mirror of
https://github.com/pi-hole/pi-hole.git
synced 2024-11-15 02:42:58 +00:00
Merge pull request #2964 from bcambl/selinux_enforcing
Exit installation when SELinux in unsupported state
This commit is contained in:
commit
61d233f069
3 changed files with 103 additions and 75 deletions
|
@ -1959,20 +1959,42 @@ installPihole() {
|
||||||
|
|
||||||
# SELinux
|
# SELinux
|
||||||
checkSelinux() {
|
checkSelinux() {
|
||||||
# If the getenforce command exists,
|
local DEFAULT_SELINUX
|
||||||
if is_command getenforce ; then
|
local CURRENT_SELINUX
|
||||||
# Store the current mode in a variable
|
local SELINUX_ENFORCING=0
|
||||||
enforceMode=$(getenforce)
|
# Check if a SELinux configuration file exists
|
||||||
printf "\\n %b SELinux mode detected: %s\\n" "${INFO}" "${enforceMode}"
|
if [[ -f /etc/selinux/config ]]; then
|
||||||
|
# If a SELinux configuration file was found, check the default SELinux mode.
|
||||||
# If it's enforcing,
|
DEFAULT_SELINUX=$(awk -F= '/^SELINUX=/ {print $2}' /etc/selinux/config)
|
||||||
if [[ "${enforceMode}" == "Enforcing" ]]; then
|
case "${DEFAULT_SELINUX,,}" in
|
||||||
# Explain Pi-hole does not support it yet
|
enforcing)
|
||||||
whiptail --defaultno --title "SELinux Enforcing Detected" --yesno "SELinux is being ENFORCED on your system! \\n\\nPi-hole currently does not support SELinux, but you may still continue with the installation.\\n\\nNote: Web Admin will not be fully functional unless you set your policies correctly\\n\\nContinue installing Pi-hole?" "${r}" "${c}" || \
|
printf "%b %bDefault SELinux: %s%b\\n" "${CROSS}" "${COL_RED}" "${DEFAULT_SELINUX}" "${COL_NC}"
|
||||||
{ printf "\\n %bSELinux Enforcing detected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"; exit 1; }
|
SELINUX_ENFORCING=1
|
||||||
printf " %b Continuing installation with SELinux Enforcing\\n" "${INFO}"
|
;;
|
||||||
printf " %b Please refer to official SELinux documentation to create a custom policy\\n" "${INFO}"
|
*) # 'permissive' and 'disabled'
|
||||||
|
printf "%b %bDefault SELinux: %s%b\\n" "${TICK}" "${COL_GREEN}" "${DEFAULT_SELINUX}" "${COL_NC}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
# Check the current state of SELinux
|
||||||
|
CURRENT_SELINUX=$(getenforce)
|
||||||
|
case "${CURRENT_SELINUX,,}" in
|
||||||
|
enforcing)
|
||||||
|
printf "%b %bCurrent SELinux: %s%b\\n" "${CROSS}" "${COL_RED}" "${CURRENT_SELINUX}" "${COL_NC}"
|
||||||
|
SELINUX_ENFORCING=1
|
||||||
|
;;
|
||||||
|
*) # 'permissive' and 'disabled'
|
||||||
|
printf "%b %bCurrent SELinux: %s%b\\n" "${TICK}" "${COL_GREEN}" "${CURRENT_SELINUX}" "${COL_NC}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
echo -e "${INFO} ${COL_GREEN}SELinux not detected${COL_NC}";
|
||||||
fi
|
fi
|
||||||
|
# Exit the installer if any SELinux checks toggled the flag
|
||||||
|
if [[ "${SELINUX_ENFORCING}" -eq 1 ]] && [[ -z "${PIHOLE_SELINUX}" ]]; then
|
||||||
|
printf "Pi-hole does not provide an SELinux policy as the required changes modify the security of your system.\\n"
|
||||||
|
printf "Please refer to https://wiki.centos.org/HowTos/SELinux if SELinux is required for your deployment.\\n"
|
||||||
|
printf "\\n%bSELinux Enforcing detected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}";
|
||||||
|
exit 1;
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -254,73 +254,16 @@ def test_configureFirewall_IPTables_enabled_not_exist_no_errors(Pihole):
|
||||||
assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 2
|
assert len(re.findall(r'tcp --dport 4711:4720', firewall_calls)) == 2
|
||||||
|
|
||||||
|
|
||||||
def test_selinux_enforcing_default_exit(Pihole):
|
def test_selinux_not_detected(Pihole):
|
||||||
'''
|
'''
|
||||||
confirms installer prompts to exit when SELinux is Enforcing by default
|
confirms installer continues when SELinux configuration file does not exist
|
||||||
'''
|
'''
|
||||||
# getenforce returns the running state of SELinux
|
|
||||||
mock_command('getenforce', {'*': ('Enforcing', '0')}, Pihole)
|
|
||||||
# Whiptail dialog returns Cancel for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', '1')}, Pihole)
|
|
||||||
check_selinux = Pihole.run('''
|
check_selinux = Pihole.run('''
|
||||||
|
rm -f /etc/selinux/config
|
||||||
source /opt/pihole/basic-install.sh
|
source /opt/pihole/basic-install.sh
|
||||||
checkSelinux
|
checkSelinux
|
||||||
''')
|
''')
|
||||||
expected_stdout = info_box + ' SELinux mode detected: Enforcing'
|
expected_stdout = info_box + ' SELinux not detected'
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
expected_stdout = 'SELinux Enforcing detected, exiting installer'
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
assert check_selinux.rc == 1
|
|
||||||
|
|
||||||
|
|
||||||
def test_selinux_enforcing_continue(Pihole):
|
|
||||||
'''
|
|
||||||
confirms installer prompts to continue with custom policy warning
|
|
||||||
'''
|
|
||||||
# getenforce returns the running state of SELinux
|
|
||||||
