/usr/sbin/selinux-activate is in selinux-basics 0.5.0.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
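#!/bin/sh
# selinux-activate - switch SE Linux boot-time activation on or off.
#
# Usage: selinux-activate [disable]
#   (no argument)  put "selinux=1 security=selinux" on the GRUB kernel command
#                  line, add pam_selinux to the kdm/wdm PAM files and create
#                  /.autorelabel.
#   disable        undo the above; refused while the kernel reports enforcing.
#
# NOTE(review): any argument other than the literal "disable" takes the
# activation path, so a mistyped argument still activates.
# Every step writes under /boot/grub, /etc or /, so the script is expected to
# run as root; with "set -e" the first failed write aborts it.
set -e

GRUB_CONF=/boot/grub/menu.lst
GRUB2_CONF=/etc/default/grub

# edit_in_place FILE SED_ARGS...
# Filters FILE through "sed SED_ARGS" and renames the result over FILE.
# Returns non-zero (aborting the script under set -e) if sed fails.
edit_in_place() {
  eip_target=$1
  shift
  # Drop a scratch file left behind by an interrupted earlier run.
  rm -f -- "$eip_target.new"
  # Seed the scratch file with cp -p so it carries the original's owner and
  # mode; a bare "> file.new" would create it with the umask default and the
  # rename would then silently change the permissions of a boot/PAM config.
  cp -p -- "$eip_target" "$eip_target.new"
  if ! sed "$@" < "$eip_target" > "$eip_target.new"; then
    rm -f -- "$eip_target.new"
    return 1
  fi
  mv -- "$eip_target.new" "$eip_target"
}

if [ "$1" != "disable" ]; then
  echo "Activating SE Linux"

  # GRUB legacy: extend the "# kopt=" template line, then let update-grub
  # regenerate the kernel entries. Skipped if the file mentions selinux at all.
  if [ -e "$GRUB_CONF" ] && ! grep -q selinux "$GRUB_CONF"; then
    edit_in_place "$GRUB_CONF" \
      -e 's/\(^# kopt=.*$\)/\1 selinux=1 security=selinux/'
    update-grub
  fi

  # GRUB 2: strip any existing occurrences first so repeated runs do not
  # stack duplicates, then append to the quoted GRUB_CMDLINE_LINUX value.
  if [ -e "$GRUB2_CONF" ]; then
    edit_in_place "$GRUB2_CONF" \
      -e 's/ \?selinux=1//g' \
      -e 's/ security=selinux//g' \
      -e 's/\(^GRUB_CMDLINE_LINUX=.*\)"$/\1 selinux=1 security=selinux"/'
    update-grub
  fi

  for n in kdm wdm; do
    FILE=/etc/pam.d/$n
    # Append only when no active pam_selinux session line is present, so a
    # second activation does not add the module to the stack twice.
    if [ -e "$FILE" ] &&
      ! grep -q '^[[:space:]]*session.*pam_selinux' "$FILE"; then
      echo "session required pam_selinux.so" >> "$FILE"
    fi
  done

  # Flag file asking for a filesystem relabel at the next boot (acted on by
  # the boot scripts, not by this script).
  touch /.autorelabel
  echo "SE Linux is activated. You may need to reboot now."
else
  echo "Deactivating SE Linux"

  # we assume that EPERM on the enforce file means that
  # all subsequent operations get EPERM
  # Both selinuxfs mount points are checked: newer systems mount it at
  # /sys/fs/selinux, where testing /selinux alone would silently skip this
  # guard and allow disabling from enforcing mode.
  for enforce in /sys/fs/selinux/enforce /selinux/enforce; do
    if grep -q 1 "$enforce" 2> /dev/null; then
      echo "You should be in permissive mode to disable SE Linux."
      echo "Run \"setenforce 0\" first if you really want to do this."
      exit 1
    fi
  done

  # GRUB legacy: the options are removed from every line that carries them,
  # so the kernel entries are edited directly.
  if [ -e "$GRUB_CONF" ]; then
    edit_in_place "$GRUB_CONF" \
      -e 's/ selinux=1//' \
      -e 's/ security=selinux//'
  fi

  if [ -e "$GRUB2_CONF" ] && grep -q selinux "$GRUB2_CONF" 2> /dev/null; then
    edit_in_place "$GRUB2_CONF" \
      -e 's/ \?selinux=1//' \
      -e 's/ security=selinux//'
    update-grub
  fi

  # wdm is included because activation appends to it; without it the
  # pam_selinux line added there would survive a disable.
  # NOTE(review): this drops every line containing "selinux", not only the
  # one this script appended — confirm that is intended for gdm.
  for n in gdm kdm wdm; do
    FILE=/etc/pam.d/$n
    if grep -q selinux "$FILE" 2> /dev/null; then
      # sed '/…/d' rather than grep -v: grep -v exits 1 when nothing is left
      # to print, which would abort the script under set -e.
      edit_in_place "$FILE" -e '/selinux/d'
    fi
  done

  rm -f /.autorelabel
  echo "SE Linux is deactivated. You may need to reboot now."
fi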