selinux-0.10/

selinux-0.10/mounted-dev.upstart

# selinux-mounted-dev - Run restorecon on /dev directory

description "Run restorecon on newly mounted /dev directory"

start on mounted MOUNTPOINT=/dev
env MOUNTPOINT=/dev

task

script
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R "${MOUNTPOINT}"
    fi
end script

selinux-0.10/Makefile

INIT_BOTTOM = $(DESTDIR)/usr/share/initramfs-tools/scripts/init-bottom/

all:

# prepend an underscore to the target name, to [hopefully] cause policy
# loading to occur as early as possible
install:
	install -m644 -D etc.selinux.config $(DESTDIR)/usr/share/selinux/config.example
	install -m755 -D load_policy $(INIT_BOTTOM)/_load_selinux_policy
	install -m755 -D update-selinux-policy $(DESTDIR)/usr/sbin/update-selinux-policy
	install -m755 -D update-selinux-config $(DESTDIR)/usr/sbin/update-selinux-config
	install -m644 -D mounted-tmp.upstart $(DESTDIR)/etc/init/selinux-mounted-tmp.conf
	install -m644 -D mounted-dev.upstart $(DESTDIR)/etc/init/selinux-mounted-dev.conf
	install -m644 -D mounted-varlock.upstart $(DESTDIR)/etc/init/selinux-mounted-varlock.conf
	install -m644 -D mounted-varrun.upstart $(DESTDIR)/etc/init/selinux-mounted-varrun.conf

clean:

distclean:

.PHONY: all install clean distclean

selinux-0.10/mounted-varlock.upstart

# selinux-mounted-varlock - Run restorecon on /var/lock directory

description "Run restorecon on newly mounted /var/lock directory"

start on mounted MOUNTPOINT=/var/lock
env MOUNTPOINT=/var/lock

task

script
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R "${MOUNTPOINT}"
    fi
end script

selinux-0.10/mounted-varrun.upstart

# selinux-mounted-varrun - Run restorecon on /var/run directory

description "Run restorecon on newly mounted /var/run directory"

start on mounted MOUNTPOINT=/var/run
env MOUNTPOINT=/var/run

task

script
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R "${MOUNTPOINT}"
    fi
end script

selinux-0.10/update-selinux-config

#!/bin/sh -e
#
# update-selinux-config
#
# Modifies the system's SELinux configuration file to point to the
# given policy.
#
# Copyright (C) 2008 Tresys Technology
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.

set -e

configfile=/etc/selinux/config

if [ -z "$1" ]; then
    echo "Usage: update-selinux-config "
    exit 1
fi

echo "Updating $configfile."
if [ ! -e $configfile ] ; then
    /usr/bin/install -m644 -D /usr/share/selinux/config.example $configfile
fi
/bin/sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$1/" $configfile

selinux-0.10/update-selinux-policy

#!/bin/sh
#
# Update Security Enhanced Linux Policy
# Copyright (C) 2008 Tresys Technology
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
# Authors:
# Caleb Case
#
#
# Policy modules which are intended to be loaded are stored in /etc/selinux.d.
# Typically this would be done via a symlink to the module (e.g.
# /etc/selinux.d/refpolicy/init.pp -> /usr/share/selinux/refpolicy/init.pp).
#
# /etc/selinux.d (and its sub directories) may contain any number of policy
# modules (*.pp files). However, only _ONE_ base.pp is allowed to exist.
#
# The list of modules found will be compared against the list of loaded modules
# and changes (installed/removed) committed via /usr/sbin/semodule

set -e

# load the selinux configuration
if [ -e /etc/selinux/config ]
then
    . /etc/selinux/config
else
    echo >&2 "Error: /etc/selinux/config does not exist! SELinux policy cannot be updated."
    exit 1
fi

