#!/bin/bash

###############################################################################
# Downloads/uploads folder
###############################################################################

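clear

echo "------------------------------------------------------------------------"
echo "Downloads/uploads folder (downloads_t)"
echo "------------------------------------------------------------------------"

echo "Restricted web browsers and mail clients (browser_restricted_t,
mail_restricted_t) are not allowed to access the user data, except for data
specifically labeled as download/upload data (downloads_t).

The default folder for download/upload data is ~/Downloads, but you can now
specify other folders with the same security type. The folder may or may not
already exist, but beware that this action will override the security context
of this folder."

echo ""
# -r keeps backslashes in the answer literal instead of treating them as escapes.
read -r -p "Do you wish to mark another folder as downloads_t? y/n: " flag

# Interactive loop: every accepted path gets a persistent downloads_t rule and
# is relabelled recursively. downloads_t is the one user-data type the
# restricted browser/mail domains may access, so each folder added here widens
# what those domains can reach.
while [ "$flag" == "y" ]; do
	# Leave the loop when stdin is exhausted instead of acting on an empty path.
	read -r -p "Enter full path to the folder name: " folderName || break

	# Strip every trailing slash. An answer of "/" or "//" collapses to the
	# empty string and is rejected below, so the filesystem root can never be
	# handed to the recursive relabel.
	while [[ "$folderName" == */ ]]; do
		folderName=${folderName%/}
	done

	if [[ "$folderName" != /* ]]; then
		# Also covers empty input and relative paths. Requiring a leading "/"
		# means the value can never be parsed as a command-line option.
		echo "Skipping: an absolute path other than / is required." >&2
	elif [ ! -d "$folderName" ] && ! mkdir "$folderName"; then
		# Do not label anything when the folder is missing and cannot be created
		# (for example the path names a regular file, or the parent is absent).
		echo "Skipping '$folderName': could not create the folder." >&2
	else
		# NOTE(review): semanage interprets the file spec as a regular
		# expression, so a path containing characters such as "." or "+" can
		# match more than the literal folder.
		# NOTE(review): with "-f d" and no "(/.*)?" suffix the rule covers only
		# the directory entry itself; how the contents end up labelled depends on
		# the policy - confirm.
		semanage fcontext -a -t "downloads_t" -f d "$folderName" \
			|| echo "Warning: semanage could not add a rule for '$folderName'." >&2
		restorecon -R "$folderName"
	fi

	read -r -p "Do you wish to mark another folder as downloads_t? y/n: " flag
done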

###############################################################################
# Private data folder
###############################################################################

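clear

# Create the default private-data folder. -p keeps a re-run of the script from
# failing because the folder already exists.
# NOTE(review): ~ expands to the HOME of whoever runs the script; when it is run
# as root or through sudo that may not be the desktop user's home - confirm.
# NOTE(review): the folder gets the caller's umask; SELinux labelling does not
# replace restrictive file permissions on a directory meant for keys.
mkdir -p ~/Private

echo "------------------------------------------------------------------------"
echo "Folder for private user data (private_t)"
echo "------------------------------------------------------------------------"

echo "Sensitive user data such as encryption keys or password databases should
be stored in a folder labeled private_t. Only a limited number of applications
can read these files, even less can modify them.

The default folder for private user data is ~/Private, but you can now specify
other folders with the same security type. The folder may or may not already
exist, but beware that this action will override the security context of this
folder."

echo ""

# -r keeps backslashes in the answer literal instead of treating them as escapes.
read -r -p "Do you wish to mark another folder as private_t? y/n: " flag

# Interactive loop: every accepted path gets a persistent private_t rule and is
# relabelled recursively.
while [ "$flag" == "y" ]; do
	# Leave the loop when stdin is exhausted instead of acting on an empty path.
	read -r -p "Enter full path to the folder name: " folderName || break

	# Strip every trailing slash. An answer of "/" or "//" collapses to the
	# empty string and is rejected below, so the filesystem root can never be
	# handed to the recursive relabel.
	while [[ "$folderName" == */ ]]; do
		folderName=${folderName%/}
	done

	if [[ "$folderName" != /* ]]; then
		# Also covers empty input and relative paths. Requiring a leading "/"
		# means the value can never be parsed as a command-line option.
		echo "Skipping: an absolute path other than / is required." >&2
	elif [ ! -d "$folderName" ] && ! mkdir "$folderName"; then
		# Do not label anything when the folder is missing and cannot be created
		# (for example the path names a regular file, or the parent is absent).
		echo "Skipping '$folderName': could not create the folder." >&2
	else
		# NOTE(review): semanage interprets the file spec as a regular
		# expression, so a path containing characters such as "." or "+" can
		# match more than the literal folder.
		# NOTE(review): with "-f d" and no "(/.*)?" suffix the rule covers only
		# the directory entry itself; how files already inside the folder end up
		# labelled depends on the policy - confirm before relying on private_t
		# to protect existing key material.
		semanage fcontext -a -t "private_t" -f d "$folderName" \
			|| echo "Warning: semanage could not add a rule for '$folderName'." >&2
		restorecon -R "$folderName"
	fi

	read -r -p "Do you wish to mark another folder as private_t? y/n: " flag
done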

###############################################################################
# Boolean values
###############################################################################

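clear

echo "------------------------------------------------------------------------"
echo "Setting up boolean flags"
echo "------------------------------------------------------------------------"

echo "Boolean flags determine whether some conditional parts of the policy
should be activated. We will now configure the values of the boolean flags,
that concern the appgroups modules. The full list of booleans and their values
can be obtained using getsebool, and changed with setsebool."

echo "------------------------------------------------------------------------"

#######################################
# Ask whether one SELinux boolean should be flipped away from the value this
# script assumes, and persist the change with setsebool -P when confirmed.
# The TRUE/FALSE wording in the prompt is the assumed value; the live value is
# not queried here (getsebool shows it), so on a re-run the prompt can be stale.
# Arguments: $1 - boolean name
#            $2 - assumed current value, "TRUE" or "FALSE"
# Outputs:   prompt and separator on stdout, warnings on stderr
#######################################
offer_toggle() {
	local name=$1 assumed=$2
	local prompt target answer

	if [ "$assumed" == "TRUE" ]; then
		prompt="This flag is set to TRUE. Do you wish to disable it? y/n: "
		target=0
	else
		prompt="This flag is set to FALSE. Do you wish to enable it? y/n: "
		target=1
	fi

	echo ""

	# When stdin is exhausted, fall back to "n" (leave the boolean untouched)
	# rather than re-prompting forever; a final unterminated answer is still
	# honoured.
	read -r -p "$prompt" answer || [ -n "$answer" ] || answer="n"
	while [ "$answer" != "y" ] && [ "$answer" != "n" ]; do
		read -r -p "Enter y/n: " answer || [ -n "$answer" ] || answer="n"
	done

	if [ "$answer" == "y" ]; then
		setsebool -P "$name" "$target" \
			|| echo "Warning: could not change $name." >&2
	fi

	echo "------------------------------------------------------------------------"
}

echo "1. Boolean: appgroups_allow_execmem"
echo "When this flag is set, appgroup domains are allowed to execute memory
mappings."
offer_toggle appgroups_allow_execmem TRUE

echo "2. Boolean: appgroups_allow_execstack"
echo "When this flag is set, appgroup domains are allowed to execute stack.
This is a dangerous privilege but some poorly implemented user applications
will not be able to function properly without these permissions."
offer_toggle appgroups_allow_execstack FALSE

echo "3. Boolean: appgroups_allow_execheap"
echo "When this flag is set, appgroup domains are allowed to execute heap.
This is a dangerous privilege but some poorly implemented user applications
will not be able to function properly without these permissions."
offer_toggle appgroups_allow_execheap FALSE

echo "4. Boolean: appgroups_exec_downloads"
echo "When this flag is set, the files in download/upload folders (downloads_t)
are excutable. Otherwise they cannot be executed and must first be moved to
a different directory or relabeled. Disabling this option is a security
precaution since it protects the user from executing untrusted content from the
internet."
offer_toggle appgroups_exec_downloads FALSE

echo "5. Boolean: appgroups_exec_shell"
echo "When this flag is set, appgroup domains are allowed to execute a shell."
offer_toggle appgroups_exec_shell TRUE

echo "6. Boolean: appgroups_exec_all_readable_files"
echo "When this flag is set, appgroup domains are allowed to execute all files
to which they already have read access - for example, temporary or configuration
files."
offer_toggle appgroups_exec_all_readable_files TRUE

echo "7. Boolean: appgroups_exec_all_executable_files"
echo "When this flag is set, appgroup domains are allowed to execute all files
that are marked as executable from the SELinux point of view, in the same domain
(i.e. without a domain transition)."
offer_toggle appgroups_exec_all_executable_files TRUE

echo "8. Boolean: appgroups_read_app_private_files"
echo "When this flag is not set, appgroup domains are only allowed to read
generic system files such as etc_t or tmp_t. When this flag is set, they are 
also allowed to read temporary and configuration files that are created by other
applications, and marked as private by them, e.g. mozilla_etc_t. This is not
recommended."
offer_toggle appgroups_read_app_private_files FALSE

echo "9. Boolean: appgroups_servers_for_network_general"
echo "When this flag is set, general network applications (network_general_t)
are allowed to create and run servers. Otherwise they are only allowed to create
and maintain network connections via TCP/UDP."
offer_toggle appgroups_servers_for_network_general TRUE

# NOTE(review): the description below says that setting the flag *restricts*
# network access, which reads as inverted relative to the boolean's name -
# confirm against the policy source before relying on either reading.
echo "10. Boolean: appgroups_network_for_default_domain"
echo "When this flag is set, the default user domain (confined_t) is restricted
from network access. Otherwise it will have the same networking privileges as
general network applications (network_general_t)."
offer_toggle appgroups_network_for_default_domain FALSE

echo "11. Boolean: appgroups_allow_gpg_for_default_domain"
echo "When this flag is set, the default user domain (confined_t) is allowed to
execute gpg agent and read/modify gpg files."
offer_toggle appgroups_allow_gpg_for_default_domain FALSE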

###############################################################################
# Fix for possibly incorrectly labeled NetworkManager data
###############################################################################

# Re-apply the policy's file contexts to NetworkManager's runtime directory,
# recursively, in case earlier labelling left entries with the wrong type.
nm_runtime_dir=/var/run/NetworkManager
restorecon -R "$nm_runtime_dir"

# Printed unconditionally: it marks the end of the script, not the success of
# every step above.
printf '%s\n' "Setup finished. Enjoy!"