#!/bin/bash
#首次开启三权分立需要创建三权账户
# (The three separated-administrator accounts must exist before the
#  "three-power separation" is enabled for the first time.)


#step1:判断三权账户（sysadm/secadm/audadm）是否存在，若不存在，则创建用户
#       (step 1: check whether the accounts sysadm/secadm/audadm exist; create any that are missing)
#step2:配置三权账户
#       (step 2: configure them: wheel membership, SELinux user/login mappings, root lock-down)
#
# Usage: $0 {on|create|off|user}
# Every subcommand except "user" calls useradd/usermod/semanage directly and
# therefore has to run as root; "user" wraps its commands in sudo.


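# Login names of the three separated administrator accounts
# (system / security / audit).  Read by the subcommands below; marked
# readonly so no later assignment can silently redirect a mapping.
readonly SYS_ADM="sysadm"
readonly SEC_ADM="secadm"
readonly AUD_ADM="audadm"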


restore(){
    # Undo admin3_on: switch the two policy booleans back on, unlock root
    # and map it (and the default login) back to unconfined_u, reset the
    # user_u range to s0, drop the three admin login mappings and relabel
    # /root and /home.  Every step is best-effort: no status is checked.
    # The Linux accounts themselves, their wheel membership and the
    # ownership of /var/log/uharden are left as they are.
    local login

    semanage boolean  -m --on open_deepin_blist
    semanage boolean  -m --on off_admins_switch

    usermod -U root

    semanage login -m -s unconfined_u root
    semanage login -m -s unconfined_u __default__
    semanage user -m user_u -r s0

    restorecon -FR -v /root > /dev/null 2>&1

    # Remove the login mappings in the same order the original listed them.
    for login in "$SYS_ADM" "$SEC_ADM" "$AUD_ADM"; do
        semanage login -d "$login" > /dev/null 2>&1
    done

    restorecon -FR -v /home > /dev/null 2>&1
}

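user_add(){
        # Create the three admin accounts if they are missing and (re)set
        # their passwords interactively.  Unlike the other subcommands this
        # one wraps each command in sudo, so it can be started by an
        # unprivileged operator.
        # Exits 3 as soon as useradd or passwd fails.
        # A local loop variable is used instead of the original USER so the
        # caller's $USER environment variable is not overwritten.
        local account

        for account in "$SYS_ADM" "$SEC_ADM" "$AUD_ADM"; do
                if ! id -u "$account" > /dev/null 2>&1; then
                        sudo useradd -m -s /bin/bash "$account" || exit 3
                fi
                # passwd prompts on the terminal; non-zero means the
                # password was not set.
                sudo passwd "$account" || exit 3
        done
}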


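admin3_create(){
        # Create any of the three admin accounts that do not exist yet
        # (home directory, bash shell, no password).  Runs useradd
        # directly, so it needs root.
        # Exits 3 on the first useradd failure instead of silently
        # continuing; the original ignored the status entirely.
        local account

        for account in "$SYS_ADM" "$SEC_ADM" "$AUD_ADM"; do
                if ! id -u "$account" > /dev/null 2>&1; then
                        useradd -m -s /bin/bash "$account" || exit 3
                fi
        done
}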


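#######################################
# Map one Linux account to an SELinux user, creating or updating both the
# SELinux user and the login mapping as needed.
# Arguments:
#   $1 - Linux account name
#   $2 - SELinux user (e.g. sysadm_u)
#   $3 - role list for the SELinux user, passed as one word
# Exits 2 if the SELinux user cannot be added/modified and 1 if the login
# mapping cannot be added/modified (same codes as the original inline code).
#######################################
_admin3_map_login() {
        local account="$1" seuser="$2" roles="$3"
        local found

        # Exact match on the first column; the original grep -w could
        # return several rows and then always fall into the "add" branch.
        found=$(semanage user -l | awk -v n="$seuser" '$1 == n { print $1; exit }')
        if [ "$found" = "$seuser" ]; then
                semanage user -m -R "$roles" "$seuser" || exit 2
        else
                semanage user -a -R "$roles" "$seuser" || exit 2
        fi

        found=$(semanage login -l | awk -v n="$account" '$1 == n { print $1; exit }')
        if [ "$found" = "$account" ]; then
                semanage login -m -s "$seuser" "$account" || exit 1
        else
                semanage login -a -s "$seuser" "$account" || exit 1
        fi
}

admin3_on(){
        # Enable the three-power separation: make sure the accounts exist,
        # give them wheel membership and SELinux user/login mappings,
        # confine every other login (including root) to user_u, relabel
        # home directories and finally lock root's password.
        # Exit codes: 1 login mapping / user_u / root mapping failed,
        #             2 SELinux user add/modify failed,
        #             4 sysadm has no usable password (nothing changed yet).
        local account

        # Accounts are created without a password here (see the guard
        # below); "user" is the subcommand that sets passwords.
        for account in "$SYS_ADM" "$SEC_ADM" "$AUD_ADM"; do
                if ! id -u "$account" > /dev/null 2>&1; then
                        useradd -m -s /bin/bash "$account"
                fi
        done

        # Refuse to go on when sysadm cannot log in with a password: the
        # last step maps root to user_u and locks root, so without a usable
        # sysadm password nobody could administer the box afterwards.
        # A shadow hash that is empty or starts with '!' or '*' is not
        # usable for password login.
        local hash
        hash=$(getent shadow "$SYS_ADM" | cut -d: -f2)
        case "$hash" in
                ""|"!"*|"*"*)
                        echo "admin3_on: $SYS_ADM has no usable password; run '$0 user' first" >&2
                        exit 4
                ;;
        esac

        # Hand the (presumably hardening-tool) log directory to secadm.
        # Unchecked, as in the original: fails quietly if it is missing.
        chown -R "$SEC_ADM" /var/log/uharden/

        # Wheel membership plus SELinux mappings, in the original order.
        # NOTE(review): all three accounts end up in wheel; whether that
        # collapses the separation depends on this system's sudoers rule
        # for wheel - confirm.  usermod is not checked (it fails if the
        # wheel group does not exist), matching the original.
        usermod -aG wheel "$SYS_ADM"
        _admin3_map_login "$SYS_ADM" sysadm_u 'sysadm_r system_r'

        usermod -aG wheel "$SEC_ADM"
        _admin3_map_login "$SEC_ADM" secadm_u 'secadm_r'

        usermod -aG wheel "$AUD_ADM"
        _admin3_map_login "$AUD_ADM" auditadm_u 'auditadm_r'

        # Confine everyone else: user_u gets the full MCS range and becomes
        # the default login mapping.
        semanage user -m user_u -r s0-s0:c0.c1023 || exit 1
        semanage login -m -s user_u __default__ || exit 1

        # Policy-specific booleans (deepin policy); their exact effect is
        # not visible here.  Status not checked, as in the original.
        semanage boolean  -m --off off_admins_switch
        semanage boolean  -m --off open_deepin_blist

        # Map root to the unprivileged SELinux user.
        semanage login -m -s user_u root || exit 1

        # Relabel home directories now if SELinux is active, otherwise
        # schedule a full relabel for the next boot.
        local se_status
        se_status=$(getenforce)
        if [[ "$se_status" = "Enforcing" || "$se_status" = "Permissive" ]]; then
                restorecon -FR -v /home > /dev/null 2>&1
                restorecon -FR -v /root > /dev/null 2>&1
        else
                fixfiles  -F onboot
        fi

        # Lock root's password last, once every mapping succeeded.
        # NOTE(review): usermod -L only locks the password; it does not
        # affect key-based or other non-password root logins - confirm
        # that is intended.
        usermod -L root
}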

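# Subcommand dispatcher.
#   on     - create the accounts if needed and enable the separation
#   create - only create the accounts
#   off    - revert to unconfined root and default logins
#   user   - create the accounts and set their passwords interactively
# An unknown or missing argument prints usage and exits 2; the original
# silently did nothing and exited 0 in that case.
case "$1" in
    on)
        echo start admin_on
        admin3_on
        exit 0
    ;;

    create)
        echo start admin_create
        admin3_create
        exit 0
    ;;

    off)
        echo start admin_off
        restore
        exit 0
    ;;

    user)
        user_add
        exit 0
    ;;

    *)
        printf 'Usage: %s {on|create|off|user}\n' "${0##*/}" >&2
        exit 2
    ;;
esac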