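// Source: github.com/caos/orbos@v1.5.14-0.20221103111702-e6cd0cea7ad4/internal/operator/nodeagent/dep/selinux/selinux.go

// Package selinux reads the SELinux mode of a CentOS node and switches it
// to permissive mode.
//
// Security note: EnsurePermissive deliberately lowers the enforcement level
// of the host. In permissive mode SELinux policy violations are logged but
// no longer blocked, and the change is written to /etc/selinux/config so it
// survives a reboot.
//
// NOTE(review): every external binary here (sestatus, setenforce, sed) is
// named without a path and therefore resolved through $PATH. setenforce
// needs elevated privileges, so presumably the node agent runs as root;
// confirm that its PATH only contains directories untrusted users cannot
// write to.
package selinux

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"

	"github.com/caos/orbos/internal/operator/common"
	"github.com/caos/orbos/internal/operator/nodeagent/dep"
	"github.com/caos/orbos/mntr"
)

// Current records the SELinux mode of the host in pkg.Config["selinux"].
//
// It does nothing on operating systems other than CentOS. If the sestatus
// binary cannot be found, the mode is recorded as "permissive" without
// running anything. Otherwise sestatus is executed and its "Current mode:"
// line is parsed: a mode other than "permissive" (for example "enforcing")
// is stored, while "permissive" leaves pkg.Config untouched.
//
// An error is returned when sestatus fails or when its output contains no
// "Current mode:" line; the latter wraps io.EOF, which is what the original
// implementation returned unwrapped.
//
// NOTE(review): a host without sestatus is reported as "permissive" although
// nothing was measured; presumably that is meant to make EnsurePermissive a
// no-op on such hosts. Verify against the caller.
//
// The parameter named os shadows the os package inside this function; the
// package is not used here.
func Current(os dep.OperatingSystem, pkg *common.Package) (err error) {
	if os != dep.CentOS {
		return nil
	}

	if path, lookErr := exec.LookPath("sestatus"); lookErr != nil || path == "" {
		setSELinuxMode(pkg, "permissive")
		return nil
	}

	out := new(bytes.Buffer)
	cmd := exec.Command("sestatus")
	cmd.Stdout = out
	if runErr := cmd.Run(); runErr != nil {
		return fmt.Errorf("running sestatus: %w", runErr)
	}

	for {
		line, readErr := out.ReadString('\n')
		// Inspect the line before the read error: the last line of the
		// output may carry data together with io.EOF when it has no
		// trailing newline.
		if strings.Contains(line, "Current mode:") {
			// Contains guarantees at least one ':' so index 1 exists.
			status := strings.TrimSpace(strings.Split(line, ":")[1])
			if status != "permissive" {
				setSELinuxMode(pkg, status)
			}
			return nil
		}
		if readErr != nil {
			return fmt.Errorf("parsing sestatus output: no \"Current mode:\" line found: %w", readErr)
		}
	}
}

// setSELinuxMode stores mode under the "selinux" key of pkg.Config,
// allocating the map first when it is nil.
func setSELinuxMode(pkg *common.Package, mode string) {
	if pkg.Config == nil {
		pkg.Config = make(map[string]string)
	}
	pkg.Config["selinux"] = mode
}

// EnsurePermissive switches SELinux to permissive mode, both for the running
// system (setenforce 0) and persistently (rewriting /etc/selinux/config).
//
// It is a no-op on operating systems other than CentOS and when
// remove.Config["selinux"] is already "permissive". The two commands run in
// order; the first failure is returned together with the command's stderr.
//
// Caveats a reviewer should keep in mind:
//   - This weakens host hardening on purpose: in permissive mode policy
//     violations are logged, not denied.
//   - The sed expression only rewrites a line that is exactly
//     "SELINUX=enforcing". Any other spelling (trailing whitespace, a
//     different value) is left as is and sed still exits successfully, so a
//     nil return does not prove the persistent setting changed.
//   - In verbose mode the command lines are printed to stdout.
func EnsurePermissive(monitor mntr.Monitor, opsys dep.OperatingSystem, remove common.Package) error {
	if opsys != dep.CentOS || remove.Config["selinux"] == "permissive" {
		return nil
	}

	if err := runSELinuxCommand(monitor, "setenforce", "0"); err != nil {
		return err
	}
	return runSELinuxCommand(monitor, "sed", "-i", "s/^SELINUX=enforcing$/SELINUX=permissive/", "/etc/selinux/config")
}

// runSELinuxCommand executes one command for EnsurePermissive, capturing
// stderr for the error message and echoing the command line and its stdout
// when the monitor is verbose.
func runSELinuxCommand(monitor mntr.Monitor, name string, args ...string) error {
	errBuf := new(bytes.Buffer)

	cmd := exec.Command(name, args...)
	cmd.Stderr = errBuf
	if monitor.IsVerbose() {
		fmt.Println(strings.Join(cmd.Args, " "))
		cmd.Stdout = os.Stdout
	}
	if err := cmd.Run(); err != nil {
		// Name the failing command: both steps previously produced the
		// same message, which hid which one had failed.
		return fmt.Errorf("disabling SELinux failed running %q with stderr %s: %w", strings.Join(cmd.Args, " "), errBuf.String(), err)
	}
	return nil
}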