veilor-os/scripts/selinux/build-policy.sh

#!/usr/bin/env bash
# Build + load veilor-os SELinux policy modules.
#
# Modules:
#   veilor-systemd    — capabilities for systemd-modules-load (post-boot lock)
#   veilor-firstboot  — confine /usr/local/bin/veilor-firstboot one-shot
#
# Usage:
#   sudo ./build-policy.sh           # build + install all
#   sudo ./build-policy.sh <name>    # build + install one module
set -euo pipefail

cd "$(dirname "$0")"

MODULES=(veilor-systemd veilor-firstboot)
if [[ $# -gt 0 ]]; then
    MODULES=("$@")
fi

for m in "${MODULES[@]}"; do
    if [[ ! -f "$m.te" ]]; then
        echo "[ERR] $m.te not found" >&2
        exit 1
    fi
    echo "[*] Building $m ..."
    checkmodule -M -m -o "$m.mod" "$m.te"
    semodule_package -o "$m.pp" -m "$m.mod"
    semodule -i "$m.pp"
    echo "[OK] $m loaded"
done

# Apply file context for veilor-firstboot if module just loaded.
if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then
    if command -v restorecon >/dev/null 2>&1; then
        # Mark the binary + state file with the right types.
        semanage fcontext -a -t veilor_firstboot_exec_t  '/usr/local/bin/veilor-firstboot' 2>/dev/null || true
        semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true
        restorecon -v /usr/local/bin/veilor-firstboot 2>/dev/null || true
        [[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true
    fi
fi

echo "[done] all modules loaded"
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`#!/usr/bin/env bash`
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`# Build + load veilor-os SELinux policy modules.`
			`#`
			`# Modules:`
			`# veilor-systemd — capabilities for systemd-modules-load (post-boot lock)`
v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin QEMU boot test of v0.5.1 (commit 1c99ae0) revealed both scripts missing from /usr/local/sbin/ on running system, despite being in overlay/usr/local/sbin/ in the source tree. Root cause: Fedora's filesystem package (or post-install scriptlet) rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart %post --nochroot's overlay copy runs. The cp -a placed files in /usr/local/sbin/ as a real directory; the symlink replacement deleted them. Confirmed via tty diagnostic: `ls -la /usr/local` shows `lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin second. Fix: move both binaries to overlay/usr/local/bin/ where they're safe from the symlink rewrite. Update all references: - kickstart/veilor-os.ks chmod path + chown + diagnostic ls - overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart - overlay/etc/systemd/system/veilor-firstboot.service ExecStart - scripts/selinux/build-policy.sh fcontext + restorecon paths - generated install ks template inside veilor-installer Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/ unchanged. The veilor-installer binary in /usr/local/bin/ is discoverable via $PATH same as before. 2026-05-02 05:33:22 +01:00			`# veilor-firstboot — confine /usr/local/bin/veilor-firstboot one-shot`
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`#`
			`# Usage:`
			`# sudo ./build-policy.sh # build + install all`
			`# sudo ./build-policy.sh <name> # build + install one module`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`set -euo pipefail`

			`cd "$(dirname "$0")"`

sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`MODULES=(veilor-systemd veilor-firstboot)`
			`if [[ $# -gt 0 ]]; then`
			`MODULES=("$@")`
			`fi`

			`for m in "${MODULES[@]}"; do`
			`if [[ ! -f "$m.te" ]]; then`
			`echo "[ERR] $m.te not found" >&2`
			`exit 1`
			`fi`
			`echo "[*] Building $m ..."`
			`checkmodule -M -m -o "$m.mod" "$m.te"`
			`semodule_package -o "$m.pp" -m "$m.mod"`
			`semodule -i "$m.pp"`
			`echo "[OK] $m loaded"`
			`done`

			`# Apply file context for veilor-firstboot if module just loaded.`
			`if printf '%s\n' "${MODULES[@]}" \| grep -qx veilor-firstboot; then`
			`if command -v restorecon >/dev/null 2>&1; then`
			`# Mark the binary + state file with the right types.`
v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin QEMU boot test of v0.5.1 (commit 1c99ae0) revealed both scripts missing from /usr/local/sbin/ on running system, despite being in overlay/usr/local/sbin/ in the source tree. Root cause: Fedora's filesystem package (or post-install scriptlet) rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart %post --nochroot's overlay copy runs. The cp -a placed files in /usr/local/sbin/ as a real directory; the symlink replacement deleted them. Confirmed via tty diagnostic: `ls -la /usr/local` shows `lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin second. Fix: move both binaries to overlay/usr/local/bin/ where they're safe from the symlink rewrite. Update all references: - kickstart/veilor-os.ks chmod path + chown + diagnostic ls - overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart - overlay/etc/systemd/system/veilor-firstboot.service ExecStart - scripts/selinux/build-policy.sh fcontext + restorecon paths - generated install ks template inside veilor-installer Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/ unchanged. The veilor-installer binary in /usr/local/bin/ is discoverable via $PATH same as before. 2026-05-02 05:33:22 +01:00			`semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot' 2>/dev/null \|\| true`
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null \|\| true`
v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin QEMU boot test of v0.5.1 (commit 1c99ae0) revealed both scripts missing from /usr/local/sbin/ on running system, despite being in overlay/usr/local/sbin/ in the source tree. Root cause: Fedora's filesystem package (or post-install scriptlet) rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart %post --nochroot's overlay copy runs. The cp -a placed files in /usr/local/sbin/ as a real directory; the symlink replacement deleted them. Confirmed via tty diagnostic: `ls -la /usr/local` shows `lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin second. Fix: move both binaries to overlay/usr/local/bin/ where they're safe from the symlink rewrite. Update all references: - kickstart/veilor-os.ks chmod path + chown + diagnostic ls - overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart - overlay/etc/systemd/system/veilor-firstboot.service ExecStart - scripts/selinux/build-policy.sh fcontext + restorecon paths - generated install ks template inside veilor-installer Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/ unchanged. The veilor-installer binary in /usr/local/bin/ is discoverable via $PATH same as before. 2026-05-02 05:33:22 +01:00			`restorecon -v /usr/local/bin/veilor-firstboot 2>/dev/null \|\| true`
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`[[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null \|\| true`
			`fi`
			`fi`

			`echo "[done] all modules loaded"`