forked from pool/libselinux
144 lines
3.0 KiB
Plaintext
144 lines
3.0 KiB
Plaintext
|
#!/bin/bash
|
||
|
|
||
|
KERNEL="unknown"
|
||
|
INITRD="unknown"
|
||
|
TD=""
|
||
|
|
||
|
|
||
|
# init needs /selinux to be there
|
||
|
check_dir()
|
||
|
{
|
||
|
SLDIR="/selinux"
|
||
|
|
||
|
if [ -d $SLDIR ];then
|
||
|
printf "\tcheck_dir: OK. $SLDIR exists.\n"
|
||
|
return 0
|
||
|
else
|
||
|
printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n"
|
||
|
return 1
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
check_filesystem()
|
||
|
{
|
||
|
FSPATH="/proc/filesystems"
|
||
|
FSNAME="securityfs"
|
||
|
|
||
|
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
|
||
|
|
||
|
if [ $? == 0 ]; then
|
||
|
printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n"
|
||
|
return 0
|
||
|
else
|
||
|
printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n"
|
||
|
return 0
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
check_boot()
|
||
|
{
|
||
|
BPARAM="selinux=1"
|
||
|
|
||
|
printf "\tcheck_boot: Assuming GRUB as bootloader.\n"
|
||
|
|
||
|
BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config
|
||
|
|
||
|
if [ $? == 0 ]; then
|
||
|
K=$(echo $BLINE | awk -F' ' '{print $2}')
|
||
|
KERNEL=$(basename $K)
|
||
|
K=$(echo $KERNEL | sed s/vmlinuz-//)
|
||
|
INITRD=initrd-$K
|
||
|
printf "\tcheck_boot: OK. Kernel '$KERNEL' has boot-parameter '$BPARAM'\n"
|
||
|
return 0
|
||
|
else
|
||
|
printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n"
|
||
|
printf "\t Please use YaST2 to add 'selinux=1' to the kernel boot-parameter list.\n"
|
||
|
return 1
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
check_mkinitrd()
|
||
|
{
|
||
|
MCMD="mount.*/root/proc.*"
|
||
|
|
||
|
if ! [ -f "/boot/$INITRD" ];then
|
||
|
printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n"
|
||
|
return 2
|
||
|
fi
|
||
|
|
||
|
cp /boot/$INITRD $TD/i.cpio.gz 2>/dev/null
|
||
|
|
||
|
if ! [ -f "$TD/i.cpio.gz" ];then
|
||
|
printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
|
||
|
return 2
|
||
|
fi
|
||
|
|
||
|
|
||
|
pushd . 2>&1>/dev/null
|
||
|
cd $TD
|
||
|
mkdir initrd-extracted
|
||
|
cd initrd-extracted
|
||
|
gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null
|
||
|
grep -E -- $MCMD boot/* 2>&1 >/dev/null
|
||
|
FLG=$?
|
||
|
popd 2>&1>/dev/null
|
||
|
|
||
|
if [ $FLG == 0 ];then
|
||
|
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
|
||
|
return 0
|
||
|
else
|
||
|
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
|
||
|
printf "\t the root filesystem during boot, this may be a\n"
|
||
|
printf "\t reason for SELinux not working.\n"
|
||
|
return 1
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
check_packages()
|
||
|
{
|
||
|
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy"
|
||
|
FAIL=0
|
||
|
|
||
|
for i in $PKGLST
|
||
|
do
|
||
|
rpm -q $i 1>&2 >/dev/null
|
||
|
if [ $? == 1 ];then
|
||
|
printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n"
|
||
|
FAIL=1
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
if [ $FAIL == 0 ]; then
|
||
|
printf "\tcheck_packages: OK. All essential packages are installed\n"
|
||
|
return 0
|
||
|
else
|
||
|
return 1
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
check_config()
|
||
|
{
|
||
|
CF="/etc/selinux/config"
|
||
|
|
||
|
if [ -f $CF ];then
|
||
|
printf "\tcheck_config: OK. Config file seems to be there.\n"
|
||
|
return 0
|
||
|
else
|
||
|
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
|
||
|
return 1
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX)
|
||
|
|
||
|
echo "Start checking your system if it is selinux-ready or not:"
|
||
|
check_dir
|
||
|
check_filesystem
|
||
|
check_boot
|
||
|
check_mkinitrd
|
||
|
check_packages
|
||
|
check_config
|
||
|
|
||
|
rm -rf $TD
|
||
|
|