Accepting request 145303 from home:vitezslav_cizek:branches:security:SELinux
- update selinux-ready script * use -L when stat()ing /etc/selinux/config * make sure that SELINUX isn't disabled in /etc/selinux/config * look for either of /sys/fs/selinux and /selinux directory * use systemctl to check for restorecond * don't look for booleans file (deprecated) OBS-URL: https://build.opensuse.org/request/show/145303 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=57
parent
a3f964e427
commit
f023200040
@ -1,3 +1,13 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
|
||||||
|
|
||||||
|
- update selinux-ready script
|
||||||
|
* use -L when stat()ing /etc/selinux/config
|
||||||
|
* make sure that SELINUX isn't disabled in /etc/selinux/config
|
||||||
|
* look for either of /sys/fs/selinux and /selinux directory
|
||||||
|
* use systemctl to check for restorecond
|
||||||
|
* don't look for booleans file (deprecated)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
|
Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
|
||||||
|
|
||||||
|
@ -8,13 +8,20 @@ TD=""
|
|||||||
# init needs /selinux to be there
|
# init needs /selinux to be there
|
||||||
check_dir()
|
check_dir()
|
||||||
{
|
{
|
||||||
SLDIR="/selinux"
|
SLDIRS="/selinux /sys/fs/selinux"
|
||||||
|
FOUND="no"
|
||||||
|
|
||||||
if [ -d $SLDIR ];then
|
for DIR in $SLDIRS; do
|
||||||
printf "\tcheck_dir: OK. $SLDIR exists.\n"
|
if [ -d $DIR ]; then
|
||||||
|
printf "\tcheck_dir: OK. $DIR exists.\n"
|
||||||
|
FOUND="yes"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $FOUND == "yes" ]; then
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n"
|
printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -58,7 +65,7 @@ check_boot()
|
|||||||
K=$(echo $BLINE | awk -F' ' '{print $2}')
|
K=$(echo $BLINE | awk -F' ' '{print $2}')
|
||||||
KERNEL=$(basename $K)
|
KERNEL=$(basename $K)
|
||||||
K=$(echo $KERNEL | sed s/vmlinuz-//)
|
K=$(echo $KERNEL | sed s/vmlinuz-//)
|
||||||
|
|
||||||
if [ "$K" == "$CURRENT_KERNEL" ]; then
|
if [ "$K" == "$CURRENT_KERNEL" ]; then
|
||||||
INITRD=initrd-$K
|
INITRD=initrd-$K
|
||||||
RETVAL="OK"
|
RETVAL="OK"
|
||||||
@ -80,6 +87,9 @@ check_boot()
|
|||||||
|
|
||||||
check_mkinitrd()
|
check_mkinitrd()
|
||||||
{
|
{
|
||||||
|
if [ "$INITRD" == "unknown" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
MCMD="mount.*/root/proc.*"
|
MCMD="mount.*/root/proc.*"
|
||||||
|
|
||||||
if ! [ -f "/boot/$INITRD" ];then
|
if ! [ -f "/boot/$INITRD" ];then
|
||||||
@ -161,33 +171,12 @@ check_initupstart()
|
|||||||
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
|
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
|
||||||
return 1;
|
return 1;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/)
|
|
||||||
|
|
||||||
if ! [ -f /etc/selinux/$POL/booleans ]; then
|
|
||||||
printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//")
|
|
||||||
|
|
||||||
if [ "$INITUS" == 1 ]; then
|
|
||||||
printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n"
|
|
||||||
return 0
|
|
||||||
else
|
|
||||||
printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
check_runlevel()
|
check_runlevel()
|
||||||
{
|
{
|
||||||
#ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null
|
if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then
|
||||||
|
printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n"
|
||||||
#if [ $? == 0 ]; then
|
|
||||||
if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then
|
|
||||||
printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n"
|
|
||||||
return 0;
|
return 0;
|
||||||
fi
|
fi
|
||||||
printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
|
printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
|
||||||
@ -220,14 +209,26 @@ check_config()
|
|||||||
{
|
{
|
||||||
CF="/etc/selinux/config"
|
CF="/etc/selinux/config"
|
||||||
|
|
||||||
|
|
||||||
if [ -f $CF ];then
|
if [ -f $CF ];then
|
||||||
printf "\tcheck_config: OK. Config file seems to be there.\n"
|
printf "\tcheck_config: OK. Config file seems to be there.\n"
|
||||||
if ! [ $(stat --printf=%a $CF) -eq "644" ]; then
|
# with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy
|
||||||
|
if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then
|
||||||
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
|
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
return 0
|
|
||||||
|
# check that SELINUX is not disabled there
|
||||||
|
SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/)
|
||||||
|
case "$SELINUX_MODE" in
|
||||||
|
permissive | enforcing )
|
||||||
|
printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n"
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n"
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
else
|
else
|
||||||
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
|
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
|
||||||
return 1
|
return 1
|
||||||
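Review bot: The remediation hint on check_dir's error path cannot be followed: /sys/fs/selinux is a sysfs directory that the kernel creates itself when it has SELinux support, and mkdir is not permitted on sysfs, so `mkdir /sys/fs/selinux` fails even as root and the message hides the real cause (a kernel built without SELinux, or selinuxfs not mounted). I would print `printf "\tcheck_dir: ERR. Neither of $SLDIRS exists. Check that the running kernel has SELinux support and that selinuxfs is mounted on /sys/fs/selinux.\n"` instead. The check_runlevel hunk carries the same kind of stale hint: the check now uses `systemctl is-enabled restorecond.service`, but the unchanged error line still tells the administrator to run 'yast2 runlevel'; `systemctl enable restorecond.service` is the matching advice, and `2>/dev/null` on the is-enabled call would keep its "not found" output out of the report on systems without that unit. check_dir is complete within its hunk, while check_runlevel's closing lines lie outside the hunk.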
|