Dne 4.5.2017 v 23:12 Christian Göttsche via Selinux napsal(a):
> Add command line tool selinuxenforced to determine the current SELinux enforced via exit code.
> Useful for script usage or monitoring.
Could the following script do the work? case $(getenforce) in "Permissive") exit 1 ;; "Enforcing") exit 0 ;; "Disabled") exit 2 ;; esac
> ---
> libselinux/man/man8/selinuxenforced.8 | 24 ++++++++++++++++++++++++
> libselinux/utils/.gitignore | 1 +
> libselinux/utils/selinuxenforced.c | 33 +++++++++++++++++++++++++++++++++
> 3 files changed, 58 insertions(+)
> create mode 100644 libselinux/man/man8/selinuxenforced.8
> create mode 100644 libselinux/utils/selinuxenforced.c
>
> diff --git a/libselinux/man/man8/selinuxenforced.8 b/libselinux/man/man8/selinuxenforced.8
> new file mode 100644
> index 00000000..5ef746e5
> --- /dev/null
> +++ b/libselinux/man/man8/selinuxenforced.8
> @@ -0,0 +1,24 @@
> +.TH "selinuxenforced" "8" "4 May 2017" "Security Enhanced Linux" "SELinux Command Line documentation"
> +.SH "NAME"
> +selinuxenforced \- tool to be used within shell scripts to determine if SELinux is in enforced mode
> +.
> +.SH "SYNOPSIS"
> +.B selinuxenforced
> +.
> +.SH "DESCRIPTION"
> +Indicates whether SELinux is in enforced mode or not.
> +.
> +.SH "EXIT STATUS"
> +It exits with status 0 if SELinux is in enforced mode,
> +1 if SELinux is in permissive mode,
> +2 if SELinux is disabled,
> +and 10 if a library call fails.
> +.
> +.SH AUTHOR
> +Christian Göttsche, <cgzones@xxxxxxxxxxxxxx>
> +.
> +.SH "SEE ALSO"
> +.BR selinux (8),
> +.BR setenforce (8),
> +.BR getenforce (8),
> +.BR selinuxenabled (8)
> diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> index 5cd01025..bc1f4327 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -21,6 +21,7 @@ selabel_partial_match
> selinux_check_securetty_context
> selinuxenabled
> selinuxexeccon
> +selinuxenforced
> setenforce
> setfilecon
> togglesebool
> diff --git a/libselinux/utils/selinuxenforced.c b/libselinux/utils/selinuxenforced.c
> new file mode 100644
> index 00000000..b5e1c8e8
> --- /dev/null
> +++ b/libselinux/utils/selinuxenforced.c
> @@ -0,0 +1,33 @@
> +#include <unistd.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <selinux/selinux.h>
> +
> +int main(void)
> +{
> + int rc;
> +
> + rc = is_selinux_enabled();
> + if (rc < 0) {
> + fputs("selinuxenforced: is_selinux_enabled() failed", stderr);
> + return 10;
> + }
> + if (rc == 1) {
> + rc = security_getenforce();
> + if (rc < 0) {
> + fputs("selinuxenforced: security_getenforce() failed", stderr);
> + return 10;
> + }
> +
> + if (rc) {
> + // enforced mode
> + return 0;
> + }
> +
> + // permissive mode
> + return 1;
> + }
> +
> + // SELinux disabled
> + return 2;
> +}
>
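Review bot: Both `fputs()` diagnostics in `main` lack a trailing newline, so the message runs into the next prompt or log line; write `fputs("selinuxenforced: security_getenforce() failed\n", stderr);` and do the same for the `is_selinux_enabled()` message. For a tool meant for monitoring, printing the cause would help tell a missing selinuxfs mount from a permission problem, e.g. `perror("selinuxenforced: security_getenforce()")`, assuming the library call leaves errno set on failure. Status 10 means the mode could not be determined, so a comment above the `return 10;` lines such as `/* state unknown: callers must not treat this as enforcing */` would make the contract explicit for scripts that gate on the exit code. `<unistd.h>` and `<stdlib.h>` appear unused in this file.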