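#!/bin/sh
# Switch SELinux on or off at boot by editing the bootloader configuration.
#
# Arguments:
#   $1 - "disable" removes the SELinux kernel parameters; any other value,
#        including no argument at all, adds security=selinux.
#
# Each bootloader is handled only when it is present: legacy GRUB
# (/boot/grub/menu.lst), GRUB 2 (/etc/default/grub) and u-boot-menu
# (/usr/share/u-boot-menu). The script edits those files in place and
# creates or removes /.autorelabel, so it needs write access to them.
#
# Exit status: 1 when asked to disable while SELinux is enforcing; otherwise
# 0 unless a command fails (set -e).
set -e

GRUB_CONF=/boot/grub/menu.lst
GRUB2_CONF=/etc/default/grub
UBOOT_CONF=/etc/u-boot-menu/conf.d/selinux.conf

# Print a warning on stderr without changing the exit status.
warn() {
  printf 'Warning: %s\n' "$*" >&2
}

if [ "$1" != "disable" ]; then
  echo "Activating SE Linux"

  if [ -e "$GRUB_CONF" ]; then
    # NOTE(review): any existing mention of "selinux" in menu.lst (for
    # example selinux=0, or a comment) skips the edit entirely - confirm
    # that this is intended.
    if ! grep -q selinux "$GRUB_CONF"; then
      # Append the parameter to the "# kopt=" template line; update-grub is
      # then run to regenerate the configuration from it.
      sed -i "s/\(^# kopt=.*$\)/\1 security=selinux/" "$GRUB_CONF"
      # The substitution is a silent no-op when no "# kopt=" line exists, so
      # verify the result instead of reporting success blindly.
      if ! grep -q 'security=selinux' "$GRUB_CONF"; then
        warn "no '# kopt=' line in $GRUB_CONF; security=selinux was NOT added"
      fi
      update-grub
    fi
  fi

  if [ -e "$GRUB2_CONF" ]; then
    # Drop any existing selinux=1 / security=selinux first so the parameter
    # is not duplicated, then append it inside the closing double quote of
    # GRUB_CMDLINE_LINUX.
    sed -i \
      -e "s/ \?selinux=1//g" \
      -e "s/ \?security=selinux//g" \
      -e "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 security=selinux\"/" \
      "$GRUB2_CONF"
    # The append only matches a GRUB_CMDLINE_LINUX line that ends in a double
    # quote. A single-quoted or unquoted value, trailing whitespace or a
    # missing line leaves the file without the parameter, and the system
    # would boot without SELinux while this script reports success.
    if ! grep -q '^GRUB_CMDLINE_LINUX=.*security=selinux' "$GRUB2_CONF"; then
      warn "could not add security=selinux to GRUB_CMDLINE_LINUX in $GRUB2_CONF; add it by hand and run update-grub"
    fi
    update-grub
  fi

  if [ -d "/usr/share/u-boot-menu" ]; then
    mkdir -p "$(dirname "$UBOOT_CONF")"
    # Single quotes keep $U_BOOT_PARAMETERS literal: it is written into the
    # snippet unexpanded. The snippet is overwritten on every activation.
    echo 'U_BOOT_PARAMETERS="security=selinux $U_BOOT_PARAMETERS"' > "$UBOOT_CONF"
    u-boot-update
  fi

  # Flag file that conventionally requests a full filesystem relabel on the
  # next boot.
  touch /.autorelabel
  echo "SE Linux is activated. You may need to reboot now."
else
  echo "Deactivating SE Linux"

  # we assume that EPERM on /sys/fs/selinux/enforce means that
  # all subsequent operations get EPERM
  # grep's errors are discarded, so a missing or unreadable enforce file is
  # treated the same as "not enforcing" and the script carries on.
  if grep -q 1 /sys/fs/selinux/enforce 2> /dev/null; then
    echo "You should be in permissive mode to disable SE Linux."
    echo "Run \"setenforce 0\" first if you really want to do this."
    exit 1
  fi

  if [ -e "$GRUB_CONF" ]; then
    # Removes the first occurrence on every line of menu.lst; update-grub is
    # not run for legacy GRUB in this branch.
    sed -i -e "s/ selinux=1//" -e "s/ security=selinux//" "$GRUB_CONF"
  fi

  if [ -e "$GRUB2_CONF" ]; then
    # Only rewrite the file and regenerate the GRUB 2 configuration when
    # there is something to remove.
    if grep -q selinux "$GRUB2_CONF" 2> /dev/null; then
      sed -i -e "s/ \?selinux=1//" -e "s/ \?security=selinux//" "$GRUB2_CONF"
      update-grub
    fi
  fi

  if [ -d "/usr/share/u-boot-menu" ]; then
    rm -f -- "$UBOOT_CONF"
    u-boot-update
  fi

  # Cancel a relabel that an earlier activation may have requested.
  rm -f /.autorelabel
  echo "SE Linux is deactivated. You may need to reboot now."
fi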