SOPHAL/MYSOPHAL
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c733eac6bdbb977a5cc66d7870e116ab1a98ee0
MYSOPHAL/inc/system/requirement/selinux.class.php
BACHIR SOULDI 5c733eac6b Save new folder
2025-11-09 10:02:18 +01:00

139 lines
4.4 KiB
PHP
Raw Blame History

<?php
/**
* ---------------------------------------------------------------------
* GLPI - Gestionnaire Libre de Parc Informatique
* Copyright (C) 2015-2020 Teclib' and contributors.
*
* http://glpi-project.org
*
* based on GLPI - Gestionnaire Libre de Parc Informatique
* Copyright (C) 2003-2014 by the INDEPNET Development Team.
*
* ---------------------------------------------------------------------
*
* LICENSE
*
* This file is part of GLPI.
*
* GLPI is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* GLPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GLPI. If not, see <http://www.gnu.org/licenses/>.
* ---------------------------------------------------------------------
*/
namespace Glpi\System\Requirement;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
/**
* @since 9.5.0
*/
class SeLinux extends AbstractRequirement {
public function __construct() {
$this->title = __('Check SELinux configuration');
$this->optional = true;
}
protected function check() {
$is_slash_separator = DIRECTORY_SEPARATOR == '/';
$are_bin_existing = file_exists('/usr/sbin/getenforce') && file_exists('/usr/sbin/getsebool');
$are_functions_existing = function_exists('selinux_is_enabled')
&& function_exists('selinux_getenforce')
&& function_exists('selinux_get_boolean_active');
if (!$is_slash_separator || (!$are_bin_existing && !$are_functions_existing)) {
// This is not a SELinux system
$this->out_of_context = true;
$this->validated = false;
return;
}
if (function_exists('selinux_is_enabled') && function_exists('selinux_getenforce')) {
// Use https://pecl.php.net/package/selinux
if (!selinux_is_enabled()) {
$mode = 'disabled';
} else {
$mode = selinux_getenforce();
// Make it human readable, with same output as the command
if ($mode == 1) {
$mode = 'enforcing';
} else if ($mode == 0) {
$mode = 'permissive';
}
}
} else {
$mode = strtolower(exec('/usr/sbin/getenforce'));
}
if (!in_array($mode, ['enforcing', 'permissive', 'disabled'])) {
$mode = 'unknown';
}
//TRANS: %s is mode name (Permissive, Enforcing, Disabled or Unknown)
$this->title = sprintf(__('SELinux mode is %s'), ucfirst($mode));
if ('enforcing' !== $mode) {
$this->validated = false;
$this->validation_messages[] = __('For security reasons, SELinux mode should be Enforcing.');
return;
}
// No need to check file context as DirectoryWriteAccess requirements will show issues
$bools = [
'httpd_can_network_connect',
'httpd_can_network_connect_db',
'httpd_can_sendmail',
];
$has_missing_boolean = false;
foreach ($bools as $bool) {
if (function_exists('selinux_get_boolean_active')) {
$state = selinux_get_boolean_active($bool);
if ($state == 1) {
$state = 'on';
} else if ($state == 0) {
$state = 'off';
}
} else {
// command result is something like "httpd_can_network_connect --> on"
$state = preg_replace(
'/^.*(on|off)$/',
'$1',
strtolower(exec('/usr/sbin/getsebool ' . $bool))
);
}
if (!in_array($state, ['on', 'off'])) {
$state = 'unknown';
}
if ('on' !== $state) {
$has_missing_boolean = true;
$this->validation_messages[] = sprintf(
__('SELinux boolean %s is %s, some features may require this to be on.'),
$bool,
$state
);
}
}
$this->validated = !$has_missing_boolean;
if (!$has_missing_boolean) {
$this->validation_messages[] = __('SELinux configuration is OK.');
}
}
}
Reference in New Issue View Git Blame Copy Permalink