diff --git a/install.sh b/install.sh
index f07b464..68dbb6e 100755
--- a/install.sh
+++ b/install.sh
@@ -136,7 +136,9 @@ fi
 ./install_configure_selinux.sh
-./install_configure_sshd.sh
+if ! ./install_configure_sshd.sh; then
+ exit 1
+fi
 cat > /etc/cron.d/import_users << EOF
 SHELL=/bin/bash
diff --git a/install_configure_selinux.sh b/install_configure_selinux.sh
index a9d76f8..9e59cf2 100755
--- a/install_configure_selinux.sh
+++ b/install_configure_selinux.sh
@@ -14,6 +14,27 @@ if [[ "$retval" -eq "0" ]]; then
 retval=0
 selinuxenabled || retval=$?
 if [[ "$retval" -eq "0" ]]; then
- setsebool -P nis_enabled on
+ if ! setsebool -P nis_enabled on; then
+ if which checkmodule > /dev/null 2>&1; then
+ tmpdir="$(mktemp -d)"
+
+ cat < "$tmpdir/aws-ec2-ssh.te"
+module mypol 1.0;
+
+require {
+ type sshd_t;
+ type usr_t;
+ class file { execute execute_no_trans };
+}
+
+#============= sshd_t ==============
+allow sshd_t usr_t:file { execute execute_no_trans };
+EOF
+ checkmodule -M -m -o "$tmpdir/aws-ec2-ssh.mod" "$tmpdir/aws-ec2-ssh.te" > /dev/null 2>&1
+ semodule_package -o "$tmpdir/aws-ec2-ssh.pp" -m "$tmpdir/aws-ec2-ssh.mod" > /dev/null 2>&1
+ semodule -i "$tmpdir/aws-ec2-ssh.pp" > /dev/null 2>&1
+ rm -rf "$tmpdir"
+ fi
+ fi
 fi
 fi
diff --git a/install_configure_sshd.sh b/install_configure_sshd.sh
index e7b9564..5183670 100755
--- a/install_configure_sshd.sh
+++ b/install_configure_sshd.sh
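Review bot: The new guard exits 1 without any diagnostic, so a failed install_configure_sshd.sh run leaves nothing in the output that says why install.sh stopped; `./install_configure_sshd.sh || { printf 'install_configure_sshd.sh failed\n' >&2; exit 1; }` keeps the abort and names the step. The call to ./install_configure_selinux.sh on the context line above remains unchecked; if that is deliberate best-effort, a one-line comment saying so would keep the next reader from "fixing" it the same way.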
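Review bot: checkmodule, semodule_package and semodule in the new fallback branch are each run with output discarded and no status check, so if any of them fails the policy module is silently not installed and the script carries on as if it were; the `which checkmodule` test also only proves that the first of the three tools exists. Each step should be checked and a message sent to stderr on failure (see below), with `command -v` in place of `which` and the `:?` guard on the temp dir before `rm -rf`. The heredoc opener is shown here as `cat < "$tmpdir/aws-ec2-ssh.te"`, which would read the file rather than write it; if that is not a rendering artifact it needs to be `cat > "$tmpdir/aws-ec2-ssh.te" << 'EOF'`. The allow rule grants sshd_t execute on every usr_t file, which is wider than one command needs; a comment stating which binary this is for would help, and relabeling that one file via `semanage fcontext` to a type sshd_t may already execute is a narrower option worth considering.
```shell
        # … unchanged: heredoc writing "$tmpdir/aws-ec2-ssh.te" …
        # Every step is checked: a silent failure here would leave the policy uninstalled.
        if ! checkmodule -M -m -o "$tmpdir/aws-ec2-ssh.mod" "$tmpdir/aws-ec2-ssh.te" \
            || ! semodule_package -o "$tmpdir/aws-ec2-ssh.pp" -m "$tmpdir/aws-ec2-ssh.mod" \
            || ! semodule -i "$tmpdir/aws-ec2-ssh.pp"; then
          printf 'warning: could not install SELinux module aws-ec2-ssh\n' >&2
        fi
        rm -rf -- "${tmpdir:?}"
```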
@@ -8,10 +8,20 @@ else
 fi
 fi
-if grep -q '#AuthorizedKeysCommandUser nobody' "$SSHD_CONFIG_FILE"; then
- sed -i "s:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g" "$SSHD_CONFIG_FILE"
+if grep -aq 'AuthorizedKeysCommandUser' "$SSHD_CONFIG_FILE"; then
+ if grep -q '#AuthorizedKeysCommandUser nobody' "$SSHD_CONFIG_FILE"; then
+ sed -i "s:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g" "$SSHD_CONFIG_FILE"
+ else
+ if ! grep -q 'AuthorizedKeysCommandUser nobody' "$SSHD_CONFIG_FILE"; then
+ echo "AuthorizedKeysCommandUser nobody" >> "$SSHD_CONFIG_FILE"
+ fi
+ fi
 else
- if ! grep -q 'AuthorizedKeysCommandUser nobody' "$SSHD_CONFIG_FILE"; then
- echo "AuthorizedKeysCommandUser nobody" >> "$SSHD_CONFIG_FILE"
+ if grep -q '#AuthorizedKeysCommandRunAs nobody' "$SSHD_CONFIG_FILE"; then
+ sed -i "s:#AuthorizedKeysCommandRunAs nobody:AuthorizedKeysCommandRunAs nobody:g" "$SSHD_CONFIG_FILE"
+ else
+ if ! grep -q 'AuthorizedKeysCommandRunAs nobody' "$SSHD_CONFIG_FILE"; then
+ echo "AuthorizedKeysCommandRunAs nobody" >> "$SSHD_CONFIG_FILE"
+ fi
 fi
 fi
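Review bot: The outer test `grep -aq 'AuthorizedKeysCommandUser'` treats the mere presence of that word in sshd_config as proof that the installed sshd understands AuthorizedKeysCommandUser; on a host whose shipped config lacks the commented-out example line, the script drops into the else branch and appends `AuthorizedKeysCommandRunAs nobody`, and an sshd that does not know that directive will typically refuse its config at the next restart. Decide from sshd itself rather than from the config text — for example whether `sshd -T` output contains `authorizedkeyscommanduser` — and validate the edited file before returning with `sshd -t -f "$SSHD_CONFIG_FILE" || { printf 'sshd rejected %s after edit\n' "$SSHD_CONFIG_FILE" >&2; exit 1; }` so that the new exit check in install.sh actually fires. The two branches differ only in the directive name, so a small helper taking the name would replace the duplicated nested else/if pairs (which also read more simply as `elif`). `-a` is passed only to the outer grep; the inner greps on the same file should either match it or drop it.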