mirror of
https://github.com/pi-hole/pi-hole
synced 2025-01-03 12:40:56 +00:00
exit installer if SELinux is enforcing
The Pi-hole project does not ship a custom SELinux policy as the required policy would lower the overall system security. Users who require SELinux to be enforcing are encouraged to create an custom policy on a case-by-case basis. Signed-off-by: bcambl <blayne@blaynecampbell.com>
This commit is contained in:
parent
2e138eb99f
commit
81ca78e7f4
@ -1959,20 +1959,42 @@ installPihole() {
|
|||||||
|
|
||||||
# SELinux
|
# SELinux
|
||||||
checkSelinux() {
|
checkSelinux() {
|
||||||
# If the getenforce command exists,
|
local DEFAULT_SELINUX
|
||||||
if is_command getenforce ; then
|
local CURRENT_SELINUX
|
||||||
# Store the current mode in a variable
|
local SELINUX_ENFORCING=0
|
||||||
enforceMode=$(getenforce)
|
# Check if a SELinux configuration file exists
|
||||||
printf "\\n %b SELinux mode detected: %s\\n" "${INFO}" "${enforceMode}"
|
if [[ -f /etc/selinux/config ]]; then
|
||||||
|
# If a SELinux configuration file was found, check the default SELinux mode.
|
||||||
# If it's enforcing,
|
DEFAULT_SELINUX=$(awk -F= '/^SELINUX=/ {print $2}' /etc/selinux/config)
|
||||||
if [[ "${enforceMode}" == "Enforcing" ]]; then
|
case "${DEFAULT_SELINUX,,}" in
|
||||||
# Explain Pi-hole does not support it yet
|
enforcing)
|
||||||
whiptail --defaultno --title "SELinux Enforcing Detected" --yesno "SELinux is being ENFORCED on your system! \\n\\nPi-hole currently does not support SELinux, but you may still continue with the installation.\\n\\nNote: Web Admin will not be fully functional unless you set your policies correctly\\n\\nContinue installing Pi-hole?" "${r}" "${c}" || \
|
echo -e "${CROSS} ${COL_RED}Default SELinux: $DEFAULT_SELINUX${COL_NC}"
|
||||||
{ printf "\\n %bSELinux Enforcing detected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"; exit 1; }
|
SELINUX_ENFORCING=1
|
||||||
printf " %b Continuing installation with SELinux Enforcing\\n" "${INFO}"
|
;;
|
||||||
printf " %b Please refer to official SELinux documentation to create a custom policy\\n" "${INFO}"
|
*) # 'permissive' and 'disabled'
|
||||||
|
echo -e "${TICK} ${COL_GREEN}Default SELinux: $DEFAULT_SELINUX${COL_NC}";
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
# Check the current state of SELinux
|
||||||
|
CURRENT_SELINUX=$(getenforce)
|
||||||
|
case "${CURRENT_SELINUX,,}" in
|
||||||
|
enforcing)
|
||||||
|
echo -e "${CROSS} ${COL_RED}Current SELinux: $CURRENT_SELINUX${COL_NC}"
|
||||||
|
SELINUX_ENFORCING=1
|
||||||
|
;;
|
||||||
|
*) # 'permissive' and 'disabled'
|
||||||
|
echo -e "${TICK} ${COL_GREEN}Current SELinux: $CURRENT_SELINUX${COL_NC}";
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
echo -e "${INFO} ${COL_GREEN}SELinux not detected${COL_NC}";
|
||||||
fi
|
fi
|
||||||
|
# Exit the installer if any SELinux checks toggled the flag
|
||||||
|
if [[ "${SELINUX_ENFORCING}" -eq 1 ]] && [[ -z "${PIHOLE_SELINUX}" ]]; then
|
||||||
|
echo -e "Pi-hole does not provide an SELinux policy as the required changes modify the security of your system."
|
||||||
|
echo -e "Please refer to https://wiki.centos.org/HowTos/SELinux if SELinux is required for your deployment."
|
||||||
|
printf "\\n%bSELinux Enforcing detected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}";
|
||||||
|
exit 1;
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user