From f023200040cf857d85162e2ad998bef7acf5ad0d3662bc7ec18035114bc4dd79 Mon Sep 17 00:00:00 2001
From: Thomas Biege
Date: Fri, 14 Dec 2012 14:01:01 +0000
Subject: [PATCH] Accepting request 145303 from home:vitezslav_cizek:branches:security:SELinux

- update selinux-ready script
 * use -L when stat()ing /etc/selinux/config
 * make sure that SELINUX isn't disabled in /etc/selinux/config
 * look for either of /sys/fs/selinux and /selinux directory
 * use systemctl to check for restorecond
 * don't look for booleans file (deprecated)

OBS-URL: https://build.opensuse.org/request/show/145303
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=57
---
 libselinux.changes | 10 ++++++++
 selinux-ready | 63 +++++++++++++++++++++++-----------------------
 2 files changed, 42 insertions(+), 31 deletions(-)

diff --git a/libselinux.changes b/libselinux.changes
index 985d442..2b0749d 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
+
+- update selinux-ready script
+ * use -L when stat()ing /etc/selinux/config
+ * make sure that SELINUX isn't disabled in /etc/selinux/config
+ * look for either of /sys/fs/selinux and /selinux directory
+ * use systemctl to check for restorecond
+ * don't look for booleans file (deprecated)
+
 -------------------------------------------------------------------
 Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
 
diff --git a/selinux-ready b/selinux-ready
index 8c202c7..278276d 100644
--- a/selinux-ready
+++ b/selinux-ready
@@ -8,13 +8,20 @@ TD=""
 # init needs /selinux to be there
 check_dir()
 {
- SLDIR="/selinux"
+ SLDIRS="/selinux /sys/fs/selinux"
+ FOUND="no"
 
- if [ -d $SLDIR ];then
- printf "\tcheck_dir: OK. $SLDIR exists.\n"
+ for DIR in $SLDIRS; do
+ if [ -d $DIR ]; then
+ printf "\tcheck_dir: OK. $DIR exists.\n"
+ FOUND="yes"
+ fi
+ done
+
+ if [ $FOUND == "yes" ]; then
 return 0
 else
- printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n"
+ printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n"
 return 1
 fi
 }
@@ -58,7 +65,7 @@ check_boot()
 K=$(echo $BLINE | awk -F' ' '{print $2}')
 KERNEL=$(basename $K)
 K=$(echo $KERNEL | sed s/vmlinuz-//)
-
+
 if [ "$K" == "$CURRENT_KERNEL" ]; then
 INITRD=initrd-$K
 RETVAL="OK"
@@ -80,6 +87,9 @@ check_boot()
 check_mkinitrd()
 {
+ if [ "$INITRD" == "unknown" ]; then
+ return 1
+ fi
 MCMD="mount.*/root/proc.*"
 if ! [ -f "/boot/$INITRD" ];then
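Review bot: The new error text in check_dir tells the user to `mkdir /sys/fs/selinux`, but /sys is sysfs, so that directory cannot be created by hand; it only appears when the running kernel has SELinux built in, so the advice is misleading on exactly the machines that reach this branch. I would reword it to point at the kernel instead: `printf "\tcheck_dir: ERR. Neither of $SLDIRS exists; the running kernel does not seem to provide selinuxfs (check CONFIG_SECURITY_SELINUX).\n"`. A bare `-d` test is also a weak readiness signal, since the removed message used to recommend creating `/selinux` by hand and such an empty leftover directory still passes; if the comment "init needs /selinux to be there" means init must be able to use it, testing for the filesystem (e.g. `[ -e $DIR/enforce ]` or `grep -q selinuxfs /proc/filesystems`) would be stronger, though whether that is in scope for this script I cannot tell from the hunk.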
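Review bot: The early return added at the top of check_mkinitrd exits silently, while every other failure path visible in this file prints a `\tcheck_<name>: ERR. ...` line before `return 1` (see check_dir above), so a run that hits it yields a failed check with no explanation. I would add `printf "\tcheck_mkinitrd: ERR. initrd of the running kernel is unknown, cannot inspect it.\n"` before the return. The `unknown` sentinel is presumably the default INITRD gets when check_boot finds no matching kernel entry (the hunk above only shows the `INITRD=initrd-$K` branch); that assignment is outside this hunk, so the comparison only works while both spellings stay in sync, and a short comment naming where the value comes from would help. check_mkinitrd continues past the end of the hunk.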
@@ -161,33 +171,12 @@ check_initupstart()
 printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
 return 1;
 fi
-
- POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/)
-
- if ! [ -f /etc/selinux/$POL/booleans ]; then
- printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n"
- return 1
- fi
-
- INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//")
-
- if [ "$INITUS" == 1 ]; then
- printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n"
- return 0
- else
- printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n"
- return 1
- fi
-
 }
 
 check_runlevel()
 {
- #ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null
-
- #if [ $? == 0 ]; then
- if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then
- printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n"
+ if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then
+ printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n"
 return 0;
 fi
 printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
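Review bot: After this deletion check_initupstart is left as a stub: when `$CFGFILE` exists it falls out of the function without printing anything, and its exit status is merely that of the preceding `if`, so any summary built from the `check_*` results counts it as a passed check that no longer verifies anything. Either drop the function together with its call site (outside this hunk), or make it report what it still checks, e.g. `printf "\tcheck_initupstart: OK. $CFGFILE exists (init_upstart boolean is no longer checked).\n"` followed by `return 0`. In check_runlevel, the new `systemctl is-enabled` test leaves the old instruction `please execute 'yast2 runlevel'` in the ERR line; on a systemd host the fix is `systemctl enable restorecond.service`, and adding `2>/dev/null` inside the command substitution keeps systemd's "No such file or directory" noise out of the report when the unit is not installed. The head of check_initupstart is outside the hunk.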
@@ -220,14 +209,26 @@ check_config()
 {
 CF="/etc/selinux/config"
-
 if [ -f $CF ];then
 printf "\tcheck_config: OK. Config file seems to be there.\n"
- if ! [ $(stat --printf=%a $CF) -eq "644" ]; then
+ # with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy
+ if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then
 printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
 return 1
 fi
- return 0
+
+ # check that SELINUX is not disabled there
+ SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/)
+ case "$SELINUX_MODE" in
+ permissive | enforcing )
+ printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n"
+ return 0
+ ;;
+ * )
+ printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n"
+ return 1
+ ;;
+ esac
 else
 printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
 return 1
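Review bot: The new SELINUX_MODE extraction tolerates leading whitespace in the grep (`^\s*SELINUX\s*=`) but the sed substitution keeps whatever precedes `SELINUX`, so a line like `  SELINUX=enforcing` yields `  enforcing`, misses the `permissive | enforcing )` pattern and is reported as misconfigured; a trailing comment (`SELINUX=enforcing  # ...`) is mangled the same way, and two uncommented `SELINUX=` lines produce a two-line value. One sed call covers all of these and, by keeping the last match, mirrors what a shell sourcing the file would end up with: `SELINUX_MODE=$(sed -n 's/^\s*SELINUX\s*=\s*\([A-Za-z]*\).*/\1/p' $CF | tail -n 1)`. A comment next to the check would also help: it validates only what the file requests, not the effective mode — `selinux=0` or `enforcing=0` on the kernel command line still overrides it, so an OK here must not be read as "enforcing at runtime" unless check_boot (outside this hunk) covers the command line. The `stat -L` permission test correctly follows the link to the real file, but mode 644 only protects the file if its owner is root; if that is part of the expectation, `[ "$(stat -L --printf=%u $CF)" -eq 0 ]` is a one-line addition.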