Hello community, here is the log from the commit of package libselinux for openSUSE:Factory checked in at 2012-12-17 09:34:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libselinux (Old) and /work/SRC/openSUSE:Factory/.libselinux.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libselinux", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/libselinux/libselinux.changes 2012-11-28 11:07:38.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libselinux.new/libselinux.changes 2012-12-17 09:34:49.000000000 +0100 @@ -1,0 +2,10 @@ +Tue Dec 11 16:15:52 UTC 2012 - [email protected] + +- update selinux-ready script + * use -L when stat()ing /etc/selinux/config + * make sure that SELINUX isn't disabled in /etc/selinux/config + * look for either of /sys/fs/selinux and /selinux directory + * use systemctl to check for restorecond + * don't look for booleans file (deprecated) + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ libselinux.spec: same change ++++++ selinux-ready ++++++ --- /var/tmp/diff_new_pack.0IksII/_old 2012-12-17 09:34:51.000000000 +0100 +++ /var/tmp/diff_new_pack.0IksII/_new 2012-12-17 09:34:51.000000000 +0100 @@ -8,13 +8,20 @@ # init needs /selinux to be there check_dir() { - SLDIR="/selinux" + SLDIRS="/selinux /sys/fs/selinux" + FOUND="no" - if [ -d $SLDIR ];then - printf "\tcheck_dir: OK. $SLDIR exists.\n" + for DIR in $SLDIRS; do + if [ -d $DIR ]; then + printf "\tcheck_dir: OK. $DIR exists.\n" + FOUND="yes" + fi + done + + if [ $FOUND == "yes" ]; then return 0 else - printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n" + printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n" return 1 fi } @@ -58,7 +65,7 @@ K=$(echo $BLINE | awk -F' ' '{print $2}') KERNEL=$(basename $K) K=$(echo $KERNEL | sed s/vmlinuz-//) - + if [ "$K" == "$CURRENT_KERNEL" ]; then INITRD=initrd-$K RETVAL="OK" @@ -80,6 +87,9 @@ check_mkinitrd() { + if [ "$INITRD" == "unknown" ]; then + return 1 + fi MCMD="mount.*/root/proc.*" if ! [ -f "/boot/$INITRD" ];then 
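Review bot: The new failure message in check_dir advises `mkdir /sys/fs/selinux`, but that path sits on sysfs, where the mount point is normally provided by the kernel and cannot be created by hand. If neither directory exists, the likelier causes are a kernel without SELinux support or an unmounted sysfs, so the advice sends the admin in the wrong direction. I would reword it as `printf "\tcheck_dir: ERR. Neither of %s exists. Check that the kernel has SELinux support and that sysfs is mounted.\n" "$SLDIRS"`, which also keeps the variable out of the printf format string. Separately, `[ $FOUND == "yes" ]` relies on `==` inside `[`, which is not portable if the script runs under a plain /bin/sh (the shebang is not visible here); `[ "$FOUND" = "yes" ]` is safe either way.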
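Review bot: The early return added at the top of check_mkinitrd fails with status 1 but prints nothing, while every other failure path visible in this diff emits a `check_…: ERR.` line first. A user reading the report will see the check fail with no reason given. I would add `printf "\tcheck_mkinitrd: ERR. Could not determine the initrd of the running kernel.\n"` before the `return 1`. The place where INITRD is set to "unknown" and the rest of the function are outside this hunk, so confirm the sentinel spelling matches.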
@@ -161,33 +171,12 @@ printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n" return 1; fi - - POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/) - - if ! [ -f /etc/selinux/$POL/booleans ]; then - printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n" - return 1 - fi - - INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//") - - if [ "$INITUS" == 1 ]; then - printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n" - return 0 - else - printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n" - return 1 - fi - } check_runlevel() { - #ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null - - #if [ $? == 0 ]; then - if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then - printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n" + if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then + printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n" return 0; fi printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n" 
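Review bot: The `systemctl is-enabled` call in check_runlevel leaves stderr attached, so on a host without systemd or without a restorecond unit the raw systemctl error is interleaved with the report before the ERR line. Silencing it and using the portable comparison keeps the output clean: `if [ "$(systemctl is-enabled restorecond.service 2>/dev/null)" = "enabled" ]; then`. The unchanged failure message still points to 'yast2 runlevel' although the check now asks systemd, so a hint such as `systemctl enable restorecond.service` would match the test. Note also that is-enabled only reports boot-time configuration; if the intent is that restorecond is actually running, an additional `systemctl is-active` test would presumably be needed.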
@@ -220,14 +209,26 @@ { CF="/etc/selinux/config" - if [ -f $CF ];then printf "\tcheck_config: OK. Config file seems to be there.\n" - if ! [ $(stat --printf=%a $CF) -eq "644" ]; then + # with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy + if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n" return 1 fi - return 0 + + # check that SELINUX is not disabled there + SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/) + case "$SELINUX_MODE" in + permissive | enforcing ) + printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n" + return 0 + ;; + * ) + printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n" + return 1 + ;; + esac else printf "\tcheck_config: ERR. Config file '$CF' is missing.\n" return 1 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
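Review bot: The SELINUX_MODE extraction in check_config uses a grep pattern and a sed pattern that disagree. grep accepts leading whitespace, but the sed expression does not strip it and leaves any trailing text, so an indented line or a second matching line yields a value that falls into the `*` branch even when the mode is valid. This fails closed, so it produces false alarms rather than a missed "disabled", but a single anchored expression is easier to reason about: `SELINUX_MODE=$(sed -n 's/^\s*SELINUX\s*=\s*\(\S*\).*/\1/p' "$CF")`. Since `stat -L` now follows the link to another file, it may also be worth checking the owner along with the mode, for example comparing `stat -L --printf='%u:%a' "$CF"` against `0:644`, because a 644 file owned by a non-root user would pass the current test. The enclosing function starts and ends outside this hunk.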
