and enable it.

NB This still does not work on systems using dbus-daemon instead of
dbus-broker because dbus-daemon does not yet gracefully handle unknown
classes/permissions.  This appears to be a deficiency in libselinux's
selinux_set_mapping() interface and underlying implementation,
which was never fully updated to deal with unknown classes/permissions
unlike the kernel.  The same problem also occurs with XSELinux.
Programs that instead use selinux_check_access() like dbus-broker
should not have this problem.

Changes to mdp:
Add support for devtmpfs, required by modern Linux distributions.
Add MLS support, with sample sensitivities, categories, and constraints.
Generate fs_use and genfscon rules based on kernel configuration.
Update list of filesystem types for fs_use and genfscon rules.
Use object_r for object contexts.

Changes to install_policy.sh:
Bail immediately on any errors.
Provide more helpful error messages when unable to find userspace tools.
Refuse to run if SELinux is already enabled.
Unconditionally move aside /etc/selinux/config and create a new one.
Build policy with -U allow so that userspace object managers do not break.
Build policy with MLS enabled by default.
Create seusers, failsafe_context, and default_contexts for use by
pam_selinux / libselinux.
Create x_contexts for the SELinux X extension.
Create virtual_domain_context and virtual_image_context for libvirtd.
Set to permissive mode rather than enforcing to permit initial autorelabel.
Update the list of filesystem types to be relabeled.
Write -F to /.autorelabel to cause a forced autorelabel on reboot.
Drop broken attempt to relabel the /dev mountpoint directory.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-03-18 18:38:28 -04:00
atomic locking/atomics: Check atomic headers with sha1sum 2019-02-13 08:07:31 +01:00
basic kbuild: simplify dependency generation for CONFIG_TRIM_UNUSED_KSYMS 2018-12-01 23:13:14 +09:00
coccinelle coccinelle: semantic code search for missing put_device() 2019-03-17 12:55:45 +09:00
dtc of: add dtc annotations functionality to dtx_diff 2019-02-28 11:40:48 -06:00
gcc-plugins increased structleak coverage 2019-03-09 09:06:15 -08:00
gdb Kbuild updates for v5.1 2019-03-10 17:48:21 -07:00
genksyms genksyms: remove symbol prefix support 2018-05-17 22:43:35 +09:00
kconfig kconfig: remove stale lxdialog/.gitignore 2019-03-17 15:47:02 +09:00
ksymoops
mod modpost: always show verbose warning for section mismatch 2019-03-14 02:39:09 +09:00
package kbuild: deb-pkg: avoid implicit effects 2019-03-17 12:56:23 +09:00
selinux scripts/selinux: modernize mdp 2019-03-18 18:38:28 -04:00
tracing scripts: Add Python 3 support to tracing/draw_functrace.py 2018-07-29 11:08:38 +09:00
.gitignore scripts: remove unnecessary ihex2fw and check-lc_ctypes from .gitignore 2018-12-22 00:37:52 +09:00
adjust_autoksyms.sh kbuild: source include/config/auto.conf instead of ${KCONFIG_CONFIG} 2019-03-14 02:39:11 +09:00
asn1_compiler.c ASN.1: Remove unnecessary shadowed local variable 2018-10-29 00:19:41 +09:00
bin2c.c kbuild: move bin2c back to scripts/ from scripts/basic/ 2018-07-18 01:18:05 +09:00
bloat-o-meter bloat-o-meter: ignore __addressable_ symbols 2018-12-28 12:11:44 -08:00
bootgraph.pl
bpf_helpers_doc.py bpf: change eBPF helper doc parsing script to allow for smaller indent 2018-05-17 17:34:43 +02:00
cc-can-link.sh bpfilter: check compiler capability in Kconfig 2018-06-28 13:36:39 +09:00
check_extable.sh
checkincludes.pl
checkkconfigsymbols.py
checkpatch.pl A fairly routine cycle for docs - lots of typo fixes, some new documents, 2019-03-09 09:56:17 -08:00
checkstack.pl scripts/checkstack.pl: dynamic stack growth for aarch64 2018-12-28 12:11:44 -08:00
checksyscalls.sh checksyscalls: fix up mq_timedreceive and stat exceptions 2019-02-19 21:27:53 +01:00
checkversion.pl
clang-version.sh kbuild: update comment block of scripts/clang-version.sh 2019-03-04 22:34:54 +09:00
cleanfile
cleanpatch
coccicheck coccicheck: return proper error code on fail 2018-08-14 08:58:56 +09:00
config
conmakehash.c
const_structs.checkpatch
decode_stacktrace.sh scripts/decode_stacktrace.sh: handle RIP address with segment 2019-03-05 21:07:13 -08:00
decodecode scripts/decodecode: set ARCH when running natively on arm/arm64 2018-12-28 12:11:44 -08:00
depmod.sh kbuild: modules_install: warn when missing System.map file 2018-09-09 09:14:07 +09:00
diffconfig
documentation-file-ref-check scripts/documentation-file-ref-check: ignore sched-pelt false positive 2018-07-02 11:25:00 -06:00
export_report.pl
extract_xc3028.pl MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
extract-cert.c
extract-ikconfig
extract-module-sig.pl
extract-sys-certs.pl
extract-vmlinux extract-vmlinux: Check for uncompressed image as fallback 2018-10-17 08:18:01 +02:00
faddr2line scripts/faddr2line: fix location of start_kernel in comment 2018-11-18 10:15:09 -08:00
