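#!/bin/sh -e
# Activate or deactivate SE Linux for the next boot.
#
# Usage: run with no argument (or any argument other than "disable") to
#        activate; run with "disable" to deactivate.
#
# Activation adds selinux=1 to the GRUB "# kopt=" line, uncomments the
# selinux lines in the login PAM stack, adds pam_selinux.so to the kdm/wdm
# PAM stacks and requests a filesystem relabel via /.autorelabel.
# Deactivation reverses the GRUB and PAM edits and removes /.autorelabel.
#
# The script rewrites files under /boot/grub and /etc/pam.d, so it needs
# write access to both (in practice: root).

# The -e on the shebang line is lost when the script is started as
# "sh <script>", so set it explicitly as well.
set -e

GRUB_CONF=/boot/grub/menu.lst
PAM_LOGIN=/etc/pam.d/login

# rewrite_file FILE SED_SCRIPT
# Replace FILE with the output of sed SED_SCRIPT applied to it.
# The replacement is first created with "cp -p" so that it carries the
# mode and ownership of the original; a file created by plain redirection
# would get the umask default instead, which can widen access to a
# restricted file (menu.lst may hold a GRUB password entry, and the PAM
# files decide who can log in).
rewrite_file() {
  cp -p "$1" "$1.new"
  sed -e "$2" < "$1" > "$1.new"
  mv "$1.new" "$1"
}

if [ "$1" != "disable" ]; then
  echo "Activating SE Linux"
  if [ -e "$GRUB_CONF" ]; then
    # Skip the edit when the file already mentions selinux at all.
    if ! grep -q selinux "$GRUB_CONF"; then
      rewrite_file "$GRUB_CONF" 's/^\(# kopt=.*\)$/\1 selinux=1/'
      update-grub
    fi
  fi
  # Uncomment the selinux lines in the login PAM stack.
  rewrite_file "$PAM_LOGIN" 's/^# \(.*selinux.*\)$/\1/'
  # NOTE(review): this loop covers kdm and wdm while the disable branch
  # covers gdm and kdm; confirm which display managers are intended.
  for n in kdm wdm; do
    FILE=/etc/pam.d/$n
    # Append only when no active pam_selinux.so session line exists, so
    # that repeated activation does not stack duplicate entries.
    if [ -e "$FILE" ] &&
       ! grep -q '^[[:space:]]*session.*pam_selinux\.so' "$FILE"; then
      echo "session required pam_selinux.so" >> "$FILE"
    fi
  done
  touch /.autorelabel
  echo "SE Linux is activated. You may need to reboot now."
else
  echo "Deactivating SE Linux"
  # we assume that EPERM on /selinux/enforce means that
  # all subsequent operations get EPERM
  if grep -q 1 /selinux/enforce 2> /dev/null; then
    echo "You should be in permissive mode to disable SE Linux."
    echo "Run \"setenforce 0\" first if you really want to do this."
    exit 1
  fi
  if [ -e "$GRUB_CONF" ]; then
    rewrite_file "$GRUB_CONF" 's/ selinux=1//'
  fi
  # Comment out the selinux lines, leaving already-commented lines alone;
  # otherwise a second "disable" run would produce "# # ..." lines that a
  # later activation only half-uncomments.
  rewrite_file "$PAM_LOGIN" '/^#/!s/^\(.*selinux.*\)$/# \1/'
  for n in gdm kdm; do
    FILE=/etc/pam.d/$n
    if grep -q selinux "$FILE" 2> /dev/null; then
      # sed '/.../d' instead of grep -v: grep -v exits non-zero when every
      # line matches, which would abort the script under set -e and leave
      # a stray .new file behind.
      rewrite_file "$FILE" '/selinux/d'
    fi
  done
  rm -f /.autorelabel
  echo "SE Linux is deactivated. You may need to reboot now."
fi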