Pi-hole/pi-hole
Pi-hole/pi-hole
1
0
Fork 0
mirror of https://github.com/pi-hole/pi-hole.git synced 2024-11-15 02:42:58 +00:00
Code Issues Projects Releases Packages Wiki Activity

add warning if SELinux is Enforcing

Browse source
This commit is contained in:
bcambl 2016-12-23 10:27:52 -06:00
parent 420158494d
commit 2fb0dc0a4a
2 changed files with 18 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

87
advanced/selinux/pihole.te
View file

@ -1,87 +0,0 @@
module pihole 1.0;
require {
type var_log_t;
type unconfined_t;
type init_t;
type auditd_t;
type syslogd_t;
type NetworkManager_t;
type mdadm_t;
type tuned_t;
type avahi_t;
type irqbalance_t;
type system_dbusd_t;
type kernel_t;
type httpd_sys_script_t;
type systemd_logind_t;
type httpd_t;
type policykit_t;
type dnsmasq_t;
type udev_t;
type postfix_pickup_t;
type sshd_t;
type crond_t;
type getty_t;
type lvm_t;
type postfix_qmgr_t;
type postfix_master_t;
class dir { getattr search };
class file { read open setattr };
}
#============= dnsmasq_t ==============
allow dnsmasq_t var_log_t:file { open setattr };
#============= httpd_t ==============
allow httpd_t var_log_t:file { read open };
#============= httpd_sys_script_t (class: dir) ==============
allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
allow httpd_sys_script_t auditd_t:dir { getattr search };
allow httpd_sys_script_t avahi_t:dir { getattr search };
allow httpd_sys_script_t crond_t:dir { getattr search };
allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
allow httpd_sys_script_t getty_t:dir { getattr search };
allow httpd_sys_script_t httpd_t:dir { getattr search };
allow httpd_sys_script_t init_t:dir { getattr search };
allow httpd_sys_script_t irqbalance_t:dir { getattr search };
allow httpd_sys_script_t kernel_t:dir { getattr search };
allow httpd_sys_script_t lvm_t:dir { getattr search };
allow httpd_sys_script_t mdadm_t:dir { getattr search };
allow httpd_sys_script_t policykit_t:dir { getattr search };
allow httpd_sys_script_t postfix_master_t:dir { getattr search };
allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
allow httpd_sys_script_t sshd_t:dir { getattr search };
allow httpd_sys_script_t syslogd_t:dir { getattr search };
allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
allow httpd_sys_script_t tuned_t:dir { getattr search };
allow httpd_sys_script_t udev_t:dir { getattr search };
allow httpd_sys_script_t unconfined_t:dir { getattr search };
#============= httpd_sys_script_t (class: file) ==============
allow httpd_sys_script_t NetworkManager_t:file { read open };
allow httpd_sys_script_t auditd_t:file { read open };
allow httpd_sys_script_t avahi_t:file { read open };
allow httpd_sys_script_t crond_t:file { read open };
allow httpd_sys_script_t dnsmasq_t:file { read open };
allow httpd_sys_script_t getty_t:file { read open };
allow httpd_sys_script_t httpd_t:file { read open };
allow httpd_sys_script_t init_t:file { read open };
allow httpd_sys_script_t irqbalance_t:file { read open };
allow httpd_sys_script_t kernel_t:file { read open };
allow httpd_sys_script_t lvm_t:file { read open };
allow httpd_sys_script_t mdadm_t:file { read open };
allow httpd_sys_script_t policykit_t:file { read open };
allow httpd_sys_script_t postfix_master_t:file { read open };
allow httpd_sys_script_t postfix_pickup_t:file { read open };
allow httpd_sys_script_t postfix_qmgr_t:file { read open };
allow httpd_sys_script_t sshd_t:file { read open };
allow httpd_sys_script_t syslogd_t:file { read open };
allow httpd_sys_script_t system_dbusd_t:file { read open };
allow httpd_sys_script_t systemd_logind_t:file { read open };
allow httpd_sys_script_t tuned_t:file { read open };
allow httpd_sys_script_t udev_t:file { read open };
allow httpd_sys_script_t unconfined_t:file { read open };

36
automated install/basic-install.sh
View file

@ -890,7 +890,6 @@ installPihole() {
installScripts
installConfigs
CreateLogFile
configureSelinux
installPiholeWeb
installCron
configureFirewall
@ -921,7 +920,6 @@ updatePihole() {
installScripts
installConfigs
CreateLogFile
configureSelinux
installPiholeWeb
installCron
configureFirewall
@ -929,23 +927,22 @@ updatePihole() {
runGravity
}
configureSelinux() {
checkSelinux() {
if [ -x "$(command -v getenforce)" ]; then
printf "\n::: SELinux Detected\n"
printf ":::\tChecking for SELinux policy development packages..."
package_check_install "selinux-policy-devel" > /dev/null
echo " installed!"
printf ":::\tEnabling httpd server side includes (SSI).. "
setsebool -P httpd_ssi_exec on &> /dev/null && echo "Success" || echo "SELinux not enabled"
printf "\n:::\tCompiling Pi-Hole SELinux policy..\n"
if ! [ -x "$(command -v systemctl)" ]; then
sed -i.bak '/systemd/d' /etc/.pihole/advanced/selinux/pihole.te
printf "\n::: SELinux Support Detected.."
getenforce | grep 'Enforcing'
if [ $? -eq 0 ]; then
printf "\n::: SELinux is being Enforced on your system"
printf "\n::: WARNING: PiHole does not support SELinux at this time.."
read -r -p "Continue with SELinux Enforcing? [y/N]" continue
if [[ $continue =~ ^([yY][eE][sS]|[yY])$ ]]
then
printf "\n::: Continuing installation with SELinux Enforcing.."
printf "\n::: Please refer to official SELinux documentation to create a custom policy."
else
exit 1
fi
fi
checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
semodule -i /etc/pihole/pihole.pp
rm -f /etc/pihole/pihole.mod
semodule -l | grep pihole &> /dev/null && echo "::: Installed Pi-Hole SELinux policy" || echo "::: Warning: Pi-Hole SELinux policy did not install."
fi
}
@ -1011,7 +1008,10 @@ update_dialogs() {
}
main() {
# Check arguments for the undocumented flags
# Check if SELinux is Enforcing
checkSelinux
# Check arguments for the undocumented flags
for var in "$@"; do
case "$var" in
"--reconfigure" ) reconfigure=true;;