#!/bin/sh

# initramfs-tools hook ordering: this script must run after "security_set".
PREREQ="security_set"

# Print the names of the hooks this script depends on (initramfs-tools protocol).
prereqs()
{
	printf '%s\n' "$PREREQ"
}

# initramfs-tools first invokes every hook with "prereqs" to compute the run
# order; answer with the dependency list and stop right there.
case "$1" in
prereqs)
	prereqs
	exit 0
	;;
esac

. /scripts/functions

# Legacy sysfs entry for 3adm; kept for reference only, not used below.
#sysfs_entry=/sys/kernel/security/kysec/3adm

# Scratch directory on the real root where the 3adm status hand-off file lives.
kysec_tmp="${rootmnt}/etc/kysec/tmp"
# kysec userspace initialiser; defined here but not invoked by this hook.
kysec_init=/usr/sbin/kysec-init

# securityfs mount point and the kysec (ksaf) status node used to switch the
# system exec-control mode to soft mode while this hook runs.
securityfs_mnt=/sys/kernel/security
kysec_status_path="${securityfs_mnt}/ksaf/status"

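#######################################
# Report the current kysec (ksaf) status from securityfs.
# Globals:   kysec_status_path (read)
#            kysec_status (written; POSIX sh has no local variables)
# Outputs:   the content of the status node on stdout, or 0 when the node is
#            missing, unreadable or empty
# Returns:   0
#######################################
kysec_is_enabled(){
	kysec_status=""
	# -r rather than -e: a node that exists but cannot be read must not be
	# mistaken for "enabled".
	if [ -r "$kysec_status_path" ]; then
		kysec_status=$(cat "$kysec_status_path" 2>/dev/null)
	fi
	# An empty result would later be compared against "0" (enabled) and then
	# written back by set_kysec_status as an empty status; report 0 instead.
	if [ -n "$kysec_status" ]; then
		echo "$kysec_status"
	else
		echo 0
	fi
}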

# Remember the status in effect before this hook changes anything, so it can be
# restored at the end.
kysec_enabled=$(kysec_is_enabled)

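#######################################
# Write a new kysec (ksaf) status to securityfs.
# Globals:   kysec_status_path (read)
# Arguments: $1 - status value to write (this hook uses 4 = permissive, and
#                 the saved kysec_enabled value to restore the previous mode)
# Returns:   non-zero when the status node cannot be opened for writing
#######################################
set_kysec_status(){
	# printf instead of echo so the value reaches the node verbatim (echo would
	# interpret e.g. "-n"); both expansions quoted so nothing is word-split.
	printf '%s\n' "$1" > "$kysec_status_path"
}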


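#######################################
# Hand the kysec/SELinux configuration trees and the audit trees to the owner
# required by the three-administrator ("3adm") mode.
# Globals:   rootmnt (read) - mount point of the real root filesystem
#            user, uid, auduid, audit_owner, audit_dir (written; POSIX sh has
#            no local variables, auduid is reset here so a stale value cannot
#            leak in from the environment)
# Arguments: $1 - 3adm mode: 0 = single root administrator (uid 0),
#                 1 = separate security admin (uid 600) and audit admin (uid 700)
# Returns:   0 after applying ownership; 1, without touching anything, when $1
#            is empty or not a known mode (the original fell through with an
#            empty uid in that case)
#######################################
set_3adm_env()
{
	auduid=""
	case "$1" in
		0)
			user="root"
			uid="0"
			;;
		1)
			user="secadm"
			uid="600"
			auduid="700"
			;;
		*)
			# Unknown or missing mode: refuse rather than run chown -R over
			# system trees with an empty owner.
			return 1
			;;
	esac

	[ -f "${rootmnt}/etc/kysec/kysec.conf" ] && chown "$uid":"$uid" "${rootmnt}/etc/kysec/kysec.conf"
	###[ -f ${rootmnt}/etc/kysec/netctl/netctl.xml ] && chown "$uid":"$uid" ${rootmnt}/etc/kysec/netctl/netctl.xml
	[ -d "${rootmnt}/etc/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/etc/selinux"
	[ -d "${rootmnt}/usr/share/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/usr/share/selinux" > /dev/null 2>&1
	[ -d "${rootmnt}/var/lib/sepolgen" ] && chown -R "$uid":"$uid" "${rootmnt}/var/lib/sepolgen"
	[ -d "${rootmnt}/var/lib/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/var/lib/selinux"

	# The audit trees belong to the audit administrator only in mode 1;
	# otherwise they follow the same owner as the rest.
	if [ -n "$auduid" ]; then
		audit_owner="$auduid"
	else
		audit_owner="$uid"
	fi
	for audit_dir in "${rootmnt}"/etc/audi*; do
		# An unmatched glob leaves the literal pattern behind; skip it instead
		# of feeding it to chown.
		[ -e "$audit_dir" ] || continue
		chown -R "$audit_owner":"$audit_owner" "$audit_dir"
	done
	[ -d "${rootmnt}/var/log/audit" ] && chown -R "$audit_owner":"$audit_owner" "${rootmnt}/var/log/audit"
	return 0
}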

# Drop kysec to permissive mode (status 4) for the rest of this hook, but only
# when it was enabled to begin with.
case "$kysec_enabled" in
	0) ;;
	*) set_kysec_status 4 ;;
esac

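# .3adm_status is handed over by the installed system; selinux.service from
# selinux-policy-common consumes it later and deletes it when done.
# -r rather than -f: an existing but unreadable file would otherwise produce an
# empty mode string for set_3adm_env.
if [ -r "${kysec_tmp}/.3adm_status" ];then
	adm_status=$(cat "${kysec_tmp}/.3adm_status")
	set_3adm_env "${adm_status}"
	# NOTE(review): new_3adm is not assigned anywhere in this hook; presumably
	# it is exported by /scripts/functions or the environment — confirm.
	if [ "x${new_3adm}" = "x1" ]; then
		# enable 3adm
		#echo "$new_3adm" > "$sysfs_entry"
		#rm -rf /.3adm
		log_success_msg "kysec 3adm enabled"
	fi
fi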

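# Restore the kysec status that was in effect before this hook switched to
# permissive mode. The value is quoted so that whatever the status node held
# is written back as a single argument rather than word-split.
if [ x"${kysec_enabled}" != x"0" ];then
	set_kysec_status "${kysec_enabled}"
fi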