SEMODULE=/usr/sbin/semodule

# module configuration dir
MODS_D=/etc/selinux.d

# get list of module paths that should be loaded
ON_P=`/usr/bin/find $MODS_D -iregex '^.*\.pp$'`

# trim to just base module
BASE_P=`/bin/echo "$ON_P" | /bin/grep -ie '^.*base\.pp$'`

# get the base module name
BASE_N=`/bin/echo "$BASE_P" | /usr/bin/xargs -I{} /usr/bin/basename {} | /usr/bin/cut -d \. -f 1`

# determine how many base modules we have
BASE_LINES=`/bin/echo "$BASE_N" | /usr/bin/wc -w`

if [ $BASE_LINES = 0 ]
then
    echo >&2 "Error: No base module enabled! A base module 'base.pp' must be present in /etc/selinux.d"
    exit 1
fi

if [ $BASE_LINES != 1 ]
then
    echo >&2 "Error: Too many base modules! Only one base module is allowed."
    echo >&2 $BASE_P
    exit 1
fi

# trim to list of modules (without base)
ON_MODS_P=`/bin/echo "$ON_P" | /bin/grep -v "$BASE_P"` || true
#echo ON_MODS_P
#echo $ON_MODS_P

# get list of module names that should be loaded
ON_MODS_N=`/bin/echo "$ON_MODS_P" | /usr/bin/xargs -I{} /usr/bin/basename {} | /usr/bin/cut -d \. -f 1`
#echo ON_MODS_N
#echo $ON_MODS_N

# check that there aren't any duplicate modules
ON_MODS_C=`/bin/echo "$ON_MODS_N" | /usr/bin/wc -w`
ON_MODS_CU=`/bin/echo "$ON_MODS_N" | /usr/bin/sort -u | /usr/bin/wc -w`
#echo $ON_MODS_C
#echo $ON_MODS_CU
if [ $ON_MODS_C != $ON_MODS_CU ]
then
    echo >&2 "Error: There are duplicate modules in /etc/selinux.d! Module names must be unique. Please examine the modules in /etc/selinux.d."
    exit 1
fi

# get list of loaded modules
MODS_L=`$SEMODULE -l || /bin/echo ""`
LOAD_MODS=""
if [ "$MODS_L" != "No modules." ]
then
    LOAD_MODS=`/bin/echo "$MODS_L" | /usr/bin/cut -f 1`
fi
#echo LOAD_MODS
#echo $LOAD_MODS

# list of modules that need to be -i
# It is important that all the modules in /etc/selinux.d are listed here
# if they are not, then it is possible to remove modules which are
# required for modules that are currently installed.
IN_MODS=""
for i in $ON_MODS_P
do
    IN_MODS="$IN_MODS -i$i"
done
#echo $IN_MODS

# list of modules that need to be -r
RM_MODS=""
FOUND=0
for i in $LOAD_MODS
do
    FOUND=0
    # compare against the names of the modules enabled in /etc/selinux.d
    for j in $ON_MODS_N
    do
        if [ $i = $j ]
        then
            #echo "$i: ON LOADED"
            FOUND=1
        fi
    done
    if [ $FOUND -eq 0 ]
    then
        #echo "$i: OFF LOADED"
        RM_MODS="$RM_MODS -r$i"
    fi
done
#echo $RM_MODS

# determine if selinux is enabled
# if it is disabled, then we should not
# reload the policy after committing
if ! selinuxenabled
then
    RELOAD="-n"
fi

#echo "$SEMODULE -b $BASE_P $RM_MODS $IN_MODS"
$SEMODULE $RELOAD -s $SELINUXTYPE -b $BASE_P $RM_MODS $IN_MODS

# schedule a relabel
/etc/init.d/selinux relabel

exit 0

selinux-0.10/load_policy

#! /bin/sh

set -e

PREREQ="framebuffer console_setup"

prereqs () {
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /scripts/functions

# Mount the selinux directory in both the ramdisk's root as well as in
# the real root directory.
mkdir -p /selinux
mkdir -p ${rootmnt}/selinux

