veilor-os/scripts/selinux/build-policy.sh

#!/usr/bin/env bash
# Build + load veilor-os SELinux policy modules.
#
# Modules:
#   veilor-systemd    — capabilities for systemd-modules-load (post-boot lock)
#   veilor-firstboot  — confine /usr/local/sbin/veilor-firstboot one-shot
#
# Usage:
#   sudo ./build-policy.sh           # build + install all
#   sudo ./build-policy.sh <name>    # build + install one module
set -euo pipefail

cd "$(dirname "$0")"

MODULES=(veilor-systemd veilor-firstboot)
if [[ $# -gt 0 ]]; then
    MODULES=("$@")
fi

for m in "${MODULES[@]}"; do
    if [[ ! -f "$m.te" ]]; then
        echo "[ERR] $m.te not found" >&2
        exit 1
    fi
    echo "[*] Building $m ..."
    checkmodule -M -m -o "$m.mod" "$m.te"
    semodule_package -o "$m.pp" -m "$m.mod"
    semodule -i "$m.pp"
    echo "[OK] $m loaded"
done

# Apply file context for veilor-firstboot if module just loaded.
if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then
    if command -v restorecon >/dev/null 2>&1; then
        # Mark the binary + state file with the right types.
        semanage fcontext -a -t veilor_firstboot_exec_t  '/usr/local/sbin/veilor-firstboot' 2>/dev/null || true
        semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true
        restorecon -v /usr/local/sbin/veilor-firstboot 2>/dev/null || true
        [[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true
    fi
fi

echo "[done] all modules loaded"