Skip to content

Commit

Permalink
SELinux and iptables update for installer (snipe#2674)
Browse files Browse the repository at this point in the history
* detect SELinux

detect SELinux is enforcing and set required security policies for
CentOS 7

* Centos 6 iptables

allow http/https if iptables is running
  • Loading branch information
tiagom62 authored and snipe committed Sep 26, 2016
1 parent 937192f commit 03ee6b8
Showing 1 changed file with 24 additions and 10 deletions.
34 changes: 24 additions & 10 deletions snipeit.sh
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,7 @@ case $distro in

#We already established MySQL root & user PWs, so we dont need to be prompted. Let's go ahead and install Apache, PHP and MySQL.
echo "## Setting up LAMP."
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1
echo ""
progress
if [ "$version" == "16.04" ]; then
Expand Down Expand Up @@ -492,14 +492,21 @@ case $distro in
sudo chmod -R 755 $webdir/$name/public/uploads
sudo chown -R apache:apache $webdir/$name

#TODO detect if SELinux and firewall are enabled to decide what to do
#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
#TODO detect if SELinux is enabled to decide what to do.
# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload

#Check if iptables is running
/sbin/service iptables status >/dev/null 2>&1
if [ $? = 0 ]; then
#Open http/https port
iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
#Save iptables
service iptables save
fi

service httpd restart

elif [ "$version" == "7" ]; then
##################################### Install for Centos/Redhat 7 ##############################################

Expand Down Expand Up @@ -608,10 +615,17 @@ case $distro in
sudo chmod -R 755 $webdir/$name/storage/private_uploads
sudo chmod -R 755 $webdir/$name/public/uploads
sudo chown -R apache:apache $webdir/$name
# Make SeLinux happy
sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
#TODO detect if SELinux and firewall are enabled to decide what to do
#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.

#Check if SELinux is enforcing
if [ $(getenforce) == "Enforcing" ]; then
#Required for ldap integration
setsebool -P httpd_can_connect_ldap on
#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
fi

#TODO detect if firewall is enabled to decide what to do
#Add firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload
Expand Down

0 comments on commit 03ee6b8

Please sign in to comment.