V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4600_packages/4610_installation_security.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installs the desired security extension framework.
+# Globals:
+#   TARGET
+#   VAR_SEC_FW
+#   VAR_SSH_PORT
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_security() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4610_installation_security.log"
+  declare -ar ary_apparmor=( "apparmor" "apparmor-profiles" "apparmor-profiles-extra" "apparmor-utils" )
+  declare -ar ary_selinux=( "selinux-basics" "selinux-policy-default" "selinux-utils" "setools" "semodule-utils" "sepol-utils" \
+    "policycoreutils" "policycoreutils-python-utils" "checkpolicy" "python3-setools" )
+  declare -a  ary_fw=("${ary_selinux[@]}")
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  [[ "${VAR_SEC_FW}" == "apparmor" ]] && ary_fw=("${ary_apparmor[@]}")
+  [[ "${VAR_SEC_FW}" == "selinux"  ]] && ary_fw=("${ary_selinux[@]}")
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+
+    if [[ ${VAR_SEC_FW} == apparmor ]]; then
+      systemctl enable apparmor 2>&1 | tee -a ${var_logfile} || true
+    fi
+  "
+
+  if [[ "${VAR_SEC_FW}" == "selinux" ]]; then
+
+    mkdir -p "${TARGET}/etc/selinux" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
+
+    [[ -f "${TARGET}/etc/selinux/config" ]] && mv "${TARGET}/etc/selinux/config" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
+
+    insert_header   "${TARGET}/etc/selinux/config"
+    insert_comments "${TARGET}/etc/selinux/config"
+    cat << 'EOF' >> "${TARGET}/etc/selinux/config"
+# This file controls the state of SELinux on the system.
+
+# SELINUX= can take one of these three values:
+#   enforcing : SELinux security policy is enforced.
+#   permissive: SELinux prints warnings instead of enforcing.
+#   disabled  : SELinux policy is not loaded.
+SELINUX=permissive
+
+# SELINUXTYPE= can take one of these two values:
+#   default: equivalent to the old strict and targeted policies.
+#   mls    : Multi-Level Security (for military and educational use).
+#   src    : Custom policy built from source.
+SELINUXTYPE=default
+
+# SETLOCALDEFS= Check local definition changes
+SETLOCALDEFS=0
+
+EOF
+
+    ### Trigger a full relabeling on the first boot of the target.
+    touch "${TARGET}/.autorelabel"
+
+    chroot_script "${TARGET}" "
+      semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
+    "
+
+    ### Enable PAM SELinux modules in common-session configs
+    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
+    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"
+
+    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session"
+session    required     pam_selinux.so close
+session    required     pam_selinux.so open
+EOF
+
+    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session-noninteractive"
+session    required     pam_selinux.so close
+session    required     pam_selinux.so open
+EOF
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh