CISS.debian.installer/func/cdi_4600_packages/4610_installation_security.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Installs the desired security extension framework.
# Globals:
#   TARGET
#   VAR_SEC_FW
#   VAR_SSH_PORT
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
installation_security() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4610_installation_security.log"
  declare -ar ary_apparmor=( "apparmor" "apparmor-profiles" "apparmor-profiles-extra" "apparmor-utils" )
  declare -ar ary_selinux=( "selinux-basics" "selinux-policy-default" "selinux-utils" "setools" "semodule-utils" "sepol-utils" \
    "policycoreutils" "policycoreutils-python-utils" "checkpolicy" "python3-setools" )
  declare -a  ary_fw=("${ary_selinux[@]}")

  chroot_logger "${TARGET}${var_logfile}"

  [[ "${VAR_SEC_FW}" == "apparmor" ]] && ary_fw=("${ary_apparmor[@]}")
  [[ "${VAR_SEC_FW}" == "selinux"  ]] && ary_fw=("${ary_selinux[@]}")

  chroot_script "${TARGET}" "
    export INITRD=No
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}

    if [[ ${VAR_SEC_FW} == apparmor ]]; then
      systemctl enable apparmor 2>&1 | tee -a ${var_logfile} || true
    fi
  "

  if [[ "${VAR_SEC_FW}" == "selinux" ]]; then

    mkdir -p "${TARGET}/etc/selinux" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"

    [[ -f "${TARGET}/etc/selinux/config" ]] && mv "${TARGET}/etc/selinux/config" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"

    insert_header   "${TARGET}/etc/selinux/config"
    insert_comments "${TARGET}/etc/selinux/config"
    cat << 'EOF' >> "${TARGET}/etc/selinux/config"
# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:
#   enforcing : SELinux security policy is enforced.
#   permissive: SELinux prints warnings instead of enforcing.
#   disabled  : SELinux policy is not loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
#   default: equivalent to the old strict and targeted policies.
#   mls    : Multi-Level Security (for military and educational use).
#   src    : Custom policy built from source.
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

    ### Trigger a full relabeling on the first boot of the target.
    touch "${TARGET}/.autorelabel"

    chroot_script "${TARGET}" "
      semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
    "

    ### Enable PAM SELinux modules in common-session configs.
    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"

    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session"
session    required     pam_selinux.so close
session    required     pam_selinux.so open
EOF

    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session-noninteractive"
session    required     pam_selinux.so close
session    required     pam_selinux.so open
EOF

  fi

  guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f installation_security
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh