SELinux Support
This commit is contained in:
parent
4fc40d96d9
commit
376eb81181
2 changed files with 116 additions and 0 deletions
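--- /dev/null
+++ b/advanced/selinux/pihole.te
@@ -0,0 +1,87 @@
+module pihole 1.0;
+
+require {
+type var_log_t;
+type unconfined_t;
+type init_t;
+type auditd_t;
+type syslogd_t;
+type NetworkManager_t;
+type mdadm_t;
+type tuned_t;
+type avahi_t;
+type irqbalance_t;
+type system_dbusd_t;
+type kernel_t;
+type httpd_sys_script_t;
+type systemd_logind_t;
+type httpd_t;
+type policykit_t;
+type dnsmasq_t;
+type udev_t;
+type postfix_pickup_t;
+type sshd_t;
+type crond_t;
+type getty_t;
+type lvm_t;
+type postfix_qmgr_t;
+type postfix_master_t;
+class dir { getattr search };
+class file { read open setattr };
+}
+
+#============= dnsmasq_t ==============
+allow dnsmasq_t var_log_t:file { open setattr };
+
+#============= httpd_t ==============
+allow httpd_t var_log_t:file { read open };
+
+#============= httpd_sys_script_t (class: dir) ==============
+allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
+allow httpd_sys_script_t auditd_t:dir { getattr search };
+allow httpd_sys_script_t avahi_t:dir { getattr search };
+allow httpd_sys_script_t crond_t:dir { getattr search };
+allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
+allow httpd_sys_script_t getty_t:dir { getattr search };
+allow httpd_sys_script_t httpd_t:dir { getattr search };
+allow httpd_sys_script_t init_t:dir { getattr search };
+allow httpd_sys_script_t irqbalance_t:dir { getattr search };
+allow httpd_sys_script_t kernel_t:dir { getattr search };
+allow httpd_sys_script_t lvm_t:dir { getattr search };
+allow httpd_sys_script_t mdadm_t:dir { getattr search };
+allow httpd_sys_script_t policykit_t:dir { getattr search };
+allow httpd_sys_script_t postfix_master_t:dir { getattr search };
+allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
+allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
+allow httpd_sys_script_t sshd_t:dir { getattr search };
+allow httpd_sys_script_t syslogd_t:dir { getattr search };
+allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
+allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
+allow httpd_sys_script_t tuned_t:dir { getattr search };
+allow httpd_sys_script_t udev_t:dir { getattr search };
+allow httpd_sys_script_t unconfined_t:dir { getattr search };
+
+#============= httpd_sys_script_t (class: file) ==============
+allow httpd_sys_script_t NetworkManager_t:file { read open };
+allow httpd_sys_script_t auditd_t:file { read open };
+allow httpd_sys_script_t avahi_t:file { read open };
+allow httpd_sys_script_t crond_t:file { read open };
+allow httpd_sys_script_t dnsmasq_t:file { read open };
+allow httpd_sys_script_t getty_t:file { read open };
+allow httpd_sys_script_t httpd_t:file { read open };
+allow httpd_sys_script_t init_t:file { read open };
+allow httpd_sys_script_t irqbalance_t:file { read open };
+allow httpd_sys_script_t kernel_t:file { read open };
+allow httpd_sys_script_t lvm_t:file { read open };
+allow httpd_sys_script_t mdadm_t:file { read open };
+allow httpd_sys_script_t policykit_t:file { read open };
+allow httpd_sys_script_t postfix_master_t:file { read open };
+allow httpd_sys_script_t postfix_pickup_t:file { read open };
+allow httpd_sys_script_t postfix_qmgr_t:file { read open };
+allow httpd_sys_script_t sshd_t:file { read open };
+allow httpd_sys_script_t syslogd_t:file { read open };
+allow httpd_sys_script_t system_dbusd_t:file { read open };
+allow httpd_sys_script_t systemd_logind_t:file { read open };
+allow httpd_sys_script_t tuned_t:file { read open };
+allow httpd_sys_script_t udev_t:file { read open };
+allow httpd_sys_script_t unconfined_t:file { read open };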
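Review bot: The two httpd_sys_script_t blocks grant the web interface's CGI scripts `dir { getattr search }` and `file { read open }` on 23 process domains including `sshd_t`, `kernel_t`, `init_t` and `unconfined_t`; those are domain types, so what this most likely opens is their `/proc/<pid>` entries, and the list (postfix, mdadm, lvm, tuned, avahi, irqbalance) reads like an audit2allow capture of whatever happened to be running on the build host rather than what Pi-hole needs. Trim it to the domains the web interface actually has to inspect and add a header comment naming the tool and the denial set the rules were derived from, so the next maintainer regenerates instead of appending. `allow dnsmasq_t var_log_t:file { open setattr }` likewise reaches every file labelled `var_log_t`, not only Pi-hole's logs; a dedicated file context for the Pi-hole log would bound it. `require { type unconfined_t; }` will make the module fail to load on a host where the unconfined module is absent, which deserves at least a comment if that case is in scope.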
@ -788,6 +788,32 @@ installPihole() {
|
||||||
configureFirewall
|
configureFirewall
|
||||||
}
|
}
|
||||||
|
|
||||||
|
configureSelinux() {
|
||||||
|
if [ -x "$(command -v getenforce)" ]; then
|
||||||
|
printf "\n::: SELinux Detected\n"
|
||||||
|
printf ":::\tChecking for SELinux policy development packages..."
|
||||||
|
package_check "selinux-policy-devel" > /dev/null
|
||||||
|
if ! [ $? -eq 0 ]; then
|
||||||
|
echo -n " Not found! Installing...."
|
||||||
|
$SUDO $PKG_INSTALL "selinux-policy-devel" > /dev/null & spinner $!
|
||||||
|
echo " done!"
|
||||||
|
else
|
||||||
|
echo " already installed!"
|
||||||
|
fi
|
||||||
|
printf ":::\tCompiling Pi-Hole SELinux policy..\n"
|
||||||
|
$SUDO checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
|
||||||
|
$SUDO semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
|
||||||
|
$SUDO semodule -i /etc/pihole/pihole.pp
|
||||||
|
$SUDO rm -f /etc/pihole/pihole.mod
|
||||||
|
$SUDO semodule -l | grep pihole > /dev/null
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
printf "::: Successfully installed Pi-Hole SELinux policy\n"
|
||||||
|
else
|
||||||
|
printf "::: Warning: Pi-Hole SELinux policy did not install correctly!\n"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
displayFinalMessage() {
|
displayFinalMessage() {
|
||||||
# Final completion message to user
|
# Final completion message to user
|
||||||
whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Configure your devices to use the Pi-hole as their DNS server using:
|
whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Configure your devices to use the Pi-hole as their DNS server using:
|
||||||
|
@ -831,6 +857,9 @@ installPihole | tee $tmpLog
|
||||||
# Move the log file into /etc/pihole for storage
|
# Move the log file into /etc/pihole for storage
|
||||||
$SUDO mv $tmpLog $instalLogLoc
|
$SUDO mv $tmpLog $instalLogLoc
|
||||||
|
|
||||||
|
# Configure SELinux (if applicable)
|
||||||
|
configureSelinux
|
||||||
|
|
||||||
displayFinalMessage
|
displayFinalMessage
|
||||||
|
|
||||||
echo -n "::: Restarting services..."
|
echo -n "::: Restarting services..."
|
||||||
|
|
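Review bot: In configureSelinux the `checkmodule`, `semodule_package`, `semodule -i` and `rm -f` steps run unconditionally, so a failed `checkmodule` still feeds a missing or stale `/etc/pihole/pihole.mod` into the next step and the only diagnostic is the final warning; chaining them makes the install stop at the first failure and the warning branch report it. The success check `semodule -l | grep pihole` is a substring match that any module name containing "pihole" satisfies, so anchor it, e.g. `grep -qE '^pihole([[:space:]]|$)'`. `if ! [ $? -eq 0 ]` after `package_check` can be written directly as `if ! package_check "selinux-policy-devel" > /dev/null; then`. The second hunk, which only adds the `configureSelinux` call after the log move, needs no change.
```shell
printf ":::\tCompiling Pi-Hole SELinux policy..\n"
if $SUDO checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te \
   && $SUDO semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod \
   && $SUDO semodule -i /etc/pihole/pihole.pp \
   && $SUDO semodule -l | grep -qE '^pihole([[:space:]]|$)'; then
    printf "::: Successfully installed Pi-Hole SELinux policy\n"
else
    printf "::: Warning: Pi-Hole SELinux policy did not install correctly!\n"
fi
$SUDO rm -f /etc/pihole/pihole.mod
# … unchanged: closing fi of the getenforce check and the function's } …
```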