How can enabling selinux be done programmatically in a bash script that has root access?

I already know I can install the necessary packages like this:

if sestatus | grep -q disabled; then
    yum -y install selinux-policy selinux-policy-targeted policycoreutils-python
fi

But how do I script the following steps:

  • in /boot/grub/menu.lst append "selinux=1 security=selinux" to kernel line
  • create an empty .autorelabel file in the root directory

Is there a script someone has put together on GitHub somewhere? We are using Amazon Linux, but I think the steps are the same for CentOS or RHEL.

Lightbeard
  • CentOS doesn't have `/etc/grub/`. Are you asking just how to append a line to a file? – jeremysprofile Aug 01 '18 at 15:00
  • 1
    This is probably a better fit for our sister site [ServerFault](https://serverfault.com/). Questions asking for help in finding a prewritten script are explicitly off-topic here (see #4 in the "some questions are still off-topic" list at https://stackoverflow.com/help/on-topic), and the two steps you're asking about individually are from a programming perspective almost entirely unrelated to each other. – Charles Duffy Aug 01 '18 at 16:32
  • 1
    Moreover, the first half is duplicative of [how to append a string at the end of a specific line in bash](https://stackoverflow.com/questions/22159044/how-to-append-a-string-at-end-of-a-specific-line-in-a-file-in-bash), and the second is duplicative of [How to create hidden file in bash](https://stackoverflow.com/questions/17361792/how-to-create-a-hidden-file-in-bash). – Charles Duffy Aug 01 '18 at 16:34

2 Answers

0

All right, I changed my incorrect previous script to something that should work for you. People more experienced with sed than me could probably make the addition of the selinux line a one-liner, but this is what I've got:

#!/bin/bash
# Install the policy packages only if SELinux is currently disabled
if sestatus | grep -q disabled; then
    yum -y install selinux-policy selinux-policy-targeted policycoreutils-python
fi
# GRUB legacy keeps its config under /boot/grub on Amazon Linux / CentOS, not /etc/grub
menu=/boot/grub/menu.lst
outFile=$(mktemp)
while IFS= read -r line; do
    # first whitespace-separated word of the line ($line is quoted so spaces and globs survive)
    firstStr=$(printf '%s\n' "$line" | awk '{print $1;}')
    if [[ $firstStr = 'kernel' ]] ; then
        printf '%s selinux=1 security=selinux\n' "$line" >> "$outFile"
    else
        printf '%s\n' "$line" >> "$outFile"
    fi
done < "$menu"
# write through the existing file instead of mv so its owner, mode and label are kept
cat "$outFile" > "$menu" && rm -f "$outFile"
touch /.autorelabel

This should work for you: what it will do is append the selinux line to any line that starts with kernel, then create an empty .autorelabel file in the root directory for you. You'll need to run the script as root because it will be creating and editing files in directories owned by root, but it will do exactly what you need.

AndreasKralj
  • 1
    `>/etc/grup/menu.lst` is *overwriting* the file, not appending to it. Moreover, the OP wants to append to the specific line with the kernel command line, not at the end of the whole file (adding `selinux=1 security=selinux` at the end of the file is not valid GRUB syntax). And "the root directory" for purpose of auto-relabel support is `/`, not `/root`. – Charles Duffy Aug 01 '18 at 20:54
  • Wow, you're totally right. Sorry, I was going fast and didn't notice that. I'll fix my answer accordingly. Just to understand, does OP want it appended to the kernel line like `kernel /boot/vmlinuz-2.6.32.130.el6.i686 ro root=LABEL=/1 rhgb quiet` --> `kernel /boot/vmlinuz-2.6.32.130.el6.i686 ro root=LABEL=/1 rhgb quiet selinux=1 security=selinux`? – AndreasKralj Aug 02 '18 at 14:39
0

Ended up using:

# Idempotent: skip everything if menu.lst already carries the parameters
if ! grep -q "selinux=1 security=selinux" /boot/grub/menu.lst; then
    yum -y install selinux-policy selinux-policy-targeted policycoreutils-python
    # append the parameters to every (possibly indented) line that begins with "kernel"
    sed -i -e 's/^\s*kernel\s.*/& selinux=1 security=selinux/' /boot/grub/menu.lst
    yum -y update
    touch /.autorelabel
    echo "[Remediated] selinux enabled, reboot required"
else
    echo "[Skipping] selinux appears to be enabled"
fi

Lightbeard
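An added example, not code from the question or either answer: an idempotent shell helper that performs both steps (append the parameters only to kernel lines that do not already carry them, then create .autorelabel), taking the menu.lst path and the root directory as parameters so it can be tried on a scratch copy without root. The sample menu.lst is constructed from the kernel line quoted in the comments above; on a real host the arguments would be /boot/grub/menu.lst and /.

```bash
# Added example, not from the question or either answer. Idempotent helper:
# append kernel parameters to each "kernel" line of a GRUB legacy menu.lst
# that does not already carry them, then drop the .autorelabel marker.
# Paths are parameters so it can be exercised on a scratch copy without root.
set -eu
SELINUX_ARGS="selinux=1 security=selinux"

# add_kernel_args FILE ARGS: rewrites FILE in place; returns 0 if a line was
# changed, 1 if every kernel line already carried ARGS.
add_kernel_args() {
    file=$1; args=$2; changed=1
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        first=${trimmed%%[[:space:]]*}             # first word of the line
        case "$line" in
            *"$args"*) printf '%s\n' "$line" ;;    # already present
            *) if [ "$first" = kernel ]; then
                   printf '%s %s\n' "$line" "$args"; changed=0
               else
                   printf '%s\n' "$line"
               fi ;;
        esac
    done < "$file" > "$tmp"
    # write back through the existing file so its mode, owner and label survive
    cat "$tmp" > "$file"; rm -f "$tmp"
    return "$changed"
}

# enable_selinux MENU_LST ROOT_DIR (on a real host: /boot/grub/menu.lst and /)
enable_selinux() {
    if add_kernel_args "$1" "$SELINUX_ARGS"; then
        touch "$2/.autorelabel"           # triggers a full relabel at next boot
        echo "[Remediated] selinux enabled, reboot required"
    else
        echo "[Skipping] menu.lst already carries $SELINUX_ARGS"
    fi
}

# Constructed sample menu.lst: two entries, the first already patched
make_sample_menu() {
    cat > "$1" <<'EOF'
title CentOS (2.6.32.130.el6.i686)
    root (hd0,0)
    kernel /boot/vmlinuz-2.6.32.130.el6.i686 ro root=LABEL=/1 rhgb quiet selinux=1 security=selinux
title CentOS (2.6.32.130.el6.i686) rescue
    kernel /boot/vmlinuz-2.6.32.130.el6.i686 ro root=LABEL=/1 rhgb quiet
EOF
}
```

Running it twice on the same file shows the second call reports "[Skipping]" and leaves the file byte-for-byte unchanged, which is what makes it safe to put in a configuration-management run.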