file-size.sh kbuild: Use ls(1) instead of stat(1) to obtain file size 2018-03-26 02:01:24 +09:00
find-unused-docs.sh
gcc-goto.sh jump_label: move 'asm goto' support test to Kconfig 2019-01-06 09:46:51 +09:00
gcc-ld
gcc-plugin.sh
gcc-version.sh kbuild: clean up scripts/gcc-version.sh 2019-03-04 22:35:04 +09:00
gcc-x86_32-has-stack-protector.sh stack-protector: test compiler capability in Kconfig and drop AUTO mode 2018-06-08 18:56:00 +09:00
gcc-x86_64-has-stack-protector.sh stack-protector: Fix test with 32-bit userland and CONFIG_64BIT=y 2018-06-25 23:21:13 +09:00
gen_compile_commands.py scripts: add a tool to produce a compile_commands.json file 2018-12-19 23:41:36 +09:00
gen_ksymdeps.sh kbuild: simplify dependency generation for CONFIG_TRIM_UNUSED_KSYMS 2018-12-01 23:13:14 +09:00
get_dvb_firmware
get_maintainer.pl get_maintainer: allow option --mpath <directory> to read all files in <directory> 2018-08-22 10:52:48 -07:00
gfp-translate
headerdep.pl
headers_check.pl
headers_install.sh kbuild: Improve portability of some sed invocations 2018-03-26 02:01:18 +09:00
headers.sh
insert-sys-cert.c
kallsyms.c Kbuild updates for v5.1 2019-03-10 17:48:21 -07:00
Kbuild.include kbuild: remove cc-version macro 2019-03-04 22:34:59 +09:00
Kconfig.include kbuild: clean up scripts/gcc-version.sh 2019-03-04 22:35:04 +09:00
kernel-doc kernel-doc: suppress 'not described' warnings for embedded struct fields 2019-01-16 15:04:01 -07:00
ld-version.sh
leaking_addresses.pl leaking_addresses: Completely remove --version flag 2019-03-07 08:53:18 +11:00
Lindent
link-vmlinux.sh kbuild: source include/config/auto.conf instead of ${KCONFIG_CONFIG} 2019-03-14 02:39:11 +09:00
Makefile scripts/gdb: do not descend into scripts/gdb from scripts 2019-02-27 21:40:09 +09:00
Makefile.asm-generic kbuild: force all architectures except um to include mandatory-y 2019-03-17 12:56:32 +09:00
Makefile.build kbuild: move archive command to scripts/Makefile.lib 2019-03-14 02:39:10 +09:00
Makefile.clean kbuild: remove deprecated host-progs variable 2018-08-09 21:51:17 +09:00
Makefile.dtbinst
Makefile.extrawarn Kbuild updates for v4.20 (2nd) 2018-11-03 10:47:33 -07:00
Makefile.gcc-plugins gcc-plugins: structleak: Generalize to all variable types 2019-03-04 09:29:41 -08:00
Makefile.headersinst kbuild: generate asm-generic wrappers if mandatory headers are missing 2019-01-06 09:46:51 +09:00
Makefile.host kbuild: skip 'addtree' and 'flags' magic for external module build 2019-01-28 09:11:17 +09:00
Makefile.kasan kasan: remove use after scope bugs detection. 2019-03-05 21:07:13 -08:00
Makefile.kcov kcov: test compiler capability in Kconfig and correct dependency 2018-06-11 09:14:08 +09:00
Makefile.lib kbuild: move archive command to scripts/Makefile.lib 2019-03-14 02:39:10 +09:00
Makefile.modbuiltin Kbuild: Makefile.modbuiltin: include auto.conf and tristate.conf mandatory 2018-08-03 00:47:00 +09:00
Makefile.modinst Revert "modsign: Abort modules_install when signing fails" 2019-03-17 12:56:31 +09:00
Makefile.modpost modpost: always show verbose warning for section mismatch 2019-03-14 02:39:09 +09:00
Makefile.modsign kbuild: remove duplicated comments about PHONY 2018-07-06 22:04:03 +09:00
Makefile.ubsan lib/ubsan: remove null-pointer checks 2018-08-10 20:19:58 -07:00
makelst
markup_oops.pl
mkcompile_h kbuild: remove unnecessary in-subshell execution 2019-01-28 09:11:17 +09:00
mkmakefile kbuild: simplify command line creation in scripts/mkmakefile 2018-10-04 22:56:02 +09:00
mksysmap
mkuboot.sh
module-common.lds
namespace.pl kbuild: rename built-in.o to built-in.a 2018-03-26 02:01:19 +09:00
objdiff
parse-maintainers.pl
patch-kernel
pnmtologo.c
profile2linkerlist.pl
prune-kernel
recordmcount.c scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names 2018-12-08 20:54:08 -05:00
recordmcount.h scripts: Fixed printf format mismatch 2018-05-29 22:04:12 +09:00
recordmcount.pl scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names 2018-12-08 20:54:08 -05:00
setlocalversion scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks 2018-11-21 23:57:33 +09:00
show_delta
sign-file.c
sortextable.c
sortextable.h
spdxcheck-test.sh scripts: add spdxcheck.py self test 2018-12-28 12:11:44 -08:00
spdxcheck.py scripts/spdxcheck.py: fix C++ comment style detection 2019-02-22 08:47:05 -07:00
spelling.txt scripts/spelling.txt: add more spellings to spelling.txt 2019-03-07 18:31:59 -08:00
sphinx-pre-install
split-man.pl MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
stackdelta
stackusage
subarch.include selftests: add headers_install to lib.mk 2018-09-05 08:12:09 -06:00
tags.sh scripts/tags.sh: add more declarations 2018-12-28 12:11:44 -08:00
unifdef.c unifdef: use memcpy instead of strncpy 2018-11-30 14:45:01 -08:00
ver_linux ver_linux: Assign constant RE to variable name for clarity 2019-01-22 13:34:35 +01:00
xen-hypercalls.sh
xz_wrap.sh