SELinux Support

2024-11-15 02:42:58 +00:00 · 2016-06-05 14:43:18 -06:00 · 2016-06-05 14:43:18 -06:00 · 376eb81181
commit 376eb81181
parent 4fc40d96d9
2 changed files with 116 additions and 0 deletions
--- a/advanced/selinux/pihole.te
+++ b/advanced/selinux/pihole.te
@ -0,0 +1,87 @@
+module pihole 1.0;
+
+require {
+        type var_log_t;
+        type unconfined_t;
+        type init_t;
+        type auditd_t;
+        type syslogd_t;
+        type NetworkManager_t;
+        type mdadm_t;
+        type tuned_t;
+        type avahi_t;
+        type irqbalance_t;
+        type system_dbusd_t;
+        type kernel_t;
+        type httpd_sys_script_t;
+        type systemd_logind_t;
+        type httpd_t;
+        type policykit_t;
+        type dnsmasq_t;
+        type udev_t;
+        type postfix_pickup_t;
+        type sshd_t;
+        type crond_t;
+        type getty_t;
+        type lvm_t;
+        type postfix_qmgr_t;
+        type postfix_master_t;
+        class dir { getattr search };
+        class file { read open setattr };
+}
+
+#============= dnsmasq_t ==============
+allow dnsmasq_t var_log_t:file { open setattr };
+
+#============= httpd_t ==============
+allow httpd_t var_log_t:file { read open };
+
+#============= httpd_sys_script_t (class: dir) ==============
+allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
+allow httpd_sys_script_t auditd_t:dir { getattr search };
+allow httpd_sys_script_t avahi_t:dir { getattr search };
+allow httpd_sys_script_t crond_t:dir { getattr search };
+allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
+allow httpd_sys_script_t getty_t:dir { getattr search };
+allow httpd_sys_script_t httpd_t:dir { getattr search };
+allow httpd_sys_script_t init_t:dir { getattr search };
+allow httpd_sys_script_t irqbalance_t:dir { getattr search };
+allow httpd_sys_script_t kernel_t:dir { getattr search };
+allow httpd_sys_script_t lvm_t:dir { getattr search };
+allow httpd_sys_script_t mdadm_t:dir { getattr search };
+allow httpd_sys_script_t policykit_t:dir { getattr search };
+allow httpd_sys_script_t postfix_master_t:dir { getattr search };
+allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
+allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
+allow httpd_sys_script_t sshd_t:dir { getattr search };
+allow httpd_sys_script_t syslogd_t:dir { getattr search };
+allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
+allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
+allow httpd_sys_script_t tuned_t:dir { getattr search };
+allow httpd_sys_script_t udev_t:dir { getattr search };
+allow httpd_sys_script_t unconfined_t:dir { getattr search };
+
+#============= httpd_sys_script_t (class: file) ==============
+allow httpd_sys_script_t NetworkManager_t:file { read open };
+allow httpd_sys_script_t auditd_t:file { read open };
+allow httpd_sys_script_t avahi_t:file { read open };
+allow httpd_sys_script_t crond_t:file { read open };
+allow httpd_sys_script_t dnsmasq_t:file { read open };
+allow httpd_sys_script_t getty_t:file { read open };
+allow httpd_sys_script_t httpd_t:file { read open };
+allow httpd_sys_script_t init_t:file { read open };
+allow httpd_sys_script_t irqbalance_t:file { read open };
+allow httpd_sys_script_t kernel_t:file { read open };
+allow httpd_sys_script_t lvm_t:file { read open };
+allow httpd_sys_script_t mdadm_t:file { read open };
+allow httpd_sys_script_t policykit_t:file { read open };
+allow httpd_sys_script_t postfix_master_t:file { read open };
+allow httpd_sys_script_t postfix_pickup_t:file { read open };
+allow httpd_sys_script_t postfix_qmgr_t:file { read open };
+allow httpd_sys_script_t sshd_t:file { read open };
+allow httpd_sys_script_t syslogd_t:file { read open };
+allow httpd_sys_script_t system_dbusd_t:file { read open };
+allow httpd_sys_script_t systemd_logind_t:file { read open };
+allow httpd_sys_script_t tuned_t:file { read open };
+allow httpd_sys_script_t udev_t:file { read open };
+allow httpd_sys_script_t unconfined_t:file { read open };
--- a/install/basic-install.sh
+++ b/install/basic-install.sh
@ -788,6 +788,32 @@ installPihole() {
 	configureFirewall
 }

+configureSelinux() {
+	if [ -x "$(command -v getenforce)" ]; then
+		printf "\n::: SELinux Detected\n"
+		printf ":::\tChecking for SELinux policy development packages..."
+		package_check "selinux-policy-devel" > /dev/null
+		if ! [ $? -eq 0 ]; then
+			echo -n " Not found! Installing...."
+			$SUDO $PKG_INSTALL "selinux-policy-devel" > /dev/null & spinner $!
+			echo " done!"
+		else
+			echo " already installed!"
+		fi
+		printf ":::\tCompiling Pi-Hole SELinux policy..\n"
+		$SUDO checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
+		$SUDO semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
+		$SUDO semodule -i /etc/pihole/pihole.pp
+		$SUDO rm -f /etc/pihole/pihole.mod
+		$SUDO semodule -l | grep pihole > /dev/null
+		if [ $? -eq 0 ]; then
+			printf "::: Successfully installed Pi-Hole SELinux policy\n"
+		else
+			printf "::: Warning: Pi-Hole SELinux policy did not install correctly!\n"
+		fi
+	fi
+}
+
 displayFinalMessage() {
 	# Final completion message to user
 	whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Configure your devices to use the Pi-hole as their DNS server using:
@ -831,6 +857,9 @@ installPihole | tee $tmpLog
 # Move the log file into /etc/pihole for storage
 $SUDO mv $tmpLog $instalLogLoc

+# Configure SELinux (if applicable)
+configureSelinux
+
 displayFinalMessage

 echo -n "::: Restarting services..."