mirror of
https://github.com/pi-hole/pi-hole.git
synced 2024-12-25 06:10:20 +00:00
Merge pull request #1028 from pi-hole/bcambl-selinux_notification
Bcambl selinux notification
This commit is contained in:
commit
d12efccd0b
2 changed files with 22 additions and 105 deletions
|
@ -1,87 +0,0 @@
|
||||||
module pihole 1.0;
|
|
||||||
|
|
||||||
require {
|
|
||||||
type var_log_t;
|
|
||||||
type unconfined_t;
|
|
||||||
type init_t;
|
|
||||||
type auditd_t;
|
|
||||||
type syslogd_t;
|
|
||||||
type NetworkManager_t;
|
|
||||||
type mdadm_t;
|
|
||||||
type tuned_t;
|
|
||||||
type avahi_t;
|
|
||||||
type irqbalance_t;
|
|
||||||
type system_dbusd_t;
|
|
||||||
type kernel_t;
|
|
||||||
type httpd_sys_script_t;
|
|
||||||
type systemd_logind_t;
|
|
||||||
type httpd_t;
|
|
||||||
type policykit_t;
|
|
||||||
type dnsmasq_t;
|
|
||||||
type udev_t;
|
|
||||||
type postfix_pickup_t;
|
|
||||||
type sshd_t;
|
|
||||||
type crond_t;
|
|
||||||
type getty_t;
|
|
||||||
type lvm_t;
|
|
||||||
type postfix_qmgr_t;
|
|
||||||
type postfix_master_t;
|
|
||||||
class dir { getattr search };
|
|
||||||
class file { read open setattr };
|
|
||||||
}
|
|
||||||
|
|
||||||
#============= dnsmasq_t ==============
|
|
||||||
allow dnsmasq_t var_log_t:file { open setattr };
|
|
||||||
|
|
||||||
#============= httpd_t ==============
|
|
||||||
allow httpd_t var_log_t:file { read open };
|
|
||||||
|
|
||||||
#============= httpd_sys_script_t (class: dir) ==============
|
|
||||||
allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t auditd_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t avahi_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t crond_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t getty_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t httpd_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t init_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t irqbalance_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t kernel_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t lvm_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t mdadm_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t policykit_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t postfix_master_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t sshd_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t syslogd_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t tuned_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t udev_t:dir { getattr search };
|
|
||||||
allow httpd_sys_script_t unconfined_t:dir { getattr search };
|
|
||||||
|
|
||||||
#============= httpd_sys_script_t (class: file) ==============
|
|
||||||
allow httpd_sys_script_t NetworkManager_t:file { read open };
|
|
||||||
allow httpd_sys_script_t auditd_t:file { read open };
|
|
||||||
allow httpd_sys_script_t avahi_t:file { read open };
|
|
||||||
allow httpd_sys_script_t crond_t:file { read open };
|
|
||||||
allow httpd_sys_script_t dnsmasq_t:file { read open };
|
|
||||||
allow httpd_sys_script_t getty_t:file { read open };
|
|
||||||
allow httpd_sys_script_t httpd_t:file { read open };
|
|
||||||
allow httpd_sys_script_t init_t:file { read open };
|
|
||||||
allow httpd_sys_script_t irqbalance_t:file { read open };
|
|
||||||
allow httpd_sys_script_t kernel_t:file { read open };
|
|
||||||
allow httpd_sys_script_t lvm_t:file { read open };
|
|
||||||
allow httpd_sys_script_t mdadm_t:file { read open };
|
|
||||||
allow httpd_sys_script_t policykit_t:file { read open };
|
|
||||||
allow httpd_sys_script_t postfix_master_t:file { read open };
|
|
||||||
allow httpd_sys_script_t postfix_pickup_t:file { read open };
|
|
||||||
allow httpd_sys_script_t postfix_qmgr_t:file { read open };
