Merge pull request #1028 from pi-hole/bcambl-selinux_notification

Bcambl selinux notification
This commit is contained in:
Adam Warner 2016-12-23 17:36:33 +00:00 committed by GitHub
commit d12efccd0b
2 changed files with 22 additions and 105 deletions

View file

@ -1,87 +0,0 @@
module pihole 1.0;
require {
type var_log_t;
type unconfined_t;
type init_t;
type auditd_t;
type syslogd_t;
type NetworkManager_t;
type mdadm_t;
type tuned_t;
type avahi_t;
type irqbalance_t;
type system_dbusd_t;
type kernel_t;
type httpd_sys_script_t;
type systemd_logind_t;
type httpd_t;
type policykit_t;
type dnsmasq_t;
type udev_t;
type postfix_pickup_t;
type sshd_t;
type crond_t;
type getty_t;
type lvm_t;
type postfix_qmgr_t;
type postfix_master_t;
class dir { getattr search };
class file { read open setattr };
}
#============= dnsmasq_t ==============
allow dnsmasq_t var_log_t:file { open setattr };
#============= httpd_t ==============
allow httpd_t var_log_t:file { read open };
#============= httpd_sys_script_t (class: dir) ==============
allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
allow httpd_sys_script_t auditd_t:dir { getattr search };
allow httpd_sys_script_t avahi_t:dir { getattr search };
allow httpd_sys_script_t crond_t:dir { getattr search };
allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
allow httpd_sys_script_t getty_t:dir { getattr search };
allow httpd_sys_script_t httpd_t:dir { getattr search };
allow httpd_sys_script_t init_t:dir { getattr search };
allow httpd_sys_script_t irqbalance_t:dir { getattr search };
allow httpd_sys_script_t kernel_t:dir { getattr search };
allow httpd_sys_script_t lvm_t:dir { getattr search };
allow httpd_sys_script_t mdadm_t:dir { getattr search };
allow httpd_sys_script_t policykit_t:dir { getattr search };
allow httpd_sys_script_t postfix_master_t:dir { getattr search };
allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
allow httpd_sys_script_t sshd_t:dir { getattr search };
allow httpd_sys_script_t syslogd_t:dir { getattr search };
allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
allow httpd_sys_script_t tuned_t:dir { getattr search };
allow httpd_sys_script_t udev_t:dir { getattr search };
allow httpd_sys_script_t unconfined_t:dir { getattr search };
#============= httpd_sys_script_t (class: file) ==============
allow httpd_sys_script_t NetworkManager_t:file { read open };
allow httpd_sys_script_t auditd_t:file { read open };
allow httpd_sys_script_t avahi_t:file { read open };
allow httpd_sys_script_t crond_t:file { read open };
allow httpd_sys_script_t dnsmasq_t:file { read open };
allow httpd_sys_script_t getty_t:file { read open };
allow httpd_sys_script_t httpd_t:file { read open };
allow httpd_sys_script_t init_t:file { read open };
allow httpd_sys_script_t irqbalance_t:file { read open };
allow httpd_sys_script_t kernel_t:file { read open };
allow httpd_sys_script_t lvm_t:file { read open };
allow httpd_sys_script_t mdadm_t:file { read open };
allow httpd_sys_script_t policykit_t:file { read open };
allow httpd_sys_script_t postfix_master_t:file { read open };
allow httpd_sys_script_t postfix_pickup_t:file { read open };
allow httpd_sys_script_t postfix_qmgr_t:file { read open };
allow httpd_sys_script_t sshd_t:file { read open };
allow httpd_sys_script_t syslogd_t:file { read open };
allow httpd_sys_script_t system_dbusd_t:file { read open };
allow httpd_sys_script_t systemd_logind_t:file { read open };
allow httpd_sys_script_t tuned_t:file { read open };
allow httpd_sys_script_t udev_t:file { read open };
allow httpd_sys_script_t unconfined_t:file { read open };

View file

@ -897,7 +897,6 @@ installPihole() {
installScripts installScripts
installConfigs installConfigs
CreateLogFile CreateLogFile
configureSelinux
installPiholeWeb installPiholeWeb
installCron installCron
configureFirewall configureFirewall
@ -928,7 +927,6 @@ updatePihole() {
installScripts installScripts
installConfigs installConfigs
CreateLogFile CreateLogFile
configureSelinux
installPiholeWeb installPiholeWeb
installCron installCron
configureFirewall configureFirewall
@ -936,23 +934,25 @@ updatePihole() {
runGravity runGravity
} }
configureSelinux() {
checkSelinux() {
if [ -x "$(command -v getenforce)" ]; then if [ -x "$(command -v getenforce)" ]; then
printf "\n::: SELinux Detected\n" echo ":::"
printf ":::\tChecking for SELinux policy development packages..." echo -n "::: SELinux Support Detected... Mode: "
package_check_install "selinux-policy-devel" > /dev/null enforceMode=$(getenforce)
echo " installed!" echo "${enforceMode}"
printf ":::\tEnabling httpd server side includes (SSI).. " if [[ "${enforceMode}" == "Enforcing" ]]; then
setsebool -P httpd_ssi_exec on &> /dev/null && echo "Success" || echo "SELinux not enabled" if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
printf "\n:::\tCompiling Pi-Hole SELinux policy..\n" echo ":::"
if ! [ -x "$(command -v systemctl)" ]; then echo "::: Continuing installation with SELinux Enforcing."
sed -i.bak '/systemd/d' /etc/.pihole/advanced/selinux/pihole.te echo "::: Please refer to official SELinux documentation to create a custom policy."
else
echo ":::"
echo "::: Not continuing install after SELinux Enforcing detected."
exit 1
fi
fi fi
checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
semodule -i /etc/pihole/pihole.pp
rm -f /etc/pihole/pihole.mod
semodule -l | grep pihole &> /dev/null && echo "::: Installed Pi-Hole SELinux policy" || echo "::: Warning: Pi-Hole SELinux policy did not install."
fi fi
} }
@ -1018,6 +1018,7 @@ update_dialogs() {
} }
main() { main() {
# Check arguments for the undocumented flags # Check arguments for the undocumented flags
for var in "$@"; do for var in "$@"; do
case "$var" in case "$var" in
@ -1053,6 +1054,9 @@ main() {
# Install packages used by this installation script # Install packages used by this installation script
install_dependent_packages INSTALLER_DEPS[@] install_dependent_packages INSTALLER_DEPS[@]
# Check if SELinux is Enforcing
checkSelinux
if [[ "${reconfigure}" == true ]]; then if [[ "${reconfigure}" == true ]]; then
echo "::: --reconfigure passed to install script. Not downloading/updating local repos" echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
else else