Accepting request 38022 from security:SELinux
Copy from security:SELinux/libselinux based on submit request 38022 from user thomasbiege OBS-URL: https://build.opensuse.org/request/show/38022 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=16
parent
ff92a8cd8b
commit
48ac1bce55
@ -23,7 +23,7 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver}
|
|||||||
|
|
||||||
Name: libselinux-bindings
|
Name: libselinux-bindings
|
||||||
Version: 2.0.91
|
Version: 2.0.91
|
||||||
Release: 1
|
Release: 2
|
||||||
Url: http://www.nsa.gov/selinux/
|
Url: http://www.nsa.gov/selinux/
|
||||||
License: GPLv2 ; Public Domain, Freeware
|
License: GPLv2 ; Public Domain, Freeware
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
|
@ -1,3 +1,25 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com
|
||||||
|
|
||||||
|
- selinux-ready: added function to check for restorecond in
|
||||||
|
runlevel 3/5
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com
|
||||||
|
|
||||||
|
- selinux-ready: added functions for checking PAM config and
|
||||||
|
policy boolean init_upstart
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com
|
||||||
|
|
||||||
|
- selinux-ready: fixed init ramfs checking
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com
|
||||||
|
|
||||||
|
- added new selinux-ready script
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
|
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver}
|
|||||||
|
|
||||||
Name: libselinux
|
Name: libselinux
|
||||||
Version: 2.0.91
|
Version: 2.0.91
|
||||||
Release: 1
|
Release: 2
|
||||||
Url: http://www.nsa.gov/selinux/
|
Url: http://www.nsa.gov/selinux/
|
||||||
License: GPLv2 ; Public Domain, Freeware
|
License: GPLv2 ; Public Domain, Freeware
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
|
102
selinux-ready
102
selinux-ready
@ -22,7 +22,7 @@ check_dir()
|
|||||||
check_filesystem()
|
check_filesystem()
|
||||||
{
|
{
|
||||||
FSPATH="/proc/filesystems"
|
FSPATH="/proc/filesystems"
|
||||||
FSNAME="selinuxfs"
|
FSNAME="securityfs"
|
||||||
|
|
||||||
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
|
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
|
||||||
|
|
||||||
@ -37,11 +37,11 @@ check_filesystem()
|
|||||||
|
|
||||||
check_boot()
|
check_boot()
|
||||||
{
|
{
|
||||||
BPARAM="security=selinux.*selinux=1.*enforcing=?" # XXX order not mandatory
|
BPARAM="selinux=1"
|
||||||
|
|
||||||
printf "\tcheck_boot: Assuming GRUB as bootloader.\n"
|
printf "\tcheck_boot: Assuming GRUB as bootloader.\n"
|
||||||
|
|
||||||
BLINE=$(grep -E $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config
|
BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config
|
||||||
|
|
||||||
if [ $? == 0 ]; then
|
if [ $? == 0 ]; then
|
||||||
K=$(echo $BLINE | awk -F' ' '{print $2}')
|
K=$(echo $BLINE | awk -F' ' '{print $2}')
|
||||||
@ -80,20 +80,99 @@ check_mkinitrd()
|
|||||||
cd initrd-extracted
|
cd initrd-extracted
|
||||||
gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null
|
gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null
|
||||||
grep -E -- $MCMD boot/* 2>&1 >/dev/null
|
grep -E -- $MCMD boot/* 2>&1 >/dev/null
|
||||||
FLG=$?
|
FLG1=$?
|
||||||
|
grep -E -- load_policy boot/* 2>&1 >/dev/null
|
||||||
|
FLG2=$?
|
||||||
popd 2>&1>/dev/null
|
popd 2>&1>/dev/null
|
||||||
|
|
||||||
if [ $FLG == 0 ];then
|
if [ $FLG1 == 0 -a $FLG2 == 0 ];then
|
||||||
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
|
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
|
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
|
||||||
printf "\t the root filesystem during boot, this may be a\n"
|
printf "\t the root filesystem during boot and/or load_policy\n"
|
||||||
printf "\t reason for SELinux not working.\n"
|
printf "\t is missing,\n"
|
||||||
|
printf "\t this may be a reason for SELinux not working.\n"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_pam()
|
||||||
|
{
|
||||||
|
AA_PAM=0
|
||||||
|
SE_PAM=0
|
||||||
|
|
||||||
|
# test for AA pam module
|
||||||
|
grep apparmor /etc/pam.d/* 2>&1 >/dev/null
|
||||||
|
FLG=$?
|
||||||
|
if [ $FLG == 0 ]; then
|
||||||
|
AA_PAM=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# test for SELinux pam module
|
||||||
|
grep selinux /etc/pam.d/* 2>&1 >/dev/null
|
||||||
|
FLG=$?
|
||||||
|
if [ $FLG == 0 ]; then
|
||||||
|
SE_PAM=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# suggest config
|
||||||
|
if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then
|
||||||
|
printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n"
|
||||||
|
if [ $AA_PAM == 1 ]; then
|
||||||
|
printf " execute 'pam-config -d --apparmor' as root\n"
|
||||||
|
fi
|
||||||
|
if [ $SE_PAM == 0 ]; then
|
||||||
|
printf " execute 'pam-config -a --selinux' as root\n"
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
check_initupstart()
|
||||||
|
{
|
||||||
|
CFGFILE="/etc/selinux/config"
|
||||||
|
|
||||||
|
if ! [ -f $CFGFILE ]; then
|
||||||
|
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
|
||||||
|
return 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
POL=$(grep SELINUXTYPE $CFGFILE | sed "s/SELINUXTYPE\s*=\s*"//)
|
||||||
|
|
||||||
|
if ! [ -f /etc/selinux/$POL/booleans ]; then
|
||||||
|
printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//")
|
||||||
|
|
||||||
|
if [ "$INITUS" == 1 ]; then
|
||||||
|
printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
check_runlevel()
|
||||||
|
{
|
||||||
|
#ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null
|
||||||
|
|
||||||
|
#if [ $? == 0 ]; then
|
||||||
|
if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then
|
||||||
|
printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n"
|
||||||
|
return 0;
|
||||||
|
fi
|
||||||
|
printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
check_packages()
|
check_packages()
|
||||||
{
|
{
|
||||||
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy"
|
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy"
|
||||||
@ -120,8 +199,13 @@ check_config()
|
|||||||
{
|
{
|
||||||
CF="/etc/selinux/config"
|
CF="/etc/selinux/config"
|
||||||
|
|
||||||
|
|
||||||
if [ -f $CF ];then
|
if [ -f $CF ];then
|
||||||
printf "\tcheck_config: OK. Config file seems to be there.\n"
|
printf "\tcheck_config: OK. Config file seems to be there.\n"
|
||||||
|
if ! [ $(stat --printf=%a $CF) -eq "644" ]; then
|
||||||
|
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
|
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
|
||||||
@ -138,6 +222,8 @@ check_boot
|
|||||||
check_mkinitrd
|
check_mkinitrd
|
||||||
check_packages
|
check_packages
|
||||||
check_config
|
check_config
|
||||||
|
check_initupstart
|
||||||
|
check_pam
|
||||||
|
check_runlevel
|
||||||
|
|
||||||
rm -rf $TD
|
rm -rf $TD
|
||||||
|
|
||||||
|
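Review bot: The kernel-support test in check_filesystem now greps /proc/filesystems for `securityfs`, but securityfs is registered by any kernel built with CONFIG_SECURITYFS and is shared with other LSMs (AppArmor on openSUSE), so a match no longer shows that SELinux is available, whereas `selinuxfs` is only listed when SELinux is enabled; check_filesystem's body continues past the hunk. check_boot has a similar weakening: `selinux=1` on its own does not select SELinux on a kernel whose default LSM is not SELinux, so keeping a test for `security=selinux` alongside it (for example two greps, one for `security=selinux` and one for `selinux=1`) would make the OK message meaningful. The new grep lines in check_mkinitrd (`grep -E -- load_policy boot/* 2>&1 >/dev/null`) and both greps in check_pam use `2>&1 >/dev/null`, which sends stderr to the terminal and discards only stdout; the intended form is `>/dev/null 2>&1`. In check_initupstart, `grep SELINUXTYPE $CFGFILE` also matches commented lines that mention SELINUXTYPE (the stock config template has such comments), which leaves POL holding several lines; anchoring it as `grep '^SELINUXTYPE' $CFGFILE` avoids that, and the same anchoring would help the `init_upstart` lookup.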