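selinux-basics-0.5.2/0000755000000000000000000000000012217047741011342 5ustar selinux-basics-0.5.2/postfix-nochroot0000755000000000000000000000244512217047741014622 0ustar
#!/usr/bin/perl
# this script configures Postfix to not use chroot, restarts Postfix to apply
# the change, and removes the chroot files. See the man page or the
# following blog post for more details:
# http://etbe.coker.com.au/2008/08/02/postfix-and-chroot/
#
# Steps: rewrite /etc/postfix/master.cf (the original is kept as
# master.cf.bak and the script refuses to run if that backup already
# exists), stop Postfix if it is running, delete the chroot copies of /etc,
# /lib and /usr under /var/spool/postfix, then start Postfix again.  Every
# step that could leave the mail system half-configured dies with a message
# saying which file was or was not changed.

use strict;
use warnings;

my $file = "/etc/postfix/master.cf";

# The backup is the only copy of the original configuration, so it is never
# overwritten.
if (-e "$file.bak") {
    print "\"$file.bak\" already exists, aborting\n";
    exit(1);
}

# A master.cf service line has the columns
#   service type private unpriv chroot wakeup maxproc command
# so the chroot flag is the fifth whitespace-separated field.  "-" (use the
# default, which is chroot) and "y" both mean chrooted; "n" means not.
# The lookahead makes sure a whole field is matched, so a value such as
# "-foo" is left untouched.  Indented "-o option" continuation lines never
# match because they do not start with a non-blank field.
my $chroot_re = qr/^((?:\S+\s+){4})(?:-|y)(?=\s|$)(.*)$/;

open(my $main, '<', $file) or die "Can't open \"$file\": $!\n";
open(my $new, '>', "$file.new") or die "Can't open \"$file.new\": $!\n";

# Carry the permission bits of the original over to the replacement rather
# than leaving it with whatever the current umask produced.
my $mode = (stat $main)[2] & 07777;

while (my $line = <$main>) {
    # comment lines are copied through verbatim
    if ($line =~ /^#/) {
        print {$new} $line;
        next;
    }
    chomp $line;
    if ($line =~ $chroot_re) {
        my ($fields, $rest) = ($1, $2);
        print {$new} "# modified to disable chroot\n";
        print {$new} "${fields}n${rest}\n";
    }
    else {
        print {$new} "$line\n";
    }
}
# Buffered write errors (a full filesystem, for instance) only show up at
# close; never install a truncated master.cf.
close($new) or do {
    my $err = $!;
    unlink("$file.new");
    die "Can't write \"$file.new\": $err\n";
};
close($main);
chmod($mode, "$file.new") or die "Can't set permissions on \"$file.new\": $!\n";

rename($file, "$file.bak") or die "Can't rename \"$file\" to \"$file.bak\", aborting\n";
rename("$file.new", $file) or die "Can't rename \"$file.new\" to \"$file\", inconsistent state\n";

my $script = "/etc/init.d/postfix";
# List-form pipe open: the init script is run directly, not through a shell.
open(my $status_fh, '-|', $script, 'status') or die "Can't check postfix status\n";
my $status = <$status_fh>;
$status = '' unless defined $status;
close($status_fh);
my $was_running = ($status =~ /postfix is running/) ? 1 : 0;

if ($was_running) {
    # Daemons still chrooted into /var/spool/postfix would lose their /etc
    # and /lib if the directories were removed underneath them, so stop
    # first and refuse to continue if that fails.
    system($script, 'stop') == 0
        or die "\"$script stop\" failed: \"$file\" was updated but Postfix was not restarted and the chroot files were left in place\n";
}
# The chroot copies of /etc, /lib and /usr; list-form system() so no shell
# is involved.
my @chroot_dirs = map { "/var/spool/postfix/$_" } qw(etc lib usr);
system('rm', '-rf', @chroot_dirs) == 0
    or warn "Could not remove all of: @chroot_dirs\n";
if ($was_running) {
    system($script, 'start') == 0
        or die "\"$script start\" failed, Postfix is not running\n";
}
selinux-basics-0.5.2/debian/0000755000000000000000000000000012217047741012564 5ustar selinux-basics-0.5.2/debian/docs0000644000000000000000000000001612217047741013434 0ustar debian/README selinux-basics-0.5.2/debian/selinux-basics.init0000644000000000000000000000666612217047741016410 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: selinux-basics # Required-Start: $remote_fs # Required-Stop: # Default-Start: S # Default-Stop: # Short-Description: Basic SELinux management # Description: Prepare system for SELinux usage, e.g. relabeling the fs. ### END INIT INFO # # Author: Erich Schubert # set -e PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DESC="SELinux contexts" NAME=selinux-basics SCRIPTNAME=/etc/init.d/$NAME # Read config file if it is present. #if [ -r /etc/default/$NAME ] #then # . /etc/default/$NAME #fi selinuxfs=`LC_ALL=C awk '/ selinuxfs / { print $2 }' /proc/mounts` selinuxenabled= # is selinux enabled? if [ -n "$selinuxfs" -a "`cat /proc/self/attr/current 2>/dev/null`" ]; then if [ -r $selinuxfs/enforce ]; then selinuxenabled=`cat $selinuxfs/enforce 2>/dev/null` else # we can't read /selinux/enforce, so we assume it's enforced... 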
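selinuxenabled=1
    fi
fi

# Relabel /dev and /etc/mtab.  Both are rewritten early in the boot and
# therefore regularly end up with the wrong labels, so this is done on
# every start, not only when a full relabel is requested.
relabel_minimal() {
    # when selinux is enabled, relabel /dev
    if [ -n "$selinuxenabled" ] && [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R /dev /etc/mtab 2>/dev/null
    fi
}

# Do a complete relabel when requested.  Enforcement is switched off for
# the duration so fixfiles can reach every file, and the machine is
# rebooted afterwards because every process already running keeps the
# context it was started with.
selinux_complete_relabel() {
    # tell user what is going on
    log_action_begin_msg "Relabeling your filesystems for SELinux..."
    if [ -x /sbin/fixfiles ]; then
        # disable selinux enforcement while the labels are rewritten
        echo 0 > $selinuxfs/enforce
        # fix file labels using fixfiles
        /sbin/fixfiles -f -F relabel > /dev/null || true
        # unset relabeling flag, if present
        if [ -e /.autorelabel ]; then
            rm -f /.autorelabel || \
                log_failure_msg "Warning, couldn't remove autorelabel flag!"
        fi
        # the flag is gone, so the relabel ran: reboot.  Enforcing mode is
        # not restored here, it comes back with the next boot.
        if [ ! -f /.autorelabel ]; then
            echo "Relabeled, now reboot"
            umount -a || true
            sync
            reboot
        fi
    else
        # Without fixfiles nothing was relabeled: keep the /.autorelabel
        # flag so the request is retried once the tools are installed, and
        # do not reboot into the same unlabeled state.
        log_failure_msg "/sbin/fixfiles not found, filesystems were not relabeled"
    fi
}

# Check whether we should relabel
selinux_relabel() {
    if [ -n "$selinuxenabled" ]; then
        # NOTE(review): the grep pattern below is '\' in this copy of the
        # script, which GNU grep rejects as a trailing backslash, so only
        # the /.autorelabel flag can currently trigger a full relabel; the
        # kernel command line pattern needs to be confirmed against the
        # packaged file.
        if [ -f /.autorelabel ] || grep -q '\' /proc/cmdline ; then
            selinux_complete_relabel
        else
            # full relabelling not requested
            relabel_minimal
        fi
    else
        # now this is a bit hackish, we should discuss it maybe
        # when selinux is not enabled, but installed, we set the
        # autorelabel flag for the next boot...
        if [ -e /etc/selinux ]; then
            if [ ! -f /.autorelabel ]; then touch /.autorelabel; fi
        fi
    fi
}

#
# Function that starts the daemon/service.
#
d_start() {
    # consider relabeling the filesystem
    selinux_relabel
    # Sanity-check the context this script runs in: init should have
    # transitioned out of kernel_t and this script out of init_t; either
    # still being present means the labels on disk are wrong.
    if [ -n "$selinuxfs" ] && [ -r /proc/self/attr/current ]; then
        if grep -q kernel_t /proc/self/attr/current; then
            log_failure_msg "selinux contexts incorrect, please try relabeling and a reboot (init should not be running as kernel_t)"
        fi
        if grep -q init_t /proc/self/attr/current; then
            log_failure_msg "init script running as init_t, not initrc_t please try relabeling and a reboot"
        fi
    fi
}

#
# Function that stops the daemon/service.
#
d_stop() {
    # 1 if daemon was already stopped
    return 1
}

. /lib/lsb/init-functions

# start and restart do the same thing: there is no daemon, only the
# relabel check.  It only runs when SELinux is mounted or at least
# installed (/etc/selinux exists).
d_check() {
    if [ -n "$selinuxfs" ] || [ -e /etc/selinux ]; then
        log_daemon_msg "Checking SELinux contexts" "$NAME"
        echo ""
        d_start
        case "$?" in
            0|1) log_end_msg 0 ;;
            2) log_end_msg 1 ;;
        esac
    fi
}

case "$1" in
  start)
    d_check
    ;;
  stop)
    ;;
  restart|force-reload)
    d_check
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac

exit 0
selinux-basics-0.5.2/debian/changelog0000644000000000000000000002073112217047741014441 0ustar selinux-basics (0.5.2) unstable; urgency=low [ Mika Pflüger ] * Team upload. * selinux-policy-upgrade: Support bz2-encrypted binary policy modules. * selinux-policy-upgrade: Remove the addition of milter.pp when dkim.pp is loaded, it is not necessary anymore. [ Laurent Bigonville ] * debian/control: - Bump Standards-Version to 3.9.4 (no further changes) - Use canonical URL for Vcs-Svn field -- Laurent Bigonville Fri, 20 Sep 2013 15:37:27 +0200 selinux-basics (0.5.1) experimental; urgency=low * Team upload. 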
* Switch to dpkg-source 3.0 (native) format * Switch to dh sequence and dh_python2 * debian/control: - Bump Standards-Version to 3.9.3 (no further changes) - Add ${misc:Depends} to the dependencies - Update Vcs-* fields - Add X-Python-Version field - Put under the Debian SELinux team maintenance - Use a Breaks instead of a versionized Conflicts * Remove udev rules, legacy ptys are not enabled in the kernel since squeeze (Closes: #622563) * tests/21_pam.py: Fix detection whether selinux pam module is called from login service (Closes: #531660) * Fix python 2.6 deprecations in several tests, thanks to Robert Bihlmeyer for the patches (Closes: #585354, #654608) * Add debian/gbp.conf file * tests/21_pam.py: Fix path of the pam service file * tests/02_verify_slash_selinux.py: Add support for /sys/fs/selinux directory * debian/selinux-basics.postinst: Only run update-grub if a configuration has been modified * selinux-activate: wdm PAM service now contains the required calls to the Selinux PAM modules -- Laurent Bigonville Sat, 15 Dec 2012 13:09:23 +0100 selinux-basics (0.5.0) unstable; urgency=low * Support the security=selinux command line option in selinux-activate and add it on package upgrade if selinux=1 is being used. -- Russell Coker Wed, 25 Jan 2012 19:35:31 +1100 selinux-basics (0.3.8) unstable; urgency=low * Made selinux-policy-upgrade load milter.pp when dkim.pp is loaded, needed for a clean upgrade from Lenny. -- Russell Coker Sun, 23 Jan 2011 14:53:56 +1100 selinux-basics (0.3.7) unstable; urgency=low * Made selinux-policy-upgrade remove the obsolete modules procmail and tmpreaper. Also made it conflict with old versions of policy that might contain such modules. Closes: #584782 * Use "set -e" instead of "#!/bin/sh -e" on scripts. -- Russell Coker Fri, 07 Jan 2011 09:32:22 +1100 selinux-basics (0.3.6) unstable; urgency=low * selinux-activate no longer touches /etc/pam.d/login - the default should be OK. Also made it update the configuration of grub2. 
-- Russell Coker Fri, 16 Apr 2010 15:58:52 +1000 selinux-basics (0.3.5+nmu2) unstable; urgency=low * Non-maintainer upload. * Fix "fails to install" by calling dh_installdirs in debian/rules, otherwise the directory for the symlink is missing (closes: #566576). -- gregor herrmann Sat, 13 Feb 2010 16:41:47 +0100 selinux-basics (0.3.5+nmu1) unstable; urgency=low * Non-maintainer upload to fix release goal. * Add $remote_fs as init.d script dependency (Closes: #541765). -- Petter Reinholdtsen Sat, 10 Oct 2009 23:00:06 +0200 selinux-basics (0.3.5) unstable; urgency=low * Added selinux-config-enforcing to set enforcing mode. Closes: #498973 * Only recommend selinux-policy-default, no other policy. * Updated the man pages to refer to each other. -- Russell Coker Mon, 15 Sep 2008 11:46:00 +1000 selinux-basics (0.3.4) unstable; urgency=low * Take ownership of the package (temporarily at least). * Made selinux-activate work on systems without GRUB. Closes: #498324 * Made selinux-policy-upgrade work when there are local modules. Closes: #498323 -- Russell Coker Tue, 09 Sep 2008 17:04:00 +1000 selinux-basics (0.3.3+nmu4) unstable; urgency=high * Change "reboot -f" to "reboot" to avoid possible data corruption. -- Russell Coker Tue, 05 Aug 2008 06:44:37 +1000 selinux-basics (0.3.3+nmu3) unstable; urgency=low * The last version didn't include the selinux-policy-upgrade script -- Russell Coker Mon, 04 Aug 2008 13:49:30 +1000 selinux-basics (0.3.3+nmu2) unstable; urgency=high * gdm doesn't need pam_selinux.so, but wdm does. * Added selinux-policy-upgrade script * Added postfix-nochroot script -- Russell Coker Mon, 04 Aug 2008 07:20:18 +1000 selinux-basics (0.3.3+nmu1) unstable; urgency=high * Non-maintainer upload. * Added selinux-activate script to handle all aspects of configuring systems to run SE Linux. * Made /etc/init.d/selinux-basics reboot after performing an autorelabel operation, also made it relabel /etc/mtab unconditionally as it often gets mislabeled. 
* Added an extra new-line for readability when relabeling. -- Russell Coker Fri, 01 Aug 2008 09:31:04 +1000 selinux-basics (0.3.3) unstable; urgency=low * Adopted by Ulisses Castro. (Closes: #476192) * Update policy version to 3.7.3. * Added man page to check-selinux-installation. * Added in control file line Build-Depends-Indep, Vcs-Svn and Vcs-Browser. -- Ulisses Castro Mon, 28 Apr 2008 20:26:10 -0200 selinux-basics (0.3.2) unstable; urgency=low * Orphan this package. Opens: 476192 * Build package with changes that have been sitting in SVN for a long time + MOTD check is gone (Closes: #438604) * Update policy version to 3.6.3.0 (No changes) -- Erich Schubert Tue, 15 Apr 2008 02:00:10 +0200 selinux-basics (0.3.1) unstable; urgency=low * Fix debian/README - refpolicy has been in Debian for quite some time now... (Closes: #387434) Since I'm currently not working actively on SELinux, this package might need some reviews on which of the tests and workaround are still needed, and which other stuff needs to be added. -- Erich Schubert Sun, 15 Jul 2007 15:31:11 +0200 selinux-basics (0.3.0) unstable; urgency=low * Rewritten tests in python. Sorry, not as useful yet as before. * Small tweaks to init script. * Don't start init script on install/upgrade, it's a rcS script. -- Erich Schubert Mon, 11 Sep 2006 18:06:43 +0200 selinux-basics (0.2.6) unstable; urgency=low * Make package arch:all, thanks, tbm. (Closes: #357612) -- Erich Schubert Sun, 19 Mar 2006 15:12:06 +0100 selinux-basics (0.2.5) unstable; urgency=low * check init.d/sysklogd for xconsole, too. * As advised by Md, install only a symlink of the udev rule into /etc/udev/rules.d, the actual file lives in /etc/udev now * renamed the rule to "no-legacy-ptys", too. * Adopted postinst/postrm from eciadsl for that. 
-- Erich Schubert Fri, 10 Mar 2006 21:14:31 +0100 selinux-basics (0.2.4) unstable; urgency=low * To become the first version uploaded to Debian main * Added handling for /var/run/motd and suggest FSCKFIX=yes * Added xconsole check and suggest removal * Move initscript to S 36, just after all filesystems have been mounted * Init script will now try to relabel when /.autorelabel was set -- Erich Schubert Fri, 17 Feb 2006 04:19:14 +0100 selinux-basics (0.2.3) unstable; urgency=low * Don't remove /dev/xconsole (and don't fail), since it might be recreated by sysklogd anyway - relabel it like others -- Erich Schubert Mon, 13 Feb 2006 03:08:39 +0100 selinux-basics (0.2.2) unstable; urgency=low * this time, really really install udev and check-selinux -- Erich Schubert Mon, 13 Feb 2006 03:05:44 +0100 selinux-basics (0.2.1) unstable; urgency=low * Actually install check-selinux-installation -- Erich Schubert Mon, 13 Feb 2006 02:21:24 +0100 selinux-basics (0.2) unstable; urgency=low * Hopefully /var/log/wtmp will no longer be "frequently mislabeled" now that the logrotate backports is properly selinux enabled. * remove /dev/xconsole on startup, created by syslog * added check-selinux-installation * added udev rules to not create /dev/pty* (use unix98 /dev/pts) -- Erich Schubert Mon, 13 Feb 2006 00:51:05 +0100 selinux-basics (0.1) unstable; urgency=low * Initial Release. 
-- Erich Schubert Thu, 5 Jan 2006 02:49:45 +0100 selinux-basics-0.5.2/debian/selinux-basics.maintscript0000644000000000000000000000006212217047741017772 0ustar rm_conffile /etc/udev/no-legacy-ptys.rules 0.5.1~ selinux-basics-0.5.2/debian/compat0000644000000000000000000000000212217047741013762 0ustar 6 selinux-basics-0.5.2/debian/selinux-basics.install0000644000000000000000000000031312217047741017102 0ustar check-selinux-installation /usr/sbin/ tests/*.py /usr/share/selinux-basics/tests selinux-activate /usr/sbin postfix-nochroot /usr/sbin selinux-policy-upgrade /usr/sbin selinux-config-enforcing /usr/sbin selinux-basics-0.5.2/debian/README0000644000000000000000000000055712217047741013453 0ustar The Debian Package selinux-basics --------------------------------- This package will pull in some standard SELinux stuff via dependencies as well as provide an initscript to help work around common SELinux issues. You'll still need to install a policy package such as selinux-policy-default. --- Erich Schubert , Thu, 5 Jan 2006 02:49:45 +0100 selinux-basics-0.5.2/debian/selinux-basics.manpages0000644000000000000000000000014412217047741017231 0ustar check-selinux-installation.8 postfix-nochroot.8 selinux-config-enforcing.8 selinux-policy-upgrade.8 selinux-basics-0.5.2/debian/selinux-basics.postinst0000644000000000000000000000104312217047741017320 0ustar #!/bin/sh -e case "$1" in configure) for n in /boot/grub/menu.lst /etc/default/grub ; do if [ -f $n ]; then if grep -q selinux=1 $n ; then if ! 
grep -q security=selinux $n ; then sed -e "s/selinux=1/selinux=1 security=selinux/" < $n > $n.new mv $n.new $n update-grub fi fi fi done ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "$0 called with unknown argument '$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 selinux-basics-0.5.2/debian/gbp.conf0000644000000000000000000000015412217047741014203 0ustar [DEFAULT] debian-branch = debian [git-buildpackage] tarball-dir = ../tarballs/ export-dir = ../build-area/ selinux-basics-0.5.2/debian/copyright0000644000000000000000000000217712217047741014526 0ustar This is selinux-basics, written by Erich Schubert on Thu, 5 Jan 2006 02:49:45 +0100. Since April 28 2008, it is now maintained by Ulisses Castro . The original source can always be found at: ftp://ftp.debian.org/dists/unstable/main/source/ Copyright (C) 2005 Erich Schubert License: This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Debian systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL'. 
selinux-basics-0.5.2/debian/source/0000755000000000000000000000000012217047741014064 5ustar selinux-basics-0.5.2/debian/source/format0000644000000000000000000000001512217047741015273 0ustar 3.0 (native) selinux-basics-0.5.2/debian/control0000644000000000000000000000164012217047741014170 0ustar Source: selinux-basics Section: admin Priority: optional Maintainer: Debian SELinux maintainers Uploaders: Russell Coker Build-Depends: debhelper (>= 9) Build-Depends-Indep: python (>= 2.6.6-3~) Standards-Version: 3.9.4 Vcs-Git: git://anonscm.debian.org/selinux/selinux-basics.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=selinux/selinux-basics.git;a=summary X-Python-Version: >= 2.5 Package: selinux-basics Architecture: all Depends: checkpolicy, policycoreutils, selinux-utils, ${python:Depends}, ${misc:Depends} Recommends: setools, selinux-policy-default Breaks: selinux-policy-default (<= 2:0.2.20100524-4) Pre-Depends: ${misc:Pre-Depends} Suggests: logcheck, syslog-summary Description: SELinux basic support This package will pull in basic SELinux stuff to ease installation, as well as provide scripts and helpers to work around common problems. selinux-basics-0.5.2/debian/selinux-basics.preinst0000644000000000000000000000066612217047741017133 0ustar #!/bin/sh # preinst script for selinux-basics set -e case "$1" in install|upgrade) if dpkg --compare-versions "$2" le-nl "0.5.1~"; then [ -L /etc/udev/rules.d/010-no-legacy-ptys.rules ] && \ rm -f /etc/udev/rules.d/010-no-legacy-ptys.rules fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 selinux-basics-0.5.2/debian/rules0000755000000000000000000000033412217047741013644 0ustar #!/usr/bin/make -f # -*- makefile -*- # # # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ --with python2 override_dh_installinit: dh_installinit --update-rcd-params="start 36 S ." 
--no-start selinux-basics-0.5.2/selinux-activate0000755000000000000000000000344212217047741014560 0ustar #!/bin/sh set -e GRUB_CONF=/boot/grub/menu.lst GRUB2_CONF=/etc/default/grub if [ "$1" != "disable" ]; then echo "Activating SE Linux" if [ -e $GRUB_CONF ]; then if ! grep -q selinux $GRUB_CONF ; then sed -e "s/\(^# kopt=.*$\)/\1 selinux=1 security=selinux/" < $GRUB_CONF > $GRUB_CONF.new mv $GRUB_CONF.new $GRUB_CONF update-grub fi fi if [ -e $GRUB2_CONF ]; then sed -e "s/ \?selinux=1//g" -e "s/ security=selinux//g" -e "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 selinux=1 security=selinux\"/" < $GRUB2_CONF > $GRUB2_CONF.new mv $GRUB2_CONF.new $GRUB2_CONF update-grub fi for n in kdm ; do FILE=/etc/pam.d/$n if [ -e $FILE ]; then echo "session required pam_selinux.so" >> $FILE fi done touch /.autorelabel echo "SE Linux is activated. You may need to reboot now." else echo "Deactivating SE Linux" # we assume that EPERM on /selinux/enforce means that # all subsequent operations get EPERM if grep -q 1 /selinux/enforce 2> /dev/null ; then echo "You should be in permissive mode to disable SE Linux." echo "Run \"setenforce 0\" first if you really want to do this." exit 1 fi if [ -e $GRUB_CONF ]; then sed -e "s/ selinux=1//" -e "s/ security=selinux//" < $GRUB_CONF > $GRUB_CONF.new mv $GRUB_CONF.new $GRUB_CONF fi if [ -e $GRUB2_CONF ]; then if grep -q selinux $GRUB2_CONF 2> /dev/null ; then sed -e "s/ \?selinux=1//" -e "s/ security=selinux//" < $GRUB2_CONF > $GRUB2_CONF.new mv $GRUB2_CONF.new $GRUB2_CONF update-grub fi fi for n in kdm ; do FILE=/etc/pam.d/$n if grep -q selinux $FILE 2> /dev/null ; then grep -v selinux $FILE > $FILE.new mv $FILE.new $FILE fi done rm -f /.autorelabel echo "SE Linux is deactivated. You may need to reboot now." 
fi selinux-basics-0.5.2/selinux-config-enforcing.80000644000000000000000000000261112217047741016335 0ustar .TH "selinux-config-enforcing" "8" .SH "NAME" selinux-config-enforcing \- change /etc/selinux/config to set enforcing or permissive modes .SH "SYNOPSIS" .PP \fBselinux-config-enforcing\fR [permissive] .SH "DESCRIPTION" .PP \fBselinux-config-enforcing\fR this command will modify /etc/selinux/config to specify whether SE Linux should be in enforcing or permissive mode on boot. This may be overridden by the "enforcing=" kernel command-line option (which takes the value 0 for permissive and 1 for enforcing). The parameter "0" or "permissive" will cause it to set permissive mode, any other parameter will result in enforcing mode being set. .SH "SEE ALSO" .BR selinux (8), .BR sestatus(8), .BR selinuxenabled (1), .BR load_policy(8), .BR semodule(8), .BR postfix-nochroot(8), .BR check-selinux-installation(8), .BR selinux-policy-upgrade(8), http://wiki.debian.org/SELinux \- More about SELinux Debian install, http://etbe.coker.com.au/tag/selinux/ \- Russell's SE Linux blog posts. .SH "AUTHOR" .PP This program and it's man page was written by Russell Coker for the \fBDebian\fP system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. .PP On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL-3. selinux-basics-0.5.2/check-selinux-installation.80000644000000000000000000000212212217047741016671 0ustar .TH "CHECK-SELINUX-INSTALLATION" "8" .SH "NAME" check-selinux-installation \(em perform configuration checks in SELinux installation .SH "SYNOPSIS" .PP \fBcheck-selinux-installation\fR .SH "DESCRIPTION" .PP \fBcheck-selinux-installation\fR this command will run scripts to pull in some standard SELinux stuff via dependencies. 
.SH "SEE ALSO" .PP selinux (8), sestatus(8), selinuxenabled (1), .BR postfix-nochroot(8), .BR selinux-config-enforcing(8), .BR selinux-policy-upgrade(8), .PP http://wiki.debian.org/SELinux \- More about SELinux Debian install .SH "AUTHOR" .PP This manual page was written by Ulisses Castro for the \fBDebian\fP system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 any later version published by the Free Software Foundation. .PP On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL. .\" created by instant / docbook-to-man, Mon 28 Apr 2008, 19:49 selinux-basics-0.5.2/selinux-config-enforcing0000755000000000000000000000107212217047741016172 0ustar #!/bin/sh set -e MODE=$1 test "$MODE" = "0" && MODE=permissive CONF=/etc/selinux/config if [ "$MODE" = "permissive" ]; then sed -e "s/^SELINUX=.*$/SELINUX=permissive/" < $CONF > $CONF.new echo "Configured permissive mode in $CONF for the next boot." echo "This can be overridden by \"enforcing=1\" on the kernel command line." else sed -e "s/^SELINUX=.*$/SELINUX=enforcing/" < $CONF > $CONF.new echo "Configured enforcing mode in $CONF for the next boot." echo "This can be overridden by \"enforcing=0\" on the kernel command line." fi mv $CONF.new $CONF selinux-basics-0.5.2/selinux-policy-upgrade0000755000000000000000000000104012217047741015674 0ustar #!/bin/sh set -e if [ "$1" != "" ]; then SELINUXTYPE="$1" else . 
/etc/selinux/config fi cd /usr/share/selinux/${SELINUXTYPE} echo "Updating \"${SELINUXTYPE}\" policy" # remove obsolete modules for n in procmail tmpreaper ; do semodule -l |grep -q $n && semodule -r $n done semodule -b $(test -e base.pp && echo base.pp || echo base.pp.bz2) $(for n in $(semodule -s ${SELINUXTYPE} -l | cut -f1); do if [ -e $n.pp ]; then echo -n " -i $n.pp" else if [ -e $n.pp.bz2 ]; then echo -n " -i $n.pp.bz2" fi fi done ) selinux-basics-0.5.2/postfix-nochroot.80000755000000000000000000000272012217047741014764 0ustar .TH "postfix-nochroot" "8" .SH "NAME" postfix-nochroot \- change /etc/postfix/master.cf to not use chroot .SH "SYNOPSIS" .PP \fBpostfix-nochroot\fR .SH "DESCRIPTION" .PP Renames /etc/postfix/master.cf to /etc/postfix/master.cf.bak and creates a new /etc/postfix/master.cf file with every service configured to not use chroot. Every modified line is marked with a comment. It also restarts Postfix (to apply the change) and removes the unused chroot directories /var/spool/postfix/{etc,lib,usr} . .PP Using a chroot environment makes upgrades more difficult and gets in the way when running SE Linux (without actually providing any security benefit in a SE Linux system). .SH "SEE ALSO" .BR selinux (8), .BR sestatus(8), .BR selinuxenabled (1), .BR check-selinux-installation(8), .BR selinux-config-enforcing(8), .BR selinux-policy-upgrade(8), http://wiki.debian.org/SELinux \- More about SELinux Debian install, http://etbe.coker.com.au/tag/selinux/ \- Russell's SE Linux blog posts, http://etbe.coker.com.au/2008/08/02/postfix-and-chroot/ \- post about this script. .SH "AUTHOR" .PP This program and its man page was written by Russell Coker for the \fBDebian\fP system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. .PP On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL-3. 
selinux-basics-0.5.2/selinux-policy-upgrade.80000644000000000000000000000220612217047741016044 0ustar .TH "selinux-policy-upgrade" "8" .SH "NAME" selinux-policy-upgrade \- upgrade the modules in the SE Linux policy database from a policy package .SH "SYNOPSIS" .PP \fBselinux-policy-upgrade\fR .SH "DESCRIPTION" .PP \fBselinux-policy-upgrade\fR this command will upgrade all policy modules (including the base modules) to the versions that are under /usr/share/selinux/SELINUXTYPE .SH "SEE ALSO" .BR selinux (8), .BR sestatus(8), .BR selinuxenabled (1), .BR load_policy(8), .BR semodule(8), .BR postfix-nochroot(8), .BR check-selinux-installation(8), .BR selinux-config-enforcing(8), http://wiki.debian.org/SELinux \- More about SELinux Debian install, http://etbe.coker.com.au/tag/selinux/ \- Russell's SE Linux blog posts. .SH "AUTHOR" .PP This program and its man page was written by Russell Coker for the \fBDebian\fP system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. .PP On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL-3. selinux-basics-0.5.2/check-selinux-installation0000755000000000000000000000116112217047741016530 0ustar #!/usr/bin/python import os, glob testsdir="/usr/share/selinux-basics/tests" tests = [] def register_test(test): tests.append(test) class ErrorBase: def __str__(self): raise NotImplementedError("Error with no description found. 
Class: %s" % self.__class__) def fixable(self): return False def fix(self): return False class TestBase: @staticmethod def test(): return [] def fix(): pass testfiles = glob.glob(os.path.join(testsdir,"[0-9]*.py")) testfiles.sort() for testfile in testfiles: execfile(testfile) results = [] for test in tests: results += test.test() for result in results: print result selinux-basics-0.5.2/tests/0000755000000000000000000000000012217047741012504 5ustar selinux-basics-0.5.2/tests/00_selinuxenabled.py0000644000000000000000000000115212217047741016356 0ustar class TestSELinuxEnabled(TestBase): """ Test that selinux is enabled, by calling selinuxenabled """ class ErrorNotEnabled(ErrorBase): def __str__(self): return "SELinux is not enabled." class ErrorCouldNotTest(ErrorBase): def __str__(self): return "Couldn't test if selinux is enabled." @staticmethod def test(): import os status = os.system("selinuxenabled") if not os.WIFEXITED(status): return [TestSELinuxEnabled.ErrorCouldNotTest()] exitcode = os.WEXITSTATUS(status) if exitcode != 0: return [TestSELinuxEnabled.ErrorNotEnabled()] return [] register_test(TestSELinuxEnabled) selinux-basics-0.5.2/tests/21_pam.py0000644000000000000000000000202112217047741014130 0ustar class TestPAMConfig(TestBase): """ Verify that pam is setup for SELinux """ class ErrorPAMSSH(ErrorBase): def __str__(self): return "/etc/pam.d/sshd is not SELinux enabled" class ErrorPAMLogin(ErrorBase): def __str__(self): return "/etc/pam.d/login is not SELinux enabled" @staticmethod def test(): import os, re r = re.compile(r'^\s*session\s+(required|\[success=ok\s+ignore=ignore\s+module_unknown=ignore\s+default=bad\])\s+pam_selinux.so') result = [] if os.access("/etc/pam.d/sshd", os.F_OK): selinuxon = False f = open("/etc/pam.d/sshd","r") for line in f.readlines(): if r.match(line): selinuxon = True f.close() if not selinuxon: result.append(TestPAMConfig.ErrorPAMSSH()) if os.access("/etc/pam.d/login", os.F_OK): selinuxon = False f = 
open("/etc/pam.d/login","r") for line in f.readlines(): if r.match(line): selinuxon = True f.close() if not selinuxon: result.append(TestPAMConfig.ErrorPAMLogin()) return result register_test(TestPAMConfig) selinux-basics-0.5.2/tests/24_fsckfix.py0000644000000000000000000000123312217047741015017 0ustar class TestFSCKFix(TestBase): """ Suggest to use FSCKFIX in /etc/default/rcS """ class ErrorFSCKFix(ErrorBase): def __str__(self): return "FSCKFIX is not enabled - not serious, but could prevent system from booting..." @staticmethod def test(): import os, re r = re.compile(r'^\s*FSCKFIX=.*yes') if os.access("/etc/default/rcS", os.F_OK): fsckfix = False f = open("/etc/default/rcS","r") for line in f.readlines(): if r.match(line): fsckfix = True f.close() if not fsckfix: return [TestFSCKFix.ErrorFSCKFix()] else: raise IOError("/etc/default/rcS not found, is this Debian?") return [] register_test(TestFSCKFix) selinux-basics-0.5.2/tests/01_verify_init.py0000644000000000000000000000214712217047741015711 0ustar class TestInitDomain(TestBase): """ Test that pid 1 (init) is running in the appropriate domain """ class ErrorGetfileconFailed(ErrorBase): def __str__(self): return "Could not read the domain of PID 1." class ErrorInitBadlyLabeled(ErrorBase): def __str__(self): return "The init process (PID 1) is running in an incorrect domain." @staticmethod def test(): from subprocess import Popen, PIPE contextok = False pipe = Popen("getfilecon /proc/1", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) pipe.stdin.close() for line in pipe.stdout.readlines(): line = line.rstrip() if line == "": continue if line.endswith(":system_r:init_t") \ or line.find(":system_r:init_t:") >= 0: contextok = True else: print "..%s.." 
% line pipe.stdout.close() for line in pipe.stderr.readlines(): if line.find("failed") >= 0: contextok = "failed" pipe.stderr.close() if contextok == "failed": return [TestInitDomain.ErrorGetfileconFailed()] if not contextok: return [TestInitDomain.ErrorInitBadlyLabeled()] return [] register_test(TestInitDomain) selinux-basics-0.5.2/tests/22_postfix.py0000644000000000000000000000363412217047741015063 0ustar class TestPostfixChroot(TestBase): """ Verify that postfix is not using chroots. """ class ErrorPostfixChrootSync(ErrorBase): def __str__(self): return "Postfix init script is syncing the chroots." def fixable(self): return False def fix(self): return False class ErrorPostfixChroot(ErrorBase): def __str__(self): return "Postfix has chrooted service in master.cf" def fixable(self): return True def fix(self): return not TestPostfixChroot.process_mastercf(fix=True) @staticmethod def process_mastercf(fix=False): import re has_chroot = False split = re.compile("([^\s]+)") f = open("/etc/postfix/master.cf", "r") if fix: fixed = open("/etc/postfix/master.cf.fixed", "w") for line in f.readlines(): # ignore lines with leading whitespace (extra options) and comments if line[0].isspace() or line[0] == '#': if fix: fixed.write(line) continue col = split.split(line) # primitive check we "understand" this line... 
if col[3] in ["unix","inet","fifo"] \ and col[5] in ["-", "y", "n"] \ and col[7] in ["-", "y", "n"] \ and col[9] in ["-", "y"]: has_chroot = True if fix: col[9] = 'n' fixed.write("".join(col)) else: if fix: fixed.write(line) f.close() if fix: fixed.close() return has_chroot @staticmethod def test(): import os, re r = re.compile(r'^\s*SYNC_CHROOT=(.*n|\s*$|\s*""$)') result = [] if os.access("/usr/sbin/postfix", os.F_OK): sync = True if os.access("/etc/default/postfix", os.F_OK): f = open("/etc/default/postfix","r") for line in f.readlines(): if r.match(line): sync = False f.close() if sync: result.append(TestPostfixChroot.ErrorPostfixChrootSync()) if os.access("/etc/postfix/master.cf", os.F_OK): if TestPostfixChroot.process_mastercf(fix=False): result.append(TestPostfixChroot.ErrorPostfixChroot()) return result register_test(TestPostfixChroot) selinux-basics-0.5.2/tests/25_udev_relabel.py0000644000000000000000000000115512217047741016017 0ustar class TestRestoreconUdev(TestBase): """ Check that there is a restorecon call in /etc/init.d/udev """ class ErrorUdevRelabel(ErrorBase): def __str__(self): return "udev will create nodes not labeled correctly" @staticmethod def test(): import os, re r = re.compile(r'(restorecon|relabel)') if os.access("/etc/init.d/udev", os.F_OK): udevrelabel = False f = open("/etc/init.d/udev","r") for line in f.readlines(): if r.search(line): udevrelabel = True f.close() if not udevrelabel: return [TestRestoreconUdev.ErrorUdevRelabel()] return [] register_test(TestRestoreconUdev) selinux-basics-0.5.2/tests/20_old-style-ttys.py0000644000000000000000000000130712217047741016275 0ustar class TestOldTTYs(TestBase): """ Check for old-style ttys that are not supported by the policies. These are disabled in the default kernel shipped by Debian since Squeeze. """ class ErrorOldTTYs(ErrorBase): def __init__(self, oldttys): self.oldttys = oldttys def __str__(self): return "Old style ttys were found." 
def fixable(self): return True def fix(self): success = True for nam in self.oldttys: if not os.unlink(nam): success = False return success @staticmethod def test(): import glob oldttys = glob.glob("/dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]") if len(oldttys) > 0: return [TestOldTTYs.ErrorOldTTYs(oldttys)] return [] register_test(TestOldTTYs) selinux-basics-0.5.2/tests/10_test_kernel_processes.py0000644000000000000000000000226212217047741017765 0ustar class TestNoKernelT(TestBase): """ Test for processes running in system_u:system_r:kernel_t This type should only be used by kernel processes, which are detected by not having any maps. """ # Not sure if this test actually helps when the init test succeeded. # But it doesn't harm either class ErrorBadKernelProcesses(ErrorBase): def __init__(self, badprocs): self.badprocs = badprocs def __str__(self): return "There were %d processes found running in the kernel domain." \ % len(self.badprocs) @staticmethod def test(): from subprocess import Popen, PIPE badprocs = [] pipe = Popen("getfilecon /proc/[0-9]*", shell=True, stdin=PIPE, stdout=PIPE, close_fds=True) pipe.stdin.close() for line in pipe.stdout.readlines(): (dir, context) = line.split() components = dir.split("/") pid = components[-1] if context.find("system_r:kernel_t") >= 0: badproc = False file = open("/proc/%s/maps" % pid) if file.readlines(): badproc = True file.close() if badproc: badprocs.append(pid) pipe.stdout.close() if len(badprocs) > 0: return [TestNoKernelT.ErrorBadKernelProcesses(badprocs)] return [] register_test(TestNoKernelT) selinux-basics-0.5.2/tests/02_verify_slash_selinux.py0000644000000000000000000000104412217047741017623 0ustar class TestSlashSELinux(TestBase): """ Verify that /sys/fs/selinux or /selinux is present """ class ErrorNoSlashSELinux(ErrorBase): def __str__(self): return "The directories /sys/fs/selinux and /selinux are missing." 
def fixable(self): return True def fix(self): import os return os.mkdir("/selinux") @staticmethod def test(): import os if not os.access("/sys/fs/selinux",os.F_OK): if not os.access("/selinux",os.F_OK): return [TestSlashSELinux.ErrorNoSlashSELinux()] return [] register_test(TestSlashSELinux)