|
|
||||||
allow httpd_sys_script_t sshd_t:file { read open };
|
|
||||||
allow httpd_sys_script_t syslogd_t:file { read open };
|
|
||||||
allow httpd_sys_script_t system_dbusd_t:file { read open };
|
|
||||||
allow httpd_sys_script_t systemd_logind_t:file { read open };
|
|
||||||
allow httpd_sys_script_t tuned_t:file { read open };
|
|
||||||
allow httpd_sys_script_t udev_t:file { read open };
|
|
||||||
allow httpd_sys_script_t unconfined_t:file { read open };
|
|
|
@ -897,7 +897,6 @@ installPihole() {
|
||||||
installScripts
|
installScripts
|
||||||
installConfigs
|
installConfigs
|
||||||
CreateLogFile
|
CreateLogFile
|
||||||
configureSelinux
|
|
||||||
installPiholeWeb
|
installPiholeWeb
|
||||||
installCron
|
installCron
|
||||||
configureFirewall
|
configureFirewall
|
||||||
|
@ -928,7 +927,6 @@ updatePihole() {
|
||||||
installScripts
|
installScripts
|
||||||
installConfigs
|
installConfigs
|
||||||
CreateLogFile
|
CreateLogFile
|
||||||
configureSelinux
|
|
||||||
installPiholeWeb
|
installPiholeWeb
|
||||||
installCron
|
installCron
|
||||||
configureFirewall
|
configureFirewall
|
||||||
|
@ -936,23 +934,25 @@ updatePihole() {
|
||||||
runGravity
|
runGravity
|
||||||
}
|
}
|
||||||
|
|
||||||
configureSelinux() {
|
|
||||||
|
|
||||||
|
checkSelinux() {
|
||||||
if [ -x "$(command -v getenforce)" ]; then
|
if [ -x "$(command -v getenforce)" ]; then
|
||||||
printf "\n::: SELinux Detected\n"
|
echo ":::"
|
||||||
printf ":::\tChecking for SELinux policy development packages..."
|
echo -n "::: SELinux Support Detected... Mode: "
|
||||||
package_check_install "selinux-policy-devel" > /dev/null
|
enforceMode=$(getenforce)
|
||||||
echo " installed!"
|
echo "${enforceMode}"
|
||||||
printf ":::\tEnabling httpd server side includes (SSI).. "
|
if [[ "${enforceMode}" == "Enforcing" ]]; then
|
||||||
setsebool -P httpd_ssi_exec on &> /dev/null && echo "Success" || echo "SELinux not enabled"
|
if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
|
||||||
printf "\n:::\tCompiling Pi-Hole SELinux policy..\n"
|
echo ":::"
|
||||||
if ! [ -x "$(command -v systemctl)" ]; then
|
echo "::: Continuing installation with SELinux Enforcing."
|
||||||
sed -i.bak '/systemd/d' /etc/.pihole/advanced/selinux/pihole.te
|
echo "::: Please refer to official SELinux documentation to create a custom policy."
|
||||||
|
else
|
||||||
|
echo ":::"
|
||||||
|
echo "::: Not continuing install after SELinux Enforcing detected."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
|
|
||||||
semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
|
|
||||||
semodule -i /etc/pihole/pihole.pp
|
|
||||||
rm -f /etc/pihole/pihole.mod
|
|
||||||
semodule -l | grep pihole &> /dev/null && echo "::: Installed Pi-Hole SELinux policy" || echo "::: Warning: Pi-Hole SELinux policy did not install."
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1018,6 +1018,7 @@ update_dialogs() {
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
|
|
||||||
# Check arguments for the undocumented flags
|
# Check arguments for the undocumented flags
|
||||||
for var in "$@"; do
|
for var in "$@"; do
|
||||||
case "$var" in
|
case "$var" in
|
||||||
|
@ -1053,6 +1054,9 @@ main() {
|
||||||
# Install packages used by this installation script
|
# Install packages used by this installation script
|
||||||
install_dependent_packages INSTALLER_DEPS[@]
|
install_dependent_packages INSTALLER_DEPS[@]
|
||||||
|
|
||||||
|
# Check if SELinux is Enforcing
|
||||||
|
checkSelinux
|
||||||
|
|
||||||
if [[ "${reconfigure}" == true ]]; then
|
if [[ "${reconfigure}" == true ]]; then
|
||||||
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
|
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in a new issue