From 2fb0dc0a4a34ac1c4bab8aed0d5c17417d024bef Mon Sep 17 00:00:00 2001
From: bcambl
Date: Fri, 23 Dec 2016 10:27:52 -0600
Subject: [PATCH 01/13] add warning if SELinux is Enforcing
---
 advanced/selinux/pihole.te | 87 ------------------------------
 automated install/basic-install.sh | 36 ++++++-------
 2 files changed, 18 insertions(+), 105 deletions(-)
 delete mode 100644 advanced/selinux/pihole.te
diff --git a/advanced/selinux/pihole.te b/advanced/selinux/pihole.te
deleted file mode 100644
index 595755dd..00000000
--- a/advanced/selinux/pihole.te
+++ /dev/null
@@ -1,87 +0,0 @@
-module pihole 1.0;
-
-require {
- type var_log_t;
- type unconfined_t;
- type init_t;
- type auditd_t;
- type syslogd_t;
- type NetworkManager_t;
- type mdadm_t;
- type tuned_t;
- type avahi_t;
- type irqbalance_t;
- type system_dbusd_t;
- type kernel_t;
- type httpd_sys_script_t;
- type systemd_logind_t;
- type httpd_t;
- type policykit_t;
- type dnsmasq_t;
- type udev_t;
- type postfix_pickup_t;
- type sshd_t;
- type crond_t;
- type getty_t;
- type lvm_t;
- type postfix_qmgr_t;
- type postfix_master_t;
- class dir { getattr search };
- class file { read open setattr };
-}
-
-#============= dnsmasq_t ==============
-allow dnsmasq_t var_log_t:file { open setattr };
-
-#============= httpd_t ==============
-allow httpd_t var_log_t:file { read open };
-
-#============= httpd_sys_script_t (class: dir) ==============
-allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
-allow httpd_sys_script_t auditd_t:dir { getattr search };
-allow httpd_sys_script_t avahi_t:dir { getattr search };
-allow httpd_sys_script_t crond_t:dir { getattr search };
-allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
-allow httpd_sys_script_t getty_t:dir { getattr search };
-allow httpd_sys_script_t httpd_t:dir { getattr search };
-allow httpd_sys_script_t init_t:dir { getattr search };
-allow httpd_sys_script_t irqbalance_t:dir { getattr search };
-allow httpd_sys_script_t kernel_t:dir { getattr search };
-allow httpd_sys_script_t lvm_t:dir { getattr search };
-allow httpd_sys_script_t mdadm_t:dir { getattr search };
-allow httpd_sys_script_t policykit_t:dir { getattr search };
-allow httpd_sys_script_t postfix_master_t:dir { getattr search };
-allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
-allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
-allow httpd_sys_script_t sshd_t:dir { getattr search };
-allow httpd_sys_script_t syslogd_t:dir { getattr search };
-allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
-allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
-allow httpd_sys_script_t tuned_t:dir { getattr search };
-allow httpd_sys_script_t udev_t:dir { getattr search };
-allow httpd_sys_script_t unconfined_t:dir { getattr search };
-
-#============= httpd_sys_script_t (class: file) ==============
-allow httpd_sys_script_t NetworkManager_t:file { read open };
-allow httpd_sys_script_t auditd_t:file { read open };
-allow httpd_sys_script_t avahi_t:file { read open };
-allow httpd_sys_script_t crond_t:file { read open };
-allow httpd_sys_script_t dnsmasq_t:file { read open };
-allow httpd_sys_script_t getty_t:file { read open };
-allow httpd_sys_script_t httpd_t:file { read open };
-allow httpd_sys_script_t init_t:file { read open };
-allow httpd_sys_script_t irqbalance_t:file { read open };
-allow httpd_sys_script_t kernel_t:file { read open };
-allow httpd_sys_script_t lvm_t:file { read open };
-allow httpd_sys_script_t mdadm_t:file { read open };
-allow httpd_sys_script_t policykit_t:file { read open };
-allow httpd_sys_script_t postfix_master_t:file { read open };
-allow httpd_sys_script_t postfix_pickup_t:file { read open };
-allow httpd_sys_script_t postfix_qmgr_t:file { read open };
-allow httpd_sys_script_t sshd_t:file { read open };
-allow httpd_sys_script_t syslogd_t:file { read open };
-allow httpd_sys_script_t system_dbusd_t:file { read open };
-allow httpd_sys_script_t systemd_logind_t:file { read open };
-allow httpd_sys_script_t tuned_t:file { read open };
-allow httpd_sys_script_t udev_t:file { read open };
-allow httpd_sys_script_t unconfined_t:file { read open };
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 7e4f62ef..0b32950d 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -890,7 +890,6 @@ installPihole() {
 installScripts
 installConfigs
 CreateLogFile
- configureSelinux
 installPiholeWeb
 installCron
 configureFirewall
@@ -921,7 +920,6 @@ updatePihole() {
 installScripts
 installConfigs
 CreateLogFile
- configureSelinux
 installPiholeWeb
 installCron
 configureFirewall
@@ -929,23 +927,22 @@ updatePihole() {
 runGravity
 }
-configureSelinux() {
+checkSelinux() {
 if [ -x "$(command -v getenforce)" ]; then
- printf "\n::: SELinux Detected\n"
- printf ":::\tChecking for SELinux policy development packages..."
- package_check_install "selinux-policy-devel" > /dev/null
- echo " installed!"
- printf ":::\tEnabling httpd server side includes (SSI).. "
- setsebool -P httpd_ssi_exec on &> /dev/null && echo "Success" || echo "SELinux not enabled"
- printf "\n:::\tCompiling Pi-Hole SELinux policy..\n"
- if ! [ -x "$(command -v systemctl)" ]; then
- sed -i.bak '/systemd/d' /etc/.pihole/advanced/selinux/pihole.te
+ printf "\n::: SELinux Support Detected.."
+ getenforce | grep 'Enforcing'
+ if [ $? -eq 0 ]; then
+ printf "\n::: SELinux is being Enforced on your system"
+ printf "\n::: WARNING: PiHole does not support SELinux at this time.."
+ read -r -p "Continue with SELinux Enforcing? [y/N]" continue
+ if [[ $continue =~ ^([yY][eE][sS]|[yY])$ ]]
+ then
+ printf "\n::: Continuing installation with SELinux Enforcing.."
+ printf "\n::: Please refer to official SELinux documentation to create a custom policy."
+ else
+ exit 1
+ fi
 fi
- checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
- semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
- semodule -i /etc/pihole/pihole.pp
- rm -f /etc/pihole/pihole.mod
- semodule -l | grep pihole &> /dev/null && echo "::: Installed Pi-Hole SELinux policy" || echo "::: Warning: Pi-Hole SELinux policy did not install."
 fi
 }
@@ -1011,7 +1008,10 @@ update_dialogs() {
 }
 main() {
-# Check arguments for the undocumented flags
+ # Check if SELinux is Enforcing
+ checkSelinux
+
+ # Check arguments for the undocumented flags
 for var in "$@"; do
 case "$var" in
 "--reconfigure" ) reconfigure=true;;
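Review bot: The removed configureSelinux() had loaded a persistent `pihole` policy module with `semodule -i` and set the `httpd_ssi_exec` boolean with `setsebool -P`, and the new checkSelinux() neither removes nor mentions them, so a host upgraded through updatePihole() (the hunk just above) keeps the old allow rules for httpd_sys_script_t while the installer now tells the user SELinux is unsupported. A comment on checkSelinux() should record that, e.g. `# Earlier installers loaded a 'pihole' SELinux module and set httpd_ssi_exec; this check does not undo them.` Removing the stale module on upgrade (`semodule -r pihole`) is worth a follow-up; the boolean is better left to the administrator, since other httpd content on the host may rely on it. The call site moved into main() in the last hunk of this file runs before the dependency install, which the later patches in this series reorder.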
From fdb64a57022f8ac9ff5d98aaa0a7c64d6288bbb8 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 16:53:42 +0000
Subject: [PATCH 02/13] untested convert user prompt to whiptail
---
 automated install/basic-install.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 15a0a868..d8899ce3 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -934,16 +934,14 @@ updatePihole() {
 runGravity
 }
+
+
 checkSelinux() {
 if [ -x "$(command -v getenforce)" ]; then
 printf "\n::: SELinux Support Detected.."
 getenforce | grep 'Enforcing'
 if [ $? -eq 0 ]; then
- printf "\n::: SELinux is being Enforced on your system"
- printf "\n::: WARNING: PiHole does not support SELinux at this time.."
- read -r -p "Continue with SELinux Enforcing? [y/N]" continue
- if [[ $continue =~ ^([yY][eE][sS]|[yY])$ ]]
- then
+ if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system. \n Pi-hole does not support SELinux at this time...\nContinue with SELinux Enforcing?" 8 78); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
 else
From a8897becd2d753ed16f8d68628e38c08f9a165c0 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 16:55:56 +0000
Subject: [PATCH 03/13] Make sure whiptail is installed...
---
 automated install/basic-install.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index d8899ce3..61665fdb 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1013,8 +1013,6 @@ update_dialogs() {
 }
 main() {
- # Check if SELinux is Enforcing
- checkSelinux
 # Check arguments for the undocumented flags
 for var in "$@"; do
@@ -1051,6 +1049,9 @@ main() {
 # Install packages used by this installation script
 install_dependent_packages INSTALLER_DEPS[@]
+ # Check if SELinux is Enforcing
+ checkSelinux
+
 if [[ "${reconfigure}" == true ]]; then
 echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
 else
From 662d4506514543a596810a77b3dcf25239f438d5 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 16:58:58 +0000
Subject: [PATCH 04/13] adjust size of whiptail dialog
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 61665fdb..1b1070e2 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -941,7 +941,7 @@ checkSelinux() {
 printf "\n::: SELinux Support Detected.."
 getenforce | grep 'Enforcing'
 if [ $? -eq 0 ]; then
- if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system. \n Pi-hole does not support SELinux at this time...\nContinue with SELinux Enforcing?" 8 78); then
+ if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system. \nPi-hole does not support SELinux at this time...\nContinue with SELinux Enforcing?" ${r} ${c}); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
 else
From c45c3a72b517767cc7f11fc0804ce09812ae3a03 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:06:33 +0000
Subject: [PATCH 05/13] words words words
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 1b1070e2..98376e76 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
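Review bot: Moving `checkSelinux` below `install_dependent_packages INSTALLER_DEPS[@]` means a user who declines the SELinux dialog reaches `exit 1` only after the installer dependencies have already been installed on the host, so the abort is not a no-op and the script never says so. That is acceptable given whiptail must exist before the dialog can be shown, but the trade-off should be written down next to the call, e.g. `# Must run after install_dependent_packages (needs whiptail); declining here leaves those packages installed.` Whether whiptail is actually part of INSTALLER_DEPS is not visible in this hunk, so I cannot confirm the reordering is sufficient on its own; the rest of main() is outside the hunk.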
@@ -941,7 +941,7 @@ checkSelinux() {
 printf "\n::: SELinux Support Detected.."
 getenforce | grep 'Enforcing'
 if [ $? -eq 0 ]; then
- if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system. \nPi-hole does not support SELinux at this time...\nContinue with SELinux Enforcing?" ${r} ${c}); then
+ if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
 else
From 00aff6a906dcef87382b50c0238626b20022faa6 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:16:03 +0000
Subject: [PATCH 06/13] maybe
---
 automated install/basic-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 98376e76..56960d24 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -939,8 +939,8 @@ updatePihole() {
 checkSelinux() {
 if [ -x "$(command -v getenforce)" ]; then
 printf "\n::: SELinux Support Detected.."
- getenforce | grep 'Enforcing'
- if [ $? -eq 0 ]; then
+ enforceMode=$(getenforce)
+ if [[ "${enforceMode}" == "Enforcing" ]]; then
 if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
From 15c674ba293b31bf45d1eb050c1ced9cb2cf430a Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:20:33 +0000
Subject: [PATCH 07/13] verbosity
---
 automated install/basic-install.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 56960d24..82ea6cb1 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
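Review bot: `enforceMode=$(getenforce)` creates a global variable from inside checkSelinux(); adding `local enforceMode` on the line before keeps it scoped to the function, and the function's closing lines are outside this hunk. Comparing the exact mode string is an improvement over the earlier `grep 'Enforcing'`, which also echoed its match to the terminal, but every other value (including `Permissive`, where denials are logged rather than blocked) now passes without comment. A one-line note would record that decision for the next maintainer: `# Only Enforcing blocks the install; Permissive logs denials but lets Pi-hole run.`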
@@ -938,13 +938,16 @@ updatePihole() {
 checkSelinux() {
 if [ -x "$(command -v getenforce)" ]; then
- printf "\n::: SELinux Support Detected.."
+ echo -n "\n::: SELinux Support Detected... Mode: "
 enforceMode=$(getenforce)
+ echo "${enforceMode}"
 if [[ "${enforceMode}" == "Enforcing" ]]; then
- if (whiptail --title "SELinux Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
+ echo "Enforcing"
+ if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
 else
+ printf "\n::: Not continuing install after SELinux Enforcing detected"
 exit 1
 fi
 fi
From 4c131b8c282465a6a7b3470f7236ba7910870922 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:21:23 +0000
Subject: [PATCH 08/13] newlines
---
 automated install/basic-install.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 82ea6cb1..e5f37152 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -938,7 +938,8 @@ updatePihole() {
 checkSelinux() {
 if [ -x "$(command -v getenforce)" ]; then
- echo -n "\n::: SELinux Support Detected... Mode: "
+ echo ":::"
+ echo -n "::: SELinux Support Detected... Mode: "
 enforceMode=$(getenforce)
 echo "${enforceMode}"
 if [[ "${enforceMode}" == "Enforcing" ]]; then
From 754f3359ec3018d1757cc5c8684fb5bd54c3dc69 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:22:31 +0000
Subject: [PATCH 09/13] too many echos spoil the branch
---
 automated install/basic-install.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index e5f37152..7aaf470c 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -943,7 +943,6 @@ checkSelinux() {
 enforceMode=$(getenforce)
 echo "${enforceMode}"
 if [[ "${enforceMode}" == "Enforcing" ]]; then
- echo "Enforcing"
 if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
 printf "\n::: Continuing installation with SELinux Enforcing.."
 printf "\n::: Please refer to official SELinux documentation to create a custom policy."
From 972598503769bab811811d8732f72659545cee6f Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:24:33 +0000
Subject: [PATCH 10/13] printf to echo. idgaf
---
 automated install/basic-install.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 7aaf470c..165ed5f3 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -944,10 +944,12 @@ checkSelinux() {
 echo "${enforceMode}"
 if [[ "${enforceMode}" == "Enforcing" ]]; then
 if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
- printf "\n::: Continuing installation with SELinux Enforcing.."
- printf "\n::: Please refer to official SELinux documentation to create a custom policy."
+ echo ":::"
+ echo "::: Continuing installation with SELinux Enforcing.."
+ echo "::: Please refer to official SELinux documentation to create a custom policy."
 else
- printf "\n::: Not continuing install after SELinux Enforcing detected"
+ echo ":::"
+ echo "::: Not continuing install after SELinux Enforcing detected"
 exit 1
 fi
 fi
From abd1fedc9d2e7adbc51fc3ff83a051e23dfead70 Mon Sep 17 00:00:00 2001
From: Promofaux
Date: Fri, 23 Dec 2016 17:25:55 +0000
Subject: [PATCH 11/13] .
---
 automated install/basic-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 165ed5f3..058a57e9 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -945,11 +945,11 @@ checkSelinux() {
 if [[ "${enforceMode}" == "Enforcing" ]]; then
 if (whiptail --title "SELinux Enforcing Detected" --yesno "SELinux is being Enforced on your system!\n\nPi-hole currently does not support SELinux, but you may still continue with the installation.\n\nNote: Admin UI Will not function fully without setting your policies correctly\n\nContinue installing Pi-hole?" ${r} ${c}); then
 echo ":::"
- echo "::: Continuing installation with SELinux Enforcing.."
+ echo "::: Continuing installation with SELinux Enforcing."
 echo "::: Please refer to official SELinux documentation to create a custom policy."
 else
 echo ":::"
- echo "::: Not continuing install after SELinux Enforcing detected"
+ echo "::: Not continuing install after SELinux Enforcing detected."
 exit 1
 fi
 fi
From fc8fcdbece3de9920c085a2d064f55b137c9893d Mon Sep 17 00:00:00 2001
From: Mcat12
Date: Fri, 23 Dec 2016 12:28:18 -0500
Subject: [PATCH 12/13] Add newline
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 058a57e9..0c28f725 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -949,7 +949,7 @@ checkSelinux() {
 echo "::: Please refer to official SELinux documentation to create a custom policy."
 else
 echo ":::"
- echo "::: Not continuing install after SELinux Enforcing detected."
+ echo "::: Not continuing install after SELinux Enforcing detected.\n"
 exit 1
 fi
 fi
From 54afffed19694fb24891be047c4b9d918f28a353 Mon Sep 17 00:00:00 2001
From: Mcat12
Date: Fri, 23 Dec 2016 12:30:33 -0500
Subject: [PATCH 13/13] Remove newline
Issue was already fixed
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 0c28f725..058a57e9 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -949,7 +949,7 @@ checkSelinux() {
 echo "::: Please refer to official SELinux documentation to create a custom policy."
 else
 echo ":::"
- echo "::: Not continuing install after SELinux Enforcing detected.\n"
+ echo "::: Not continuing install after SELinux Enforcing detected."
 exit 1
 fi
 fi
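Review bot: The `else` branch that prints `Not continuing install after SELinux Enforcing detected.` is reached both when the user answers No and when whiptail itself exits non-zero (dialog cancelled, no terminal, binary missing), so the message attributes an installer failure to a user decision. The behaviour is fail-closed, which is the right default for an unsupported security mode, but that intent should be stated in the code rather than left implicit: a comment above the `else`, e.g. `# Any non-zero from whiptail (No, Esc, or no TTY) aborts: fail closed on an unsupported SELinux mode.`, would do it. The opening lines and closing brace of checkSelinux() are outside this hunk.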