#!/bin/bash

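. /etc/init.d/functions

# spcack (Smack-style MAC) userspace tools and the spcackfs mount point.
chsmack=/usr/sbin/chsmack
smackctl=/usr/sbin/spcackctl
load=/usr/sbin/spcackload
spcackfs=/spcack

# The MAC policy is only installed when the /boot/security marker exists.
# Check it before touching the label file so a system without the marker
# exits quietly instead of emitting read errors first.
if [ ! -e "/boot/security" ]; then
    exit 0
fi

# Per-system label suffix. Every label below is derived from it, so an
# unreadable or empty label file would silently install rules for "tos-",
# "net-", ... instead of the intended labels; refuse to continue in that case
# rather than load a policy that names the wrong subjects and objects.
spcack_label=$(cat /etc/spcack/label)
if [ -z "$spcack_label" ]; then
    printf '%s\n' "/etc/spcack/label is missing or empty; not loading MAC policy" >&2
    exit 1
fi
tos_label="tos-$spcack_label"
php_fpm="php-fpm-$spcack_label"
data="data-$spcack_label"
net="net-$spcack_label"
docker="DockerEn-$spcack_label"

# Whitespace-separated list of MAC tools. Kept as a plain string because its
# consumer expands it unquoted (word-split into separate arguments).
all_smack_tool=$(find /usr/sbin/ -name "spcack*")
all_smack_tool+=" /usr/sbin/chsmack"
all_smack_tool+=" /usr/bin/spclabel"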

init_php() {
    # Give the php-fpm binary the "$php_fpm" exec label.
    $chsmack /usr/sbin/php-fpm7.4 -e "$php_fpm"

    # Access rules, one "subject object access" line per loader invocation:
    # php-fpm <-> tos, php-fpm -> data, php-fpm <-> net, php-fpm -> "_"
    # (the floor label). The last rule is deliberately broad; it is kept
    # verbatim from the original policy.
    local rule
    for rule in \
        "$php_fpm $tos_label rwxatl" \
        "$tos_label $php_fpm rwxatl" \
        "$php_fpm $data rwxatl" \
        "$net $php_fpm rwxatl" \
        "$php_fpm $net rwxatl" \
        "$php_fpm _ rwxatl"
    do
        printf '%s\n' "$rule" | $load
    done
}

init_net() {
    # Bidirectional access between the network label and the tos label.
    printf '%s\n' "$net $tos_label rwxlta" | $load
    printf '%s\n' "$tos_label $net rwxlta" | $load

    # Network labelling: loopback is handed to CIPSO, everything else is
    # labelled "$net". These are two separate writes on purpose; on the
    # spcackfs special file each write presumably registers its own entry
    # (on a regular file the second would overwrite the first) — confirm
    # against the kernel interface.
    local netlabel_file="$spcackfs/netlabel"
    printf '%s\n' "127.0.0.1/32 -CIPSO" > "$netlabel_file"
    printf '%s\n' "0.0.0.0/0 $net" > "$netlabel_file"
}

# Disable root super privileges
disable_root_privileges() {
    # $all_smack_tool is a whitespace-separated list assembled at the top of
    # the script; splitting it into words here is intentional.
    # shellcheck disable=SC2206
    local -a tools=($all_smack_tool)

    # Every MAC tool executes with the "root" label ...
    $chsmack "${tools[@]}" -e "root"

    # ... and only the root and docker labels keep the MAC capabilities
    # (presumably Smack's onlycap semantics: CAP_MAC_OVERRIDE/CAP_MAC_ADMIN are
    # honoured only for processes carrying one of the listed labels).
    printf '%s\n' "root $docker CAP_MAC_OVERRIDE CAP_MAC_ADMIN" > "$spcackfs/onlycap"
}

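load_strategy() {
    # Mark these directories transmuting (chsmack -t) so objects created
    # below them can pick up the directory's label.
    $chsmack /etc/nginx/conf.d -t
    $chsmack /etc/ -t
    $chsmack /var/ -t

    # Recursively label the LVM configuration with the tos label. The label
    # is quoted, consistent with the /dev/null line below, so an unexpected
    # label value can never be word-split into extra chsmack arguments.
    $chsmack -r -a "$tos_label" /etc/lvm/

    # Exec/access attribute adjustments for the shell and the daemon
    # launcher (see chsmack(8) for the -E / -A flags).
    $chsmack -E /bin/bash
    $chsmack -E -A /usr/sbin/start-stop-daemon
    $chsmack -a "$tos_label" /dev/null

    # Bulk access rules shipped with the system.
    $load /etc/spcack/accesses.d

    # tos <-> "_" (floor label) in both directions, and tos -> data.
    local rule
    for rule in \
        "$tos_label _ rwxlta" \
        "_ $tos_label rwxlta" \
        "$tos_label $data rwxlta"
    do
        printf '%s\n' "$rule" | $load
    done
}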

# Entry point. The order is deliberate: the base policy and tos rules are
# loaded first, then the network and php rules that build on them, and the
# MAC-capability lockdown runs last (presumably so every preceding chsmack
# and load call still executes before the restriction takes effect).
main() {
    load_strategy
    init_net
    init_php
    disable_root_privileges
}

main "$@"