Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Selinux rewrite #900

Closed
wants to merge 6 commits into from
Closed

Selinux rewrite #900

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cc56f49
selinux policy rewrite
bcambl Nov 3, 2016
d7a0bec
enable selinux httpd_execmem boolean
bcambl Nov 3, 2016
20f057b
tabs to spaces
bcambl Nov 3, 2016
4ee9870
remove systemd policy workaround
bcambl Nov 3, 2016
0d72f81
cleanup selinux compiled bins
bcambl Nov 3, 2016
7f91aa7
Merge branch 'development' into selinux_rewrite
bcambl Dec 20, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
99 changes: 26 additions & 73 deletions advanced/selinux/pihole.te
View file
Open in desktop
Expand Up @@ -2,32 +2,22 @@ module pihole 1.0;

require {
type var_log_t;
type unconfined_t;
type init_t;
type auditd_t;
type syslogd_t;
type NetworkManager_t;
type mdadm_t;
type tuned_t;
type avahi_t;
type irqbalance_t;
type system_dbusd_t;
type kernel_t;
type httpd_sys_script_t;
type systemd_logind_t;
type httpd_t;
type policykit_t;
type httpd_sys_script_t;
type dnsmasq_t;
type udev_t;
type postfix_pickup_t;
type sshd_t;
type crond_t;
type getty_t;
type lvm_t;
type postfix_qmgr_t;
type postfix_master_t;
class dir { getattr search };
class file { read open setattr };
type init_t;
type sysfs_t;
type shadow_t;
type pam_var_run_t;
type sudo_db_t;
type system_dbusd_var_run_t;
class dir { search add_name write create getattr };
class file { read write open create lock setattr getattr };
class process { setrlimit };
class netlink_audit_socket { create nlmsg_relay };
class unix_stream_socket { ioctl };
class sock_file { write };
class capability { setgid setuid dac_override dac_read_search sys_resource audit_write };
}

#============= dnsmasq_t ==============
Expand All @@ -36,52 +26,15 @@ allow dnsmasq_t var_log_t:file { open setattr };
#============= httpd_t ==============
allow httpd_t var_log_t:file { read open };

#============= httpd_sys_script_t (class: dir) ==============
allow httpd_sys_script_t NetworkManager_t:dir { getattr search };
allow httpd_sys_script_t auditd_t:dir { getattr search };
allow httpd_sys_script_t avahi_t:dir { getattr search };
allow httpd_sys_script_t crond_t:dir { getattr search };
allow httpd_sys_script_t dnsmasq_t:dir { getattr search };
allow httpd_sys_script_t getty_t:dir { getattr search };
allow httpd_sys_script_t httpd_t:dir { getattr search };
allow httpd_sys_script_t init_t:dir { getattr search };
allow httpd_sys_script_t irqbalance_t:dir { getattr search };
allow httpd_sys_script_t kernel_t:dir { getattr search };
allow httpd_sys_script_t lvm_t:dir { getattr search };
allow httpd_sys_script_t mdadm_t:dir { getattr search };
allow httpd_sys_script_t policykit_t:dir { getattr search };
allow httpd_sys_script_t postfix_master_t:dir { getattr search };
allow httpd_sys_script_t postfix_pickup_t:dir { getattr search };
allow httpd_sys_script_t postfix_qmgr_t:dir { getattr search };
allow httpd_sys_script_t sshd_t:dir { getattr search };
allow httpd_sys_script_t syslogd_t:dir { getattr search };
allow httpd_sys_script_t system_dbusd_t:dir { getattr search };
allow httpd_sys_script_t systemd_logind_t:dir { getattr search };
allow httpd_sys_script_t tuned_t:dir { getattr search };
allow httpd_sys_script_t udev_t:dir { getattr search };
allow httpd_sys_script_t unconfined_t:dir { getattr search };

#============= httpd_sys_script_t (class: file) ==============
allow httpd_sys_script_t NetworkManager_t:file { read open };
allow httpd_sys_script_t auditd_t:file { read open };
allow httpd_sys_script_t avahi_t:file { read open };
allow httpd_sys_script_t crond_t:file { read open };
allow httpd_sys_script_t dnsmasq_t:file { read open };
allow httpd_sys_script_t getty_t:file { read open };
allow httpd_sys_script_t httpd_t:file { read open };
allow httpd_sys_script_t init_t:file { read open };
allow httpd_sys_script_t irqbalance_t:file { read open };
allow httpd_sys_script_t kernel_t:file { read open };
allow httpd_sys_script_t lvm_t:file { read open };
allow httpd_sys_script_t mdadm_t:file { read open };
allow httpd_sys_script_t policykit_t:file { read open };
allow httpd_sys_script_t postfix_master_t:file { read open };
allow httpd_sys_script_t postfix_pickup_t:file { read open };
allow httpd_sys_script_t postfix_qmgr_t:file { read open };
allow httpd_sys_script_t sshd_t:file { read open };
allow httpd_sys_script_t syslogd_t:file { read open };
allow httpd_sys_script_t system_dbusd_t:file { read open };
allow httpd_sys_script_t systemd_logind_t:file { read open };
allow httpd_sys_script_t tuned_t:file { read open };
allow httpd_sys_script_t udev_t:file { read open };
allow httpd_sys_script_t unconfined_t:file { read open };
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dnsmasq_t:dir getattr;
allow httpd_sys_script_t sysfs_t:file { read open getattr };
allow httpd_sys_script_t pam_var_run_t:dir { write create add_name };
allow httpd_sys_script_t pam_var_run_t:file { read write open create lock getattr };
allow httpd_sys_script_t self:capability { setgid setuid dac_override dac_read_search sys_resource audit_write };
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
allow httpd_sys_script_t sudo_db_t:dir { search getattr };
allow httpd_sys_script_t shadow_t:file { read open create getattr };
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t init_t:unix_stream_socket { ioctl };
allow httpd_sys_script_t system_dbusd_var_run_t:sock_file { write };
7 changes: 3 additions & 4 deletions automated install/basic-install.sh
View file
Open in desktop
Expand Up @@ -950,14 +950,13 @@ configureSelinux() {
echo " installed!"
printf ":::\tEnabling httpd server side includes (SSI).. "
setsebool -P httpd_ssi_exec on &> /dev/null && echo "Success" || echo "SELinux not enabled"
printf ":::\tEnabling httpd execmem.. "
setsebool -P httpd_execmem on &> /dev/null && echo "Success" || echo "SELinux not enabled"
printf "\n:::\tCompiling Pi-Hole SELinux policy..\n"
if ! [ -x "$(command -v systemctl)" ]; then
sed -i.bak '/systemd/d' /etc/.pihole/advanced/selinux/pihole.te
fi
checkmodule -M -m -o /etc/pihole/pihole.mod /etc/.pihole/advanced/selinux/pihole.te
semodule_package -o /etc/pihole/pihole.pp -m /etc/pihole/pihole.mod
semodule -i /etc/pihole/pihole.pp
rm -f /etc/pihole/pihole.mod
rm -f /etc/pihole/pihole.mod /etc/pihole/pihole.pp
semodule -l | grep pihole &> /dev/null && echo "::: Installed Pi-Hole SELinux policy" || echo "::: Warning: Pi-Hole SELinux policy did not install."
fi
}
Expand Down