# Temporarily pivot to the real root directory, loading the policy
# from that disk. Normally this process will occur by init, but kinit
# is not compiled against libselinux. Therefore use load_policy to
# perform the same initialization.
set +e
chroot ${rootmnt} /sbin/load_policy -i
RET=$?
if [ $RET -eq 3 ]; then
    panic "SELinux policy load failed and enforcing mode requested, halting now"
    kill -INT 1
elif [ $RET -ne 0 ]; then
    log_warning_msg "SELinux policy load failed, continuing"
else
    log_success_msg "SELinux policy was loaded"
fi

mount -t selinuxfs none /selinux || \
    log_warning_msg "Unable to mount /selinux"

exit 0

selinux-0.10/etc.selinux.config

# This example is the file that controls the state of SELinux on the
# system. It normally resides at /etc/selinux/config and must be
# updated whenever the policy changes. Use the script
# /usr/sbin/update-selinux-config to change the policy type, and then
# reload the policy for changes to go into effect.

# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     refpolicy-targeted - Only targeted network daemons are protected.
#     refpolicy-strict - Full SELinux protection.
#     refpolicy-src - Custom policy built from source
SELINUXTYPE=refpolicy

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

selinux-0.10/debian/

selinux-0.10/debian/selinux.triggers

interest semodule

selinux-0.10/debian/selinux.postinst

#!/bin/sh
# postinst script for myq
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `configure'
#        * `abort-upgrade'
#        * `abort-remove' `in-favour'
#
#        * `abort-remove'
#        * `abort-deconfigure' `in-favour'
#          `removing'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

. /usr/share/debconf/confmodule

# Remove a no-longer used conffile
rm_conffile()
{
    CONFFILE="$1"

    if [ -e "$CONFFILE".dpkg-obsolete ]; then
        echo "Removing obsolete conffile $CONFFILE" >&2
        rm -f "$CONFFILE".dpkg-obsolete
    fi
}

case "$1" in
    configure)
        if dpkg --compare-versions "$2" lt 1:0.8; then
            rm_conffile /etc/initramfs-tools/scripts/init-bottom/_load_policy
            rm_conffile /etc/initramfs-tools/scripts/init-bottom/_restorecon
        fi

        db_get selinux/updategrub || true
        if [ "x$RET" = xtrue ]; then
            db_get selinux/grub
            grub="$RET"
            db_get selinux/defopt
            defopt="$RET"
            /bin/cp "$grub" "$grub"~
            set +e
            /bin/sed -i -e "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*$/GRUB_CMDLINE_LINUX_DEFAULT=\"$defopt\"/" "$grub"
            if [ $? != 0 ]
            then
                /bin/cp "$grub"~ "$grub"
                echo >&2 "Error: Unable to replace defoptions in menu.lst; changes reverted.";
                exit 1
            fi
            set -e
            /usr/sbin/update-grub
        fi

        /usr/bin/dpkg-trigger update-initramfs
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    triggered)
        echo "semodule deferred processing now taking place"
        /usr/sbin/update-selinux-policy
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#

exit 0

selinux-0.10/debian/selinux.config

#!/bin/sh -e

. /usr/share/debconf/confmodule

db_input medium selinux/updategrub || true
db_go

db_get selinux/updategrub
if [ "x$RET" = xfalse ]; then
    db_input critical selinux/install || true
    db_go
    exit 0
fi

grub_file="/etc/default/grub"
if [ -z "$grub_file" ] ; then
    echo "GRUB configuration file not found."
    exit 1
fi
db_set selinux/grub "$grub_file"

db_input low selinux/enforcement || true
db_input low selinux/grub || true
db_go

defopt_trim=`/bin/grep "^GRUB_CMDLINE_LINUX_DEFAULT" $grub_file | /bin/sed -r -e 's/GRUB_CMDLINE_LINUX_DEFAULT="(\s+)?//' -e 's/security=\w+(\s+)?//' -e 's/selinux=[01](\s+)?//' -e 's/(\s+)?"$(\s+)?//'`
defopt="$defopt_trim"
db_get selinux/enforcement
case "$RET" in
    Enforcing)
        defopt="$defopt security=selinux selinux=1 enforcing=1"
        ;;
    Permissive)
        defopt="$defopt security=selinux selinux=1 enforcing=0"
        ;;
    *)
        defopt="$defopt security=selinux selinux=1"
        ;;
esac
db_set selinux/defopt $defopt
db_input low selinux/defopt || true
db_go

db_input critical selinux/reboot || true
db_go

selinux-0.10/debian/README.Debian

The 'selinux' package provides the basic infrastructure necessary for
running SELinux. It provides a script that loads the policy at
startup, and a script to relabel the system on shutdown.

The system administrator is responsible for actually enabling SELinux
in the kernel. Typically this involves:

 1. Open the file /boot/grub/menu.lst.
 2. Find the line that begins with "# defoptions".
 3. Append to that line "selinux=1 enforcing=1"; this will enable
    SELinux in enforcing mode.
 4. Run update-grub to rebuild menu.lst.
 5. Reboot to make changes go into effect.

selinux-0.10/debian/selinux.install

/*

selinux-0.10/debian/compat

5

selinux-0.10/debian/selinux.preinst

#!/bin/sh
# preinst script for selinux
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `install'
#        * `install'
#        * `upgrade'
#        * `abort-upgrade'
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Prepare to remove a no-longer used conffile
prep_rm_conffile()
{
    PKGNAME="$1"
    CONFFILE="$2"
    MD5CONF="$3"

    if [ -z "$MD5CONF" ]; then
        MD5CONF="$CONFFILE"
    fi

    if [ -e "$CONFFILE" ]; then
        md5sum="`md5sum \"$MD5CONF\" | sed -e \"s/ .*//\"`"
        old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $MD5CONF'{s/ obsolete$//;s/.* //p}\"`"
        if [ "$md5sum" != "$old_md5sum" ]; then
            echo "Obsolete conffile $CONFFILE has been modified by you, renaming to .dpkg-bak"
            mv -f "$CONFFILE" "$CONFFILE".dpkg-bak
        else
            mv -f "$CONFFILE" "$CONFFILE".dpkg-obsolete
        fi
    fi
}

case "$1" in
    install|upgrade)
        if dpkg --compare-versions "$2" lt 1:0.8; then
            prep_rm_conffile selinux /etc/initramfs-tools/scripts/init-bottom/_load_policy
            prep_rm_conffile selinux /etc/initramfs-tools/scripts/init-bottom/_restorecon
        fi
    ;;

    abort-upgrade)
        # Do nothing
    ;;

    *)
        echo "preinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

exit 0

selinux-0.10/debian/rules

#!/usr/bin/make -f
# -*- makefile -*-

include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/makefile.mk

DEB_DH_INSTALL_ARGS = --sourcedir=debian/tmp
DEB_BUILD_OPTIONS="nocheck"
DEB_MAKE_INSTALL_TARGET=install DESTDIR=$(CURDIR)/debian/tmp
DEB_UPDATE_RCD_PARAMS="start 05 2 3 4 5 . stop 95 0 6 . "

selinux-0.10/debian/control

Source: selinux
Section: admin
Priority: optional
Maintainer: Ubuntu Hardened Developers
XSBC-Original-Maintainer: J. Tang
Build-Depends: debhelper (>= 5), cdbs
Standards-Version: 3.7.2

Package: selinux
Architecture: all
Pre-Depends: grub-pc
Depends: policycoreutils, ${misc:Depends}, initramfs-tools, grub-pc, selinux-utils, login (>= 4.0.18.2-1ubuntu1)
Recommends: selinux-policy-ubuntu | selinux-policy
Conflicts: apparmor, linux-security
Provides: linux-security
Description: Security-Enhanced Linux runtime support
 This package provides the minimal scripts necessary to run a
 Security-Enhanced Linux (SELinux) system.

