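#!/bin/sh
# Sanity-check an SELinux installation and its surrounding configuration.
#
# Every check reports a WARNING/NOTICE line on stderr; a few of them also
# repair the problem in place (stale TTY device nodes are removed, /selinux is
# created, /var/run/motd is removed).  Those repairs write to /dev, / and
# /var/run, so the script is meant to be run by root.  No failure is fatal:
# each check runs independently and the script always continues to the next.
#
# Portability: only POSIX sh constructs are used (no bashisms, no `egrep`,
# no GNU-only `\s` in regular expressions).

# warn MESSAGE...
#   Print one diagnostic line on stderr.  All diagnostics go through here so
#   none of them leak onto stdout, where a caller capturing output would
#   mistake them for results.
warn() {
	printf '%s\n' "$*" >&2
}

# file_matches FILE ERE
#   True when FILE is readable and contains a line matching the extended
#   regular expression ERE.  A missing or unreadable file counts as "no
#   match" and produces no grep error noise.
file_matches() {
	[ -r "$1" ] && grep -Eq -- "$2" "$1"
}

printf '%s\n' 'Checking SELinux installation...'

# is selinux enabled
if ! selinuxenabled; then
	warn 'WARNING: SELinux is currently not enabled.'
fi

# reasonable process settings?  PID 1 must carry the init domain, otherwise
# the policy was not (or not correctly) loaded at boot.
if ! getfilecon /proc/1 | grep -q system_u:system_r:init_t; then
	warn 'WARNING: Your init process is running the wrong label -'
	warn 'could a proper policy be loaded on startup?'
fi

# check for processes running in kernel_t incorrectly
# Note that this isn't entirely reliable, no rootkit protection!
# Real kernel threads have an empty /proc/PID/maps; a userspace process in
# kernel_t has mappings and is reported.  The glob is intentionally unquoted
# (one argument per PID directory); getfilecon prints "path<TAB>context", so
# `cut -f 1` keeps the path.
for dir in $(getfilecon /proc/[0-9]* | grep system_u:system_r:kernel_t | cut -f 1); do
	# A process that exits between listing and reading is not a finding, so
	# the read error is suppressed rather than reported.
	if [ -n "$(cat "$dir/maps" 2>/dev/null)" ]; then
		pid=${dir#/proc/}
		warn "WARNING: Process $pid is running with kernel_t privileges!"
	fi
done

# Test for old-style ttys.  The shell globs directly instead of parsing `ls`
# output; when nothing matches the literal pattern is left behind, which the
# -e test skips.  The notice is printed once, before the first removal.
old_ttys_seen=0
for tty in /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]; do
	[ -e "$tty" ] || continue
	if [ "$old_ttys_seen" -eq 0 ]; then
		warn 'NOTICE: you still have old-style TTYs.. removing them.'
		old_ttys_seen=1
	fi
	rm -- "$tty"
done

# check for /selinux
if [ ! -e /selinux ]; then
	warn 'WARNING: you are missing /selinux - fixing'
	mkdir /selinux
fi

# check for pam_selinux in /etc/pam.d/login and /etc/pam.d/ssh
pam_selinux_re='^[[:space:]]*session[[:space:]]*required[[:space:]]*pam_selinux.so'
for pamfile in /etc/pam.d/login /etc/pam.d/ssh; do
	if ! file_matches "$pamfile" "$pam_selinux_re"; then
		warn "WARNING: you don't have pam_selinux in $pamfile"
		warn 'TODO: you need to fix this yourself!'
	fi
done

# check postfix.  Only meaningful when postfix is installed; without the
# defaults file the old unguarded grep would have reported chroot syncing
# on every system.
if [ -r /etc/default/postfix ] &&
   ! file_matches /etc/default/postfix '^[[:space:]]*SYNC_CHROOT=.*n'; then
	warn 'WARNING: you are syncing the postfix chroot, but this is currently not'
	warn 'supported by the SELinux policies. Disable any chroots in postfix!'
fi

# check update motd
if file_matches /etc/default/rcS '^[[:space:]]*EDITMOTD=.*yes'; then
	warn 'WARNING: you are updating /var/run/motd on boot'
	warn 'TODO: you can disable it by editing /etc/default/rcS'
fi

# check for updated motd
if [ -e /var/run/motd ]; then
	warn 'WARNING: you have a /var/run/motd file, which is not supported'
	warn 'Removing the file, disable creation yourself in /etc/default/rcS'
	rm -- /var/run/motd
fi

# check fsckfix
if file_matches /etc/default/rcS '^[[:space:]]*FSCKFIX=.*no'; then
	warn "NOTICE: your system won't automatically correct filesystem errors"
	warn 'TODO: edit /etc/default/rcS to have them automatically fixed'
fi

# check xconsole in the sysklogd init script ([[:space:]] replaces the
# non-POSIX \s so the check also works with a non-GNU grep)
if file_matches /etc/init.d/sysklogd '^[^#]*create_xconsole[[:space:]]*$'; then
	warn 'WARNING: your system still has /dev/xconsole enabled in sysklogd'
	warn 'TODO: Remove the last create_xconsole line in /etc/init.d/sysklogd'
fi

# check xconsole in the syslog configuration
if file_matches /etc/syslog.conf '^[^#]*xconsole'; then
	warn 'WARNING: your system still has /dev/xconsole enabled in syslog'
	warn 'TODO: Remove this section from /etc/syslog.conf'
fi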
