-rw-r--r-- | preseed.cfg | 5 | ||||
-rw-r--r-- | src/fripost-postinst-udeb/debian/templates | 8 | ||||
-rwxr-xr-x | src/fripost-postinst-udeb/finish-install.d/07fripost | 37 |
3 files changed, 0 insertions, 50 deletions
diff --git a/preseed.cfg b/preseed.cfg
index 05f027d..66b1426 100644
--- a/preseed.cfg
+++ b/preseed.cfg
@@ -47,11 +47,6 @@ d-i fripost/partition-script string /cdrom/include/partition.sh
 # for dropbear. (Default: false)
 #d-i fripost/dropbear-use-openssh-key boolean false
-# Install and activate (in enforcing mode) SELinux? Note that activating
-# SELinux requires a dummy reboot to label all files. So if you have full-disk
-# encryption, you'll have to send the password twice to dropbear. (Default: false)
-#d-i fripost/activate-selinux boolean false
-
 # Keep /media and its kids' entries in the fstab? /media (and its related
 # entries in the fstab) can safely be removed on a headless server. (Default:
 # false)
diff --git a/src/fripost-postinst-udeb/debian/templates b/src/fripost-postinst-udeb/debian/templates
index 1be33c0..9adf898 100644
--- a/src/fripost-postinst-udeb/debian/templates
+++ b/src/fripost-postinst-udeb/debian/templates
@@ -17,14 +17,6 @@ Default: false
 Description: Use the same key for dropbear and OpenSSH?
 If False, generate a dedicated key for dropbear.
-Template: fripost/activate-selinux
-Type: boolean
-Default: false
-Description: Install and activate (in enforcing mode) SELinux?
- Note that activating SELinux requires a dummy reboot to label all
- files. So if you have full-disk encryption, you'll have to send the
- password twice to dropbear.
-
 Template: fripost/keep-media-directory
 Type: boolean
 Default: false
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index d4e05bb..e583d5a 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -133,43 +133,6 @@ cp /var/lib/fripost/sshd_config /target/etc/ssh/sshd_config
 #######################################################################
-# Install and activate SELinux
-# TODO: would be better to have our own policy instead of amending the
-# default one.
-
-db_get fripost/activate-selinux
-if [ "$RET" = true ]; then
- progress "Installing SELinux"
- # Recommended packages include graphical tools...
- /bin/in-target /usr/bin/debconf-apt-progress --no-progress -- \
- apt-get -y install --no-install-recommends \
- selinux-basics selinux-policy-default selinux-policy-dev auditd
- progress "Activating SELinux"
- /bin/in-target /usr/sbin/selinux-activate
-
- sed -ri 's/^#?\s*(FSCKFIX)=(yes|no)\s*(\s#.*)?$/\1=yes/' \
- /target/etc/default/rcS
-
- progress "Running update-grub"
- grep -q '^GRUB_CMDLINE_LINUX=' /target/etc/default/grub \
- || fatal "Missing definition of 'GRUB_CMDLINE_LINUX' in /etc/default/grub"
- GRUB_CMDLINE="console=tty0 security=selinux enforcing=1"
- # ^ TODO: we should leave (non SELinux-related) existing
- # configuration options
- sed -ri "s/^(GRUB_CMDLINE_LINUX)=.*/\1=\"$GRUB_CMDLINE\"/" \
- /target/etc/default/grub
- /bin/in-target /usr/sbin/update-grub
-
- if /bin/in-target /bin/sh -c "dpkg-query -s postfix >/dev/null 2>&1"; then
- progress "Running postfix-nochroot"
- echo 'SYNC_CHROOT=n' >> /target/etc/default/postfix
- /bin/in-target /usr/sbin/postfix-nochroot
- fi
- # TODO: in a crontab: check-selinux-installation
-fi
-
-
-#######################################################################
 # Remove unnecessary packages
 # TODO: check for dummy packages / RCs in a weekly crontab. |