selinux-0.10/debian/selinux.prerm

#!/bin/sh

set -e

# summary of how this script can be called:
#        * `remove'
#        * `upgrade'
#        * `failed-upgrade'
#        * `remove' `in-favour'
#        * `deconfigure' `in-favour'
#          `removing'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

case "$1" in
    remove|upgrade|deconfigure)
        /etc/init.d/selinux cancel
        if [ -e /usr/share/debconf/confmodule ]; then
            . /usr/share/debconf/confmodule
            db_get selinux/updategrub || true
            if [ "x$RET" = xtrue ]; then
                db_get selinux/grub
                grub="$RET"
                defopt_trim=`/bin/grep "^# defoptions" $grub | /bin/sed -r -e 's/# defoptions=(\s+)?//' -e 's/selinux=[01](\s+)?//' -e 's/apparmor.enabled=[01](\s+)?//' -e 's/enforcing=[01](\s+?)//' -e 's/\s+$//'`
                /bin/cp "$grub" "$grub"~
                set +e
                /bin/sed -i -e "s/^# defoptions=.*$/# defoptions=$defopt_trim/" "$grub"
                if [ $? != 0 ]
                then
                    /bin/cp "$grub"~ "$grub"
                    echo >&2 "Error: Unable to replace defoptions in menu.lst; changes reverted.";
                    exit 1
                fi
                set -e
                /usr/bin/dpkg-trigger update-grub
                db_input critical selinux/reboot || true
            else
                db_input critical selinux/uninstall || true
            fi
            db_go
        fi
    ;;

    failed-upgrade)
    ;;

    *)
        echo "prerm called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

selinux-0.10/debian/changelog

selinux (1:0.11) precise; urgency=low

  * Make update-selinux-policy work when only a base policy module is used.
    (LP: #955426)

 -- Tim Tickel  Wed, 14 Mar 2012 13:06:49 -0700

selinux (1:0.10) precise; urgency=low

  * Fix unsafe lockfile creation. The scope of this is limited by when this
    script is run. On Ubuntu 10.10 and higher, Yama blocks exploitation of
    this issue, but we want to fix this on Ubuntu 10.04 LTS (which doesn't
    have Yama) and so this package is provided for upgrades. (LP: #876994)

 -- Jamie Strandboge  Wed, 21 Dec 2011 12:20:37 -0600

selinux (1:0.9) lucid; urgency=low

  * mounted-var{run,lock}.upstart, Makefile: add more restorecon calls for
    tmpfs filesystems, thanks to Stephen Lawrence (LP: #568744).

 -- Kees Cook  Thu, 22 Apr 2010 16:58:14 -0700

selinux (1:0.8) lucid; urgency=low

  * debian/selinux.{preinst,postinst}, Makefile: move /etc/initramfs-tools
    scripts to /usr/share/initramfs-tools.
  * load_policy: source functions only in initramfs.
  * mounted-dev.upstart, Makefile: move restorecon for /dev to upstart
    job (LP: #556823).

 -- Kees Cook  Tue, 06 Apr 2010 13:57:28 -0700

selinux (1:0.7) lucid; urgency=low

  * Move restorecon for /tmp to an upstart job.

 -- Kees Cook  Fri, 22 Jan 2010 12:33:04 -0800

selinux (1:0.6) karmic; urgency=low

  * Recommend policy packages instead of depends to prevent circular
    dependencies.

 -- Caleb Case  Mon, 19 Oct 2009 17:25:39 -0400

selinux (1:0.5) karmic; urgency=low

  * GRUB 2 support, new LSM switching via 'security=' (LP: #428007).
  * Added ext4 as a valid fs to relabeling script (LP: #371075).

 -- Caleb Case  Wed, 09 Sep 2009 14:58:21 -0400

selinux (1:0.4) jaunty; urgency=low

  * Adjusted depends to reflect package rename of selinux-policy-refpolicy
    to selinux-policy-ubuntu (LP: #352771).

 -- Caleb Case  Mon, 23 Mar 2009 04:55:47 -0400

selinux (1:0.3) intrepid; urgency=low

  * Bump epoch to avoid old Debian "selinux" Conflict in policycoreutils
    to make selinux installable in Intrepid again.

 -- Kees Cook  Thu, 17 Jul 2008 12:18:37 -0700

selinux (0.2) hardy; urgency=low

  * load_policy:
    - Use load_policy in /sbin instead of /usr/sbin (which may not be
      mounted yet) (LP: #126415).
  * update-selinux-policy:
    - If selinux isn't enabled then do not reload the policy.