mock_command('getenforce', {'*': ('Enforcing', '0')}, Pihole)
|
|
||||||
# Whiptail dialog returns Continue for user prompt
|
|
||||||
mock_command('whiptail', {'*': ('', '0')}, Pihole)
|
|
||||||
check_selinux = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
checkSelinux
|
|
||||||
''')
|
|
||||||
expected_stdout = info_box + ' SELinux mode detected: Enforcing'
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
expected_stdout = info_box + (' Continuing installation with SELinux '
|
|
||||||
'Enforcing')
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
expected_stdout = info_box + (' Please refer to official SELinux '
|
|
||||||
'documentation to create a custom policy')
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
assert check_selinux.rc == 0
|
|
||||||
|
|
||||||
|
|
||||||
def test_selinux_permissive(Pihole):
|
|
||||||
'''
|
|
||||||
confirms installer continues when SELinux is Permissive
|
|
||||||
'''
|
|
||||||
# getenforce returns the running state of SELinux
|
|
||||||
mock_command('getenforce', {'*': ('Permissive', '0')}, Pihole)
|
|
||||||
check_selinux = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
checkSelinux
|
|
||||||
''')
|
|
||||||
expected_stdout = info_box + ' SELinux mode detected: Permissive'
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
|
||||||
assert check_selinux.rc == 0
|
|
||||||
|
|
||||||
|
|
||||||
def test_selinux_disabled(Pihole):
|
|
||||||
'''
|
|
||||||
confirms installer continues when SELinux is Disabled
|
|
||||||
'''
|
|
||||||
mock_command('getenforce', {'*': ('Disabled', '0')}, Pihole)
|
|
||||||
check_selinux = Pihole.run('''
|
|
||||||
source /opt/pihole/basic-install.sh
|
|
||||||
checkSelinux
|
|
||||||
''')
|
|
||||||
expected_stdout = info_box + ' SELinux mode detected: Disabled'
|
|
||||||
assert expected_stdout in check_selinux.stdout
|
assert expected_stdout in check_selinux.stdout
|
||||||
assert check_selinux.rc == 0
|
assert check_selinux.rc == 0
|
||||||
|
|
||||||
|
|
|
@ -8,6 +8,69 @@ from conftest import (
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def mock_selinux_config(state, Pihole):
|
||||||
|
'''
|
||||||
|
Creates a mock SELinux config file with expected content
|
||||||
|
'''
|
||||||
|
# validate state string
|
||||||
|
valid_states = ['enforcing', 'permissive', 'disabled']
|
||||||
|
assert state in valid_states
|
||||||
|
# getenforce returns the running state of SELinux
|
||||||
|
mock_command('getenforce', {'*': (state.capitalize(), '0')}, Pihole)
|
||||||
|
# create mock configuration with desired content
|
||||||
|
Pihole.run('''
|
||||||
|
mkdir /etc/selinux
|
||||||
|
echo "SELINUX={state}" > /etc/selinux/config
|
||||||
|
'''.format(state=state.lower()))
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.parametrize("tag", [('centos'), ('fedora'), ])
|
||||||
|
def test_selinux_enforcing_exit(Pihole):
|
||||||
|
'''
|
||||||
|
confirms installer prompts to exit when SELinux is Enforcing by default
|
||||||
|
'''
|
||||||
|
mock_selinux_config("enforcing", Pihole)
|
||||||
|
check_selinux = Pihole.run('''
|
||||||
|
source /opt/pihole/basic-install.sh
|
||||||
|
checkSelinux
|
||||||
|
''')
|
||||||
|
expected_stdout = cross_box + ' Current SELinux: Enforcing'
|
||||||
|
assert expected_stdout in check_selinux.stdout
|
||||||
|
expected_stdout = 'SELinux Enforcing detected, exiting installer'
|
||||||
|
assert expected_stdout in check_selinux.stdout
|
||||||
|
assert check_selinux.rc == 1
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.parametrize("tag", [('centos'), ('fedora'), ])
|
||||||
|
def test_selinux_permissive(Pihole):
|
||||||
|
'''
|
||||||
|
confirms installer continues when SELinux is Permissive
|
||||||
|
'''
|
||||||
|
mock_selinux_config("permissive", Pihole)
|
||||||
|
check_selinux = Pihole.run('''
|
||||||
|
source /opt/pihole/basic-install.sh
|
||||||
|
checkSelinux
|
||||||
|
''')
|
||||||
|
expected_stdout = tick_box + ' Current SELinux: Permissive'
|
||||||
|
assert expected_stdout in check_selinux.stdout
|
||||||
|
assert check_selinux.rc == 0
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.parametrize("tag", [('centos'), ('fedora'), ])
|
||||||
|
def test_selinux_disabled(Pihole):
|
||||||
|
'''
|
||||||
|
confirms installer continues when SELinux is Disabled
|
||||||
|
'''
|
||||||
|
mock_selinux_config("disabled", Pihole)
|
||||||
|
check_selinux = Pihole.run('''
|
||||||
|
source /opt/pihole/basic-install.sh
|
||||||
|
checkSelinux
|
||||||
|
''')
|
||||||
|
expected_stdout = tick_box + ' Current SELinux: Disabled'
|
||||||
|
assert expected_stdout in check_selinux.stdout
|
||||||
|
assert check_selinux.rc == 0
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("tag", [('fedora'), ])
|
@pytest.mark.parametrize("tag", [('fedora'), ])
|
||||||
def test_epel_and_remi_not_installed_fedora(Pihole):
|
def test_epel_and_remi_not_installed_fedora(Pihole):
|
||||||
'''
|
'''
|
||||||
|
|
Loading…
Reference in a new issue