File: selinux-activate

package info (click to toggle)
selinux-basics 0.3.5
  • links: PTS, VCS
  • area: main
  • in suites: lenny
  • size: 140 kB
  • ctags: 68
  • sloc: python: 279; sh: 190; perl: 43; makefile: 25
file content (50 lines) | stat: -rwxr-xr-x 1,490 bytes parent folder | download
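#!/bin/sh -e
#
# selinux-activate [disable]
#
# With no argument (or any argument other than "disable"), turns SE Linux on:
# adds selinux=1 to the GRUB kopt line, uncomments the selinux lines in the
# login PAM stack, adds pam_selinux to the kdm/wdm PAM stacks and creates
# /.autorelabel.  With "disable", reverses those edits, but refuses to run
# while the system is in enforcing mode.
#
# Must be able to write /boot/grub, /etc/pam.d and /; nothing here checks the
# caller's privileges, a failed write simply aborts the script via -e.

# The -e on the shebang line is lost when the script is started as
# "sh selinux-activate", so set it here as well: a half-applied edit to a PAM
# file must stop the run rather than be followed by "SE Linux is activated".
set -e

GRUB_CONF=/boot/grub/menu.lst
PAM_LOGIN=/etc/pam.d/login

# rewrite_file SED_EXPR FILE
# Runs SED_EXPR over FILE and replaces FILE with the result.  The scratch copy
# is created with cp -p first so the replacement keeps the owner and mode of
# the original instead of inheriting whatever umask the caller happens to have
# (relevant for files under /etc/pam.d).
rewrite_file() {
  cp -p "$2" "$2.new"
  sed -e "$1" < "$2" > "$2.new"
  mv "$2.new" "$2"
}

if [ "$1" != "disable" ]; then
  echo "Activating SE Linux"
  if [ -e "$GRUB_CONF" ]; then
    # NOTE(review): any occurrence of "selinux" in menu.lst (a comment, or
    # selinux=0) suppresses this edit, so the kernel may still boot without
    # SE Linux after a "successful" activation - confirm this is intended.
    if ! grep -q selinux "$GRUB_CONF" ; then
      rewrite_file "s/\(^# kopt=.*$\)/\1 selinux=1/" "$GRUB_CONF"
      update-grub
    fi
  fi
  # Uncomments every "# ..." line that mentions selinux.
  # NOTE(review): this also uncomments explanatory comment lines that merely
  # contain the word; verify against the shipped /etc/pam.d/login.
  rewrite_file "s/^# \(.*selinux.*$\)/\1/" "$PAM_LOGIN"
  # NOTE(review): activation touches kdm and wdm, deactivation touches gdm and
  # kdm; a pam_selinux line added to wdm here is never removed again.
  for n in kdm wdm ; do
    FILE=/etc/pam.d/$n
    if [ -e "$FILE" ]; then
      # Append only once, so re-running activation does not stack duplicate
      # pam_selinux entries in the session stack.
      if ! grep -qxF "session required pam_selinux.so" "$FILE" ; then
        echo "session required pam_selinux.so" >> "$FILE"
      fi
    fi
  done
  # Flag file in the root directory; presumably requests a filesystem relabel
  # at next boot - confirm against the init scripts of this package.
  touch /.autorelabel
  echo "SE Linux is activated.  You may need to reboot now."
else
  echo "Deactivating SE Linux"
  # we assume that EPERM on /selinux/enforce means that
  # all subsequent operations get EPERM
  # (an unreadable or missing /selinux/enforce is treated as "not enforcing")
  if grep -q 1 /selinux/enforce 2> /dev/null ; then
    echo "You should be in permissive mode to disable SE Linux."
    echo "Run \"setenforce 0\" first if you really want to do this."
    exit 1
  fi

  if [ -e "$GRUB_CONF" ]; then
    rewrite_file "s/ selinux=1//" "$GRUB_CONF"
  fi
  # Comment out the selinux lines, skipping lines that are already comments.
  # Without the /^#/! guard a second "disable" stacks "# # ..." prefixes, and
  # the next activation (which strips a single "# ") leaves pam_selinux
  # commented out while the kernel boots with selinux=1.
  rewrite_file "/^#/!s/\(^.*selinux.*$\)/# \1/" "$PAM_LOGIN"
  for n in gdm kdm ; do
    FILE=/etc/pam.d/$n
    if grep -q selinux "$FILE" 2> /dev/null ; then
      # Drop every line mentioning selinux.  sed '/…/d' is used instead of
      # grep -v because grep -v exits 1 when no line survives, which under -e
      # would abort the run and leave $FILE.new behind.
      rewrite_file "/selinux/d" "$FILE"
    fi
  done
  rm -f /.autorelabel
  echo "SE Linux is deactivated.  You may need to reboot now."
fi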