 -- Caleb Case  Fri, 29 Feb 2008 12:33:43 -0500

selinux (0.1) hardy; urgency=low

  * Initial Release. The package supersedes selinux-basics.

 -- J. Tang  Tue, 29 Jan 2008 12:00:00 +0000

selinux-0.10/debian/selinux.init

#!/bin/sh

### BEGIN INIT INFO
# Provides:          selinux
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 6
# Short-Description: Relabel the filesystem before reboot
### END INIT INFO

# Name of the file to create if requesting relabeling
statusfile=/.autorelabel
switchfile=/.switchpolicy

# Source function library
. /lib/lsb/init-functions

# Get the selinux configuration variables
SELINUXTYPE=""
if [ -e $switchfile ]; then
    . $switchfile
elif [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
fi

SETFILES=/sbin/setfiles
LOAD_POLICY=/usr/sbin/load_policy

# From fixfiles - determine what filesystems can be relabeled
FILESYSTEMSRW=`/bin/mount | /bin/grep -v "context=" | /bin/egrep -v '\((|.*,)bind(,.*|)\)' | /usr/bin/awk '/(ext[234]| xfs | jfs ).*\(rw/{print $3}';`
FILESYSTEMSRO=`/bin/mount | /bin/grep -v "context=" | /bin/egrep -v '\((|.*,)bind(,.*|)\)' | /usr/bin/awk '/(ext[234]| xfs | jfs ).*\(ro/{print $3}';`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"

lockdir=/var/lock/selinux-relabel

# Start only creates the lock
start() {
    log_daemon_msg "Starting SELinux autorelabel"
    if [ -e $statusfile ]; then
        log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
        log_end_msg 0
    else
        mkdir $lockdir 2>/dev/null || true
        log_end_msg 0
    fi
}

# Stop performs the relabeling and removes the request to relabel
stop() {
    if [ -e $statusfile ]; then
        if [ "x${SELINUXTYPE}" = "x" ]; then
            log_failure_msg "No SELinux policy found"
            /bin/rmdir $lockdir
            exit 5 # LSB defines this as 'program is not installed'
        fi
        if [ `/usr/sbin/getenforce` != "Disabled" ]; then
            echo "0" > /selinux/enforce
        fi
        log_warning_msg "If you are not already running SELinux, then you can"
        log_warning_msg "safely ignore the following error message."
        ${LOAD_POLICY} && log_action_msg "Policy loaded successfully"
        log_warning_msg "SELinux ${SELINUXTYPE} policy relabel is required."
        log_warning_msg "Relabeling could take a very long time, depending"
        log_warning_msg "on file system size and speed of hard drives."
        /bin/sed -i -f $statusfile /etc/selinux/config
        log_action_begin_msg "Relabeling files"
        ${SETFILES} /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts ${FILESYSTEMS}
        log_action_end_msg $?
        /bin/rm -f $statusfile $switchfile
    fi
    /bin/rmdir $lockdir
}

# Restart does nothing
restart() {
    start
}

# Determine if relabel has been requested
status() {
    if [ -d $lockdir ] ; then
        if [ -e $statusfile ]; then
            echo "Filesystem will be relabeled using policy ${SELINUXTYPE}."
        else
            echo "No relabeling requested."
        fi
        exit 0
    else
        echo "Not started"
        exit 3 # LSB defines this as 'program is not running'
    fi
}

# This creates the file
relabel() {
    log_success_msg "File relabel will occur upon next shutdown/reboot."
    /usr/bin/touch $statusfile
}

