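#!/bin/sh
#############################################################################
#
# This script will build an SELinux monolithic or base policy file suitable
# for building test policy for use in the SELinux Notebook. The Reference
# Policy must be available for this script to build the policy.
#
# A full description of its use is in the SELinux Notebook
#
# Copyright (C) 2009 Richard Haines
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
#############################################################################
#
# Usage: buildpolicy <policy_file> <refpolicy_source_dir>
#
#   $1 - policy file to write. It is created or truncated, never appended to.
#   $2 - root of a Reference Policy source tree. Only the three files under
#        policy/flask/ (security_classes, initial_sids, access_vectors) are
#        read; nothing else in the tree is touched.
#
# What gets generated: a single type (unconfined_t), a single role and two
# users, plus an "allow unconfined_t self:<class> *;" rule for every class in
# security_classes. That grants every permission on every class, so the
# resulting policy enforces nothing. It is a toolchain/teaching fixture for
# the Notebook exercises; the banner written at the top of the output file
# records that it must not be loaded on a live system.
#
# Portability: written for POSIX sh (dash, busybox ash, bash). The original
# relied on "echo -e" with doubled backslashes, which dash prints literally
# (the output began with "-e" and contained no line breaks); printf and
# here-documents behave the same in every sh.

# Abort on any failing command (including a failed cat of a flask file, which
# would otherwise leave a truncated policy behind) and on unset variables.
set -eu

# The flask files that are copied verbatim into the policy, in the order the
# policy language requires them. Space-separated on purpose: it is expanded
# unquoted in the for loops below.
flask_files='security_classes initial_sids access_vectors'

# Print the command syntax to stderr and exit with status 1.
# Arguments: none. Globals: HOME (read, for the example path only).
usage() {
  printf '%s\n' \
    'Command format is: ./buildpolicy <policy_file> <refpolicy_source_dir>' \
    'Examples:' \
    'buildpolicy base.conf .' \
    'Or:' \
    "./buildpolicy policy.conf ${HOME-}/rpmbuild/SOURCES/serefpolicy-3.5.13" >&2
  exit 1
}

# Print an error message to stderr followed by the usage text; exits 1.
# Arguments: $1 - message
die() {
  printf '%s\n' "$1" >&2
  usage
}

# ${1-} / ${2-} keep "set -u" from firing before we can print a useful error.
out=${1-}
src=${2-}

[ -n "$out" ] || die 'Need policy file name'
# "> dir" would fail with an opaque shell error part-way through; say why.
[ ! -d "$out" ] || die "Policy file name is a directory: $out"

[ -n "$src" ] || die 'Need Reference Policy source directory'
# The original only probed security_classes, but all three files are read
# below; a tree missing initial_sids or access_vectors would have produced a
# policy that fails later in checkpolicy with a less helpful message.
# shellcheck disable=SC2086 -- deliberate word-splitting of a fixed list
for f in $flask_files; do
  [ -r "$src/policy/flask/$f" ] || die 'Not a valid Reference Policy source tree'
done

# Everything inside the group goes to the output file. Redirecting the group
# once (instead of ">> $1" on every line) opens the file a single time and
# keeps the output path quoted in exactly one place.
{
  cat <<'EOF'
#
# ****** WARNING - THIS POLICY MUST NOT BE USED IN LIVE **************
# ******************* IT IS FOR TESTING ONLY *************************
#
##################### START OF POLICY BUILD #######################
#
#
#################### Start of FLASK Entries #######################
#
EOF

  # Copy each flask file verbatim, preceded by a comment naming its origin.
  # shellcheck disable=SC2086 -- deliberate word-splitting of a fixed list
  for f in $flask_files; do
    printf '#\n# ./policy/flask/%s file entries\n#\n' "$f"
    cat "$src/policy/flask/$f"
  done

  cat <<'EOF'

#
###################### End of FLASK Entries #######################
#

#
# This policycap statement will be used in a netlabel module exercise
# to show network_peer_controls. For now comment out:
# policycap network_peer_controls;

# The only type defined for this policy:
type unconfined_t;

# The only role defined for this policy:
role unconfined_r types { unconfined_t };

#
# These allow rules enable all of the objects to access all of their
# permissions. This effectively gives access to everything.
#
EOF

  # One "allow unconfined_t self:<class> *;" per "class <name>" line. This is
  # the rule set that makes the policy non-enforcing (see header comment).
  awk '$1 == "class" {print "allow unconfined_t self:"$2 " *;"}' \
    "$src/policy/flask/security_classes"

  cat <<'EOF'

# The only real SELinux user defined for this policy:
user user_u roles { unconfined_r };

#
# The system_u user is defined so that objects can be labeled with
# system_u:object_r as in standard policies, also so that semanage can add
# ports etc. as it requires a system_u user for adding these type of objects.
user system_u roles { unconfined_r };

#
# This role constraint statement will be used to show limiting
# a role transition in the external gateway. For now comment out:
# constrain process transition ( r1 == r2 );

#
# These are the default labeling operations for these objects.
# Note that the kernel entry is unconfined_r not object_r
#
EOF

  # Initial SID contexts: two passes so the kernel SID is always emitted
  # first (with unconfined_r) and every other SID after it (with object_r),
  # regardless of their order in initial_sids.
  awk '$1 == "sid" {if ($2 == "kernel") print $1 " " $2 " system_u:unconfined_r:unconfined_t"}' \
    "$src/policy/flask/initial_sids"
  awk '$1 == "sid" {if ($2 != "kernel") print $1 " " $2 " system_u:object_r:unconfined_t"}' \
    "$src/policy/flask/initial_sids"

  cat <<'EOF'

#
# These are the default file labeling routines.
#
fs_use_xattr ext3 system_u:object_r:unconfined_t;
fs_use_xattr ext4 system_u:object_r:unconfined_t;
fs_use_task eventpollfs system_u:object_r:unconfined_t;
fs_use_task pipefs system_u:object_r:unconfined_t;
fs_use_task sockfs system_u:object_r:unconfined_t;
fs_use_trans mqueue system_u:object_r:unconfined_t;
fs_use_trans shm system_u:object_r:unconfined_t;
fs_use_trans tmpfs system_u:object_r:unconfined_t;
fs_use_trans devpts system_u:object_r:unconfined_t;
genfscon proc / system_u:object_r:unconfined_t
genfscon sysfs / system_u:object_r:unconfined_t
genfscon selinuxfs / system_u:object_r:unconfined_t
genfscon securityfs / system_u:object_r:unconfined_t

#
################## END OF POLICY BUILD ######################
#

EOF
} > "$out"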