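#!/bin/sh

### BEGIN INIT INFO
# Provides:        selinux
# Required-Start:
# Required-Stop:
# Default-Start:   2 3 4 5
# Default-Stop:    0 6
# Short-Description: Relabel the filesystem before reboot
### END INIT INFO

# Request files, both at the filesystem root:
#   $statusfile - its presence requests a relabel at the next shutdown; when
#                 created by "switch" it also holds a sed script that stop()
#                 applies to /etc/selinux/config
#   $switchfile - shell assignments (SELINUXTYPE=, optionally SELINUX=) that
#                 take precedence over /etc/selinux/config until the relabel
#                 has been done
statusfile=/.autorelabel
switchfile=/.switchpolicy

# Source function library (provides the log_*_msg helpers used below)
. /lib/lsb/init-functions

# Get the selinux configuration variables.  A pending policy switch wins over
# the installed configuration.  Both files are executed as shell code, so they
# must remain root-owned and only ever be written by this script.
SELINUXTYPE=""
if [ -e "$switchfile" ]; then
    . "$switchfile"
elif [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
fi

SETFILES=/sbin/setfiles
LOAD_POLICY=/usr/sbin/load_policy

# From fixfiles - determine what filesystems can be relabeled: mounted ext2/3/4,
# xfs or jfs filesystems that are neither bind mounts nor mounted with a
# "context=" option.  Read-write mounts are listed before read-only ones.
# The result is a whitespace-separated list of mount points (mount points
# containing whitespace are not supported).  "grep -E" replaces the obsolescent
# egrep, which newer GNU grep warns about on stderr at every boot.
FILESYSTEMSRW=$(/bin/mount | /bin/grep -v "context=" | /bin/grep -E -v '\((|.*,)bind(,.*|)\)' | /usr/bin/awk '/(ext[234]| xfs | jfs ).*\(rw/{print $3}')
FILESYSTEMSRO=$(/bin/mount | /bin/grep -v "context=" | /bin/grep -E -v '\((|.*,)bind(,.*|)\)' | /usr/bin/awk '/(ext[234]| xfs | jfs ).*\(ro/{print $3}')
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"

# Lock directory created by start(); its presence means "service started"
lockdir=/var/lock/selinux-relabel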
  36.  
# Start only creates the lock directory that marks the service as started;
# the relabel itself is performed by stop().
start() {
    log_daemon_msg "Starting SELinux autorelabel"
    if [ ! -e "$statusfile" ]; then
        # Nothing pending: just claim the lock.  The directory may already
        # exist from an earlier start, which is not an error.
        mkdir "$lockdir" 2>/dev/null || true
    else
        log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
    fi
    log_end_msg 0
}
  48.  
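# Stop performs the relabeling and removes the request to relabel.
# The expensive part only runs when $statusfile exists; in every case the
# lock directory created by start() is removed.
# Exits 5 (LSB: 'program is not installed') when no SELinux policy is
# configured, so the request cannot be honoured.
stop() {
    if [ -e "$statusfile" ]; then
        if [ -z "${SELINUXTYPE}" ]; then
            log_failure_msg "No SELinux policy found"
            /bin/rmdir "$lockdir"
            exit 5  # LSB defines this as 'program is not installed'
        fi
        # Drop to permissive for the relabel unless SELinux is disabled.
        # Quoting the substitution and checking for getenforce first avoids a
        # malformed test (and a stray error) when the tool is missing.
        # NOTE(review): /selinux is the legacy selinuxfs mount point; newer
        # systems mount it under /sys/fs/selinux -- confirm for this release.
        if [ -x /usr/sbin/getenforce ] && [ "$(/usr/sbin/getenforce)" != "Disabled" ]; then
            echo "0" > /selinux/enforce
        fi
        log_warning_msg "If you are not already running SELinux, then you can"
        log_warning_msg "safely ignore the following error message."
        ${LOAD_POLICY} && log_action_msg "Policy loaded successfully"
        log_warning_msg "SELinux ${SELINUXTYPE} policy relabel is required."
        log_warning_msg "Relabeling could take a very long time, depending"
        log_warning_msg "on file system size and speed of hard drives."
        # $statusfile is either empty (plain "relabel" request) or the sed
        # script written by switch() that rewrites the SELINUXTYPE=/SELINUX=
        # lines; an empty script leaves the config untouched.
        /bin/sed -i -f "$statusfile" /etc/selinux/config
        log_action_begin_msg "Relabeling files"
        # $FILESYSTEMS is deliberately unquoted: it is a whitespace-separated
        # list of mount points built at the top of the script.
        # shellcheck disable=SC2086
        ${SETFILES} "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" ${FILESYSTEMS}
        log_action_end_msg $?
        /bin/rm -f "$statusfile" "$switchfile"
    fi
    /bin/rmdir "$lockdir"
}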
  74.  
# Restart simply re-runs start(): there is nothing to tear down, and the
# relabel itself only ever happens at shutdown.
restart() { start; }
  79.  
# Report whether a relabel has been requested.  Exit status follows LSB:
# 0 when the service is started (lock directory present), 3 when it is not.
status() {
    if [ ! -d "$lockdir" ]; then
        echo "Not started"
        exit 3   # LSB defines this as 'program is not running'
    fi
    if [ -e "$statusfile" ]; then
        echo "Filesystem will be relabeled using policy ${SELINUXTYPE}."
    else
        echo "No relabeling requested."
    fi
    exit 0
}
  94.  
# Request a relabel: creating $statusfile is the whole request; stop() acts
# on it at the next shutdown/reboot.
relabel() {
    log_success_msg "File relabel will occur upon next shutdown/reboot."
    /usr/bin/touch "$statusfile"
}
  100.  
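# Request a switch to policy $1, optionally setting SELINUX=$2, before the
# relabel.  The request is recorded twice: as a sed script in $statusfile
# that stop() applies to /etc/selinux/config, and as shell assignments in
# $switchfile that this script sources on its next run.  Both files are
# interpreted, so the arguments are validated first: a policy name with '/'
# would break the s/// expression (and the policy path used by stop()), and
# a newline could smuggle extra sed or shell commands into those files.
# Arguments: $1 - policy name, [A-Za-z0-9_-]+ (a directory under /etc/selinux)
#            $2 - optional mode, "enforcing" or "permissive"
# Exits 1 when no policy is given or an argument is rejected.
switch() {
    if [ -z "$1" ]; then
        echo "No policy specified"
        exit 1
    fi
    case $1 in
        *[!A-Za-z0-9_-]*)
            echo "Invalid policy name: $1" >&2
            exit 1
            ;;
    esac
    case ${2:-enforcing} in
        enforcing|permissive) ;;
        *)
            echo "Invalid mode: $2 (expected enforcing or permissive)" >&2
            exit 1
            ;;
    esac
    # Validation is complete; only now touch the request files.
    relabel
    echo "s/^SELINUXTYPE=.*/SELINUXTYPE=$1/" > "$statusfile"
    echo "SELINUXTYPE=$1" > "$switchfile"
    if [ -n "$2" ]; then
        echo "s/^SELINUX=.*/SELINUX=$2/" >> "$statusfile"
        echo "SELINUX=$2" >> "$switchfile"
    fi
}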
  116.  
# Cancel a pending relabel/switch request by removing both request files;
# a no-op when no request exists.
cancel() {
    for f in "$statusfile" "$switchfile"; do
        /bin/rm -f "$f"
    done
}
  120.  
# Print the usage text to stdout (unquoted here-doc so $0 expands).
help() {
    cat <<EOF

$0: Automatic relabel on reboot.

This script will cause automatic relabeling of the filesystem before
a reboot upon request.

Options:

   status   Check if relabeling has been requested

   relabel  Request that the filesystem be relabeled

   switch POLICY [ENFORCING]
            Request to switch to POLICY and set to ENFORCING (implies relabel)

   cancel   Cancel a previous request to relabel
            If no request exists, this option does nothing

   help     Display this help message

EOF
}
  143.  
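# Dispatch on the first argument.  $2 and $3 are passed quoted so that
# "switch '' enforcing" is rejected as "no policy" instead of the shell
# collapsing the empty argument and switching to a policy named "enforcing".
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|try-restart|reload|force-reload)
        restart
        ;;
    relabel)
        relabel
        ;;
    switch)
        # syntax: selinux switch <new_policy_name> <"enforcing"|"permissive">
        switch "$2" "$3"
        ;;
    cancel)
        cancel
        ;;
    help)
        help
        ;;
    *)
        log_failure_msg "Usage: $0 (status|relabel|switch|cancel|help)"
        exit 2  # LSB defines this as 'invalid argument'
        ;;
esac

exit 0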