diff --git a/selinux/.vagrant-provision.sh b/selinux/.vagrant-provision.sh
index 833971c..ec8ef82 100644
--- a/selinux/.vagrant-provision.sh
+++ b/selinux/.vagrant-provision.sh
@@ -2,21 +2,8 @@
 set -ex
-emerge-webrsync
-eselect profile set hardened/linux/amd64/no-multilib/selinux
-emerge sys-kernel/hardened-sources
-echo reboot required here?
-source /etc/profile
-emerge -1 checkpolicy policycoreutils
-echo another reboot?
-FEATURES="-selinux" emerge -1 selinux-base
-FEATURES="-selinux" emerge selinux-base-policy
-echo and another reboot?
-rlpkg -a -r
-rc-update add selinux_gentoo boot
-echo yet another reboot maybe?
-setsebool -P global_ssp on
-semanage login -a -s staff_u vagrant
-restorecon -R -F /home/vagrant
-semanage user -m -R "staff_r sysadm_r system_r" root
-semanage user -m -R "staff_r sysadm_r system_r" staff_u
+if [[ ! -e /vagrant/wipe ]] ; then
+ exit 0
+fi
+
+/vagrant/base-box-wipe.sh
diff --git a/selinux/Vagrantfile b/selinux/Vagrantfile
index de47028..ae92408 100644
--- a/selinux/Vagrantfile
+++ b/selinux/Vagrantfile
@@ -1,5 +1,6 @@
 Vagrant.configure('2') do |config|
- config.vm.box = 'meatballhat/gentoo-amd64'
+ config.vm.box = 'meatballhat/gentoo-hardened'
+ config.vm.box_version = '>= 0.1.2'
 config.vm.provision 'shell', path: '.vagrant-provision.sh'
 config.vm.provision 'shell', path: '.vagrant-provision-as-vagrant.sh', privileged: false
diff --git a/selinux/base-box-wipe.sh b/selinux/base-box-wipe.sh
new file mode 100644
index 0000000..91f1cb7
--- /dev/null
+++ b/selinux/base-box-wipe.sh
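Review bot: The new gate never consumes `/vagrant/wipe`, so every later `vagrant provision` run repeats the destructive wipe (zero-filling `/`, `/boot` and the swap device) as root until someone deletes the file on the host; either remove the trigger after the wipe succeeds, e.g. `/vagrant/base-box-wipe.sh && rm -f /vagrant/wipe`, or state in a comment that it is a one-shot opt-in that must be removed by hand. The script is also invoked by path under `set -e`, so provisioning aborts if the synced-folder copy lost its executable bit on the host side; `bash /vagrant/base-box-wipe.sh` does not depend on that. A one-line comment above the `if`, such as `# Opt-in: a file named /vagrant/wipe triggers the base-box cleanup below`, would make the intent visible to readers of the provisioner.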
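Review bot: `config.vm.box_version = '>= 0.1.2'` is an open floor, so any newer `meatballhat/gentoo-hardened` release is pulled in silently and the provisioners below run on a base that was never tested with them; a pessimistic constraint such as `config.vm.box_version = '~> 0.1.2'` (or an exact version) keeps the box choice reproducible. The `Vagrant.configure` block continues past the end of the hunk, so any further box settings there are not visible here.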
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -ex
+
+rm -rf /usr/portage /usr/src /tmp/* /var/tmp/*
+
+dd if=/dev/zero of=/EMPTY bs=1M || true
+rm -f /EMPTY
+
+unset HISTFILE
+rm -f /root/.bash_history
+rm -f /home/vagrant/.bash_history
+
+find /var/log -type f | while read f; do echo -ne '' > $f; done
+
+count=`df --sync -kP / | tail -n1 | awk -F ' ' '{print $4}'`
+let count--
+dd if=/dev/zero of=/tmp/whitespace bs=1024 count=$count || true
+rm /tmp/whitespace
+
+count=`df --sync -kP /boot | tail -n1 | awk -F ' ' '{print $4}'`
+let count--
+dd if=/dev/zero of=/boot/whitespace bs=1024 count=$count || true
+rm /boot/whitespace
+
+swappart=`cat /proc/swaps | tail -n1 | awk -F ' ' '{print $1}'`
+swapoff $swappart
+dd if=/dev/zero of=$swappart || true
+mkswap $swappart
+swapon $swappart
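Review bot: The swap block assumes a swap entry exists: when `/proc/swaps` holds only its header, `tail -n1 | awk '{print $1}'` yields the word `Filename`, `swapoff Filename` fails and `set -e` aborts the wipe with a confusing error, so select only lines whose first field starts with `/` and skip the block when the result is empty. `mkswap $swappart` also assigns a fresh UUID, which leaves an `/etc/fstab` entry that references the swap by UUID dead at next boot — if that applies to this box, read it first with `blkid -s UUID -o value "$swappart"` and pass it back via `mkswap -U`. The log-truncation loop uses `read` without `-r` and expands `$f` unquoted, so a log name with whitespace or a backslash is split or mangled; `find /var/log -type f -exec truncate -s 0 {} +` does the same job without the loop. `let count--` returns non-zero when the decremented value is 0, which `set -e` treats as a failure; `count=$((count - 1))` avoids that on both `df` lines.

```shell
# … unchanged: package cache, history and free-space wipe …
swappart=$(awk 'NR > 1 && $1 ~ /^\// { print $1 }' /proc/swaps | tail -n1)
if [[ -n "$swappart" ]]; then
  swapuuid=$(blkid -s UUID -o value "$swappart" || true)
  swapoff "$swappart"
  dd if=/dev/zero of="$swappart" || true
  if [[ -n "$swapuuid" ]]; then
    mkswap -U "$swapuuid" "$swappart"
  else
    mkswap "$swappart"
  fi
  swapon "$swappart"
fi
```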