SHA256
1
0
forked from pool/libselinux
libselinux/selinux-ready

251 lines
5.6 KiB
Bash

#!/bin/bash
KERNEL="unknown"
INITRD="unknown"
TD=""
# init needs /selinux to be there
check_dir()
{
SLDIR="/selinux"
if [ -d $SLDIR ];then
printf "\tcheck_dir: OK. $SLDIR exists.\n"
return 0
else
printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n"
return 1
fi
}
check_filesystem()
{
FSPATH="/proc/filesystems"
FSNAMES="securityfs selinuxfs"
OK="O"
for FSNAME in $FSNAMES; do
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
if [ $? == 0 ]; then
printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n"
else
printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n"
OK="1"
fi
done
if [ "$OK" == "0" ]; then
return 0;
else
return 1;
fi
}
check_boot()
{
BPARAM1="security=selinux"
BPARAM2="selinux=1"
printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n"
# look for parameters of the current kernel
CURRENT_KERNEL=$(uname -r)
OTHERS=""
RETVAL="FAIL"
while read BLINE
do
K=$(echo $BLINE | awk -F' ' '{print $2}')
KERNEL=$(basename $K)
K=$(echo $KERNEL | sed s/vmlinuz-//)
if [ "$K" == "$CURRENT_KERNEL" ]; then
INITRD=initrd-$K
RETVAL="OK"
else
OTHERS="$KERNEL $OTHERS"
fi
done < <(grep -- $BPARAM1 /boot/grub2/grub.cfg 2>/dev/null | grep -- $BPARAM2)
if [ "$RETVAL" == OK ]; then
printf "\tcheck_boot: OK. Current kernel '$KERNEL' has boot-parameters '$BPARAM1 $BPARAM2'\n"
printf "\tcheck_boot: OK. Other kernels with correct parameters: $OTHERS\n"
return 0
else
printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n"
printf "\t Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.\n"
return 1
fi
}
check_mkinitrd()
{
MCMD="mount.*/root/proc.*"
if ! [ -f "/boot/$INITRD" ];then
printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n"
return 2
fi
cp /boot/$INITRD $TD/i.cpio.gz 2>/dev/null
if ! [ -f "$TD/i.cpio.gz" ];then
printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
return 2
fi
pushd . 2>&1>/dev/null
cd $TD
mkdir initrd-extracted
cd initrd-extracted
gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null
grep -E -- $MCMD boot/* 2>&1 >/dev/null
FLG1=$?
grep -E -- load_policy boot/* 2>&1 >/dev/null
FLG2=$?
popd 2>&1>/dev/null
if [ $FLG1 == 0 -a $FLG2 == 0 ];then
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
return 0
else
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
printf "\t the root filesystem during boot and/or load_policy\n"
printf "\t is missing,\n"
printf "\t this may be a reason for SELinux not working.\n"
return 1
fi
}
check_pam()
{
AA_PAM=0
SE_PAM=0
# test for AA pam module
grep apparmor /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
AA_PAM=1
fi
# test for SELinux pam module
grep selinux /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
SE_PAM=1
fi
# suggest config
if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then
printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n"
return 0
fi
printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n"
if [ $AA_PAM == 1 ]; then
printf " execute 'pam-config -d --apparmor' as root\n"
fi
if [ $SE_PAM == 0 ]; then
printf " execute 'pam-config -a --selinux' as root\n"
fi
return 1
}
check_initupstart()
{
CFGFILE="/etc/selinux/config"
if ! [ -f $CFGFILE ]; then
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
return 1;
fi
POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/)
if ! [ -f /etc/selinux/$POL/booleans ]; then
printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n"
return 1
fi
INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//")
if [ "$INITUS" == 1 ]; then
printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n"
return 0
else
printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n"
return 1
fi
}
check_runlevel()
{
#ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null
#if [ $? == 0 ]; then
if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then
printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n"
return 0;
fi
printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
return 1
}
check_packages()
{
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy"
FAIL=0
for i in $PKGLST
do
rpm -q $i 1>&2 >/dev/null
if [ $? == 1 ];then
printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n"
FAIL=1
fi
done
if [ $FAIL == 0 ]; then
printf "\tcheck_packages: OK. All essential packages are installed\n"
return 0
else
return 1
fi
}
check_config()
{
CF="/etc/selinux/config"
if [ -f $CF ];then
printf "\tcheck_config: OK. Config file seems to be there.\n"
if ! [ $(stat --printf=%a $CF) -eq "644" ]; then
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
return 1
fi
return 0
else
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
return 1
fi
}
TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX)
echo "Start checking your system if it is selinux-ready or not:"
check_dir
check_filesystem
check_boot
check_mkinitrd
check_packages
check_config
check_initupstart
check_pam
check_runlevel
rm -rf $TD