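#!/bin/bash
#
# selinux-ready: report whether this (SUSE-style, GRUB legacy) system looks
# ready to boot with SELinux enabled.
#
# Each check_* function prints one "\t<check>: OK|ERR. <message>" line and
# returns 0 on success, non-zero on failure.  The script exits non-zero if any
# check failed, so it can be used from other scripts as well as interactively.
#
# Requires: grep, rpm, cpio, gunzip, mktemp.  Reading /boot/grub/menu.lst and
# the initrd image normally needs root.

KERNEL="unknown"   # kernel image name taken from menu.lst (set by check_boot)
INITRD="unknown"   # initrd name derived from KERNEL (set by check_boot, read by check_mkinitrd)
TD=""              # scratch directory, created in main and removed by cleanup

#######################################
# Print one result line in the fixed "\t<name>: <status>. <message>" layout.
# Keeps user-controlled text out of the printf format string.
# Arguments: $1 - check name, $2 - OK or ERR, $3 - message
#######################################
report() {
  printf '\t%s: %s. %s\n' "$1" "$2" "$3"
}

#######################################
# Remove the scratch directory.  Installed as EXIT trap by main.
# Globals: TD (read)
#######################################
cleanup() {
  # Never let an empty TD turn this into 'rm -rf' of an unintended path.
  [[ -n "$TD" && -d "$TD" ]] && rm -rf -- "$TD"
}

#######################################
# init needs the selinuxfs mountpoint directory to exist.
# Returns: 0 if /selinux exists, 1 otherwise
#######################################
check_dir() {
  local sldir="/selinux"
  # NOTE(review): /selinux is the legacy selinuxfs mountpoint; newer kernels
  # and init systems use /sys/fs/selinux -- confirm which one the target init expects.
  if [[ -d "$sldir" ]]; then
    report check_dir OK "$sldir exists."
    return 0
  fi
  report check_dir ERR "$sldir does not exist, please execute 'mkdir $sldir' as root."
  return 1
}

#######################################
# Check that the running kernel offers securityfs.
# Returns: 0 if found in /proc/filesystems, 1 otherwise
#######################################
check_filesystem() {
  local fspath="/proc/filesystems"
  local fsname="securityfs"
  # NOTE(review): securityfs is the generic LSM filesystem; a kernel built with
  # SELinux also lists 'selinuxfs' here, which would be the more specific test.
  if grep -q -w -- "$fsname" "$fspath" 2>/dev/null; then
    report check_filesystem OK "Filesystem '$fsname' exists."
    return 0
  fi
  # The original returned 0 here as well, hiding the failure from the caller.
  report check_filesystem ERR "Filesystem '$fsname' is missing. Please enable SELinux while compiling the kernel."
  return 1
}

#######################################
# Look for a GRUB legacy kernel entry carrying selinux=1 and remember the
# kernel/initrd names for check_mkinitrd.
# Globals:  KERNEL, INITRD (written)
# Returns:  0 if an entry with the parameter was found, 1 otherwise
#######################################
check_boot() {
  local bparam="selinux=1"
  local menu="/boot/grub/menu.lst"
  local bline kpath

  printf '\tcheck_boot: Assuming GRUB as bootloader.\n'
  # Only the first matching entry is examined; menu.lst may list several kernels.
  if ! bline=$(grep -m1 -- "$bparam" "$menu" 2>/dev/null); then
    report check_boot ERR "Boot-parameter missing for booting the kernel."
    printf '\t            Please use YaST2 to add %s to the kernel boot-parameter list.\n' "'$bparam'"
    return 1
  fi

  # Assumes the matching line has the shape "kernel /boot/vmlinuz-<ver> <params...>",
  # i.e. the second whitespace-separated field is the kernel image path.
  read -r _ kpath _ <<<"$bline"
  if [[ -z "$kpath" ]]; then
    report check_boot ERR "Unable to determine the kernel image from '$menu'."
    return 1
  fi
  KERNEL=${kpath##*/}                    # basename
  INITRD="initrd-${KERNEL/vmlinuz-/}"    # first "vmlinuz-" removed, as sed s/vmlinuz-// did
  report check_boot OK "Kernel '$KERNEL' has boot-parameter '$bparam'"
  return 0
}

#######################################
# Unpack the initrd named by check_boot into the scratch directory and look
# for the command that mounts /proc of the root filesystem.
# Globals:  INITRD, TD (read)
# Returns:  0 if the mount command was found, 1 if not, 2 on setup errors
#######################################
check_mkinitrd() {
  local mcmd="mount.*/root/proc.*"
  local image="/boot/$INITRD"
  local copy="$TD/i.cpio.gz"
  local work="$TD/initrd-extracted"

  if [[ -z "$TD" || ! -d "$TD" ]]; then
    report check_mkinitrd ERR "No scratch directory available."
    return 2
  fi
  if [[ ! -f "$image" ]]; then
    report check_mkinitrd ERR "Unable to locate '$image'"
    return 2
  fi
  if ! cp -- "$image" "$copy" 2>/dev/null || [[ ! -f "$copy" ]]; then
    report check_mkinitrd ERR "Error while copying initrd file."
    return 2
  fi
  if ! mkdir -- "$work" 2>/dev/null; then
    report check_mkinitrd ERR "Unable to create '$work'."
    return 2
  fi

  # Extract inside a subshell so a failed cd can never unpack the archive into
  # the caller's working directory; --no-absolute-filenames keeps all entries
  # below $work.  cpio's own status is not checked (as before): a partial
  # extraction simply makes the grep below fail.
  ( cd -- "$work" && gunzip -c -- "$copy" | cpio -i --force-local --no-absolute-filenames ) >/dev/null 2>&1

  if grep -E -q -- "$mcmd" "$work"/boot/* 2>/dev/null; then
    report check_mkinitrd OK "Your initrd seems to be correct."
    return 0
  fi
  report check_mkinitrd ERR "Your initrd seems not to mount /proc of"
  printf '\t                the root filesystem during boot, this may be a\n'
  printf '\t                reason for SELinux not working.\n'
  return 1
}

#######################################
# Verify the essential SELinux userland packages are installed.
# Returns: 0 if all are present, 1 if any is missing
#######################################
check_packages() {
  local -a pkglst=(checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy)
  local pkg fail=0

  for pkg in "${pkglst[@]}"; do
    # Any non-zero status counts as missing -- including rpm itself being
    # unavailable, which the original (status == 1 only) would have passed.
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
      report check_packages ERR "Package '$pkg' not installed, please run 'zypper in $pkg' as root"
      fail=1
    fi
  done

  if (( fail == 0 )); then
    report check_packages OK "All essential packages are installed"
    return 0
  fi
  return 1
}

#######################################
# Check that the SELinux configuration file exists.
# Returns: 0 if present, 1 otherwise
#######################################
check_config() {
  local cf="/etc/selinux/config"
  if [[ -f "$cf" ]]; then
    report check_config OK "Config file seems to be there."
    return 0
  fi
  report check_config ERR "Config file '$cf' is missing."
  return 1
}

#######################################
# Run all checks and exit non-zero if any of them failed.
# Globals: TD (written)
#######################################
main() {
  local rc=0

  # Fail early instead of letting every later path start with an empty $TD.
  if ! TD=$(mktemp -q -d "${TMPDIR:-/tmp}/selinux-ready.XXXXXX") || [[ -z "$TD" ]]; then
    printf 'selinux-ready: unable to create a temporary directory\n' >&2
    exit 1
  fi
  trap cleanup EXIT

  echo "Start checking your system if it is selinux-ready or not:"
  check_dir        || rc=1
  check_filesystem || rc=1
  check_boot       || rc=1
  check_mkinitrd   || rc=1
  check_packages   || rc=1
  check_config     || rc=1
  exit "$rc"
}

main "$@"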