# This causes the policy to change before relabeling
switch() {
    if [ ! -z $1 ]; then
        relabel
        echo "s/^SELINUXTYPE=.*/SELINUXTYPE=$1/" > $statusfile
        echo "SELINUXTYPE=$1" > $switchfile
        if [ ! -z $2 ]; then
            echo "s/^SELINUX=.*/SELINUX=$2/" >> $statusfile
            echo "SELINUX=$2" >> $switchfile
        fi
    else
        echo "No policy specified"
        exit 1
    fi
}

cancel() {
    /bin/rm -f $statusfile $switchfile
}

help() {
    echo
    echo "$0: Automatic relabel on reboot."
    echo
    echo "This script will cause automatic relabeling of the filesystem before"
    echo "a reboot upon request."
    echo
    echo "Options:"
    echo
    echo " status Check if relabeling has been requested"
    echo
    echo " relabel Request that the filesystem be relabeled"
    echo
    echo " switch POLICY [ENFORCING]"
    echo " Request to switch to POLICY and set to ENFORCING (implies relabel)"
    echo
    echo " cancel Cancel a previous request to relabel"
    echo " If no request exists, this option does nothing"
    echo
    echo " help Display this help message"
    echo
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|try-restart|reload|force-reload)
        restart
        ;;
    relabel)
        relabel
        ;;
    switch)
        # syntax: selinux switch <"enforcing"|"permissive">
        switch $2 $3
        ;;
    cancel)
        cancel
        ;;
    help)
        help
        ;;
    *)
        log_failure_msg "Usage: $0 (status|relabel|switch|cancel|help)"
        exit 2 # LSB defines this as 'invalid argument'
esac
exit 0

selinux-0.10/debian/selinux.postrm

#!/bin/sh
# postrm script for myq
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `remove'
#        * `purge'
#        * `upgrade'
#        * `failed-upgrade'
#        * `abort-install'
#        * `abort-install'
#        * `abort-upgrade'
#        * `disappear'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

. /usr/share/debconf/confmodule

case "$1" in
    remove)
        /usr/sbin/update-initramfs -u
    ;;

    purge|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
    ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

selinux-0.10/debian/copyright

Upstream Author: Tresys Technology

Copyright (C) 2008, Tresys Technology, LLC

License:

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, or version 2 of the License.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this package; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

On Debian systems, the complete text of the GNU General Public License
can be found in `/usr/share/common-licenses/GPL'.

selinux-0.10/debian/selinux.templates

Template: selinux/install
Type: note
Description: SELinux install
 SELinux has been installed on this system, but has not been enabled.
 You will need to update your bootloader (probably by adding
 'apparmor.enabled=0 selinux=1' to the defoptions line in
 /boot/grub/menu.lst, and then running update-grub) and then reboot to
 activate SELinux.

Template: selinux/updategrub
Type: boolean
Default: true
Description: Add SELinux to GRUB configuration?
 To enable SELinux, GRUB must pass the correct options to the kernel.
 Should this script automatically add the proper entries to your
 bootloader?

Template: selinux/enforcement
Type: select
Choices: Use Config File, Enforcing, Permissive
Default: Use Config File
Description: Choose SELinux Enforcement.
 By default, SELinux enforcement is specified in /etc/selinux/config.
 This can be overridden by a kernel option. What enforcement behavior
 should be used?

Template: selinux/grub
Type: string
Description: Select GRUB menu file
 Which GRUB menu file should be modified? This file will be updated
 with the new SELinux settings.

Template: selinux/defopt
Type: string
Description: Review kernel options.
 The following string will be passed to your kernel by the bootloader.
 Review it and make changes as necessary before it is applied.

Template: selinux/uninstall
Type: note
Description: SELinux uninstall
 SELinux has been removed from this system. Do not forget to remove it
 from your bootloader (probably by modifying the defoptions line in
 /boot/grub/menu.lst, and then running update-grub), and then reboot to
 deactivate SELinux.

Template: selinux/reboot
Type: note
Description: Reboot needed to finish configuration.
 This system needs to be rebooted so that the changes to SELinux will
 go into effect.

selinux-0.10/mounted-tmp.upstart

# selinux-mounted-tmp - Run restorecon on /tmp directory

description "Run restorecon on newly mounted /tmp directory"

start on mounted MOUNTPOINT=/tmp
env MOUNTPOINT=/tmp

task

script
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "${MOUNTPOINT}"
    fi
end script