From 03ee6b8f91e0cd4e298e4d39876dc435659d7e61 Mon Sep 17 00:00:00 2001
From: tiagom62 <tiagom62@users.noreply.github.com>
Date: Mon, 26 Sep 2016 17:11:43 -0400
Subject: [PATCH] SELinux and iptables update for installer (#2674)

* detect SELinux

detect SELinux is enforcing and set required security policies for
CentOS 7

* Centos 6 iptables

allow http/https if iptables is running
---
 snipeit.sh | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/snipeit.sh b/snipeit.sh
index ed5656c7514e..33d3af5163db 100755
--- a/snipeit.sh
+++ b/snipeit.sh
@@ -285,7 +285,7 @@ case $distro in
 
 		#We already established MySQL root & user PWs, so we dont need to be prompted. Let's go ahead and install Apache, PHP and MySQL.
 		echo "##  Setting up LAMP."
-		sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1 
+		sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1
 		echo ""
 		progress
 		if [ "$version" == "16.04" ]; then
@@ -492,14 +492,21 @@ case $distro in
 		sudo chmod -R 755 $webdir/$name/public/uploads
 		sudo chown -R apache:apache $webdir/$name
 
-#TODO detect if SELinux and firewall are enabled to decide what to do
-		#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
+#TODO detect if SELinux is enabled to decide what to do.
 		# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
-		# firewall-cmd --zone=public --add-port=80/tcp --permanent
-		# firewall-cmd --reload
+
+    #Check if iptables is running
+    /sbin/service iptables status >/dev/null 2>&1
+    if [ $? = 0 ]; then
+      #Open http/https port
+      iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
+      iptables -I INPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
+      #Save iptables
+      service iptables save
+    fi
 
 		service httpd restart
-		
+
 	elif [ "$version" == "7" ]; then
 		#####################################  Install for Centos/Redhat 7  ##############################################
 
@@ -608,10 +615,17 @@ case $distro in
 		sudo chmod -R 755 $webdir/$name/storage/private_uploads
 		sudo chmod -R 755 $webdir/$name/public/uploads
 		sudo chown -R apache:apache $webdir/$name
-		# Make SeLinux happy
-		sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
-#TODO detect if SELinux and firewall are enabled to decide what to do
-		#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
+
+    #Check if SELinux is enforcing
+    if [ $(getenforce) == "Enforcing" ]; then
+      #Required for ldap integration
+      setsebool -P httpd_can_connect_ldap on
+      #Sets SELinux context type so that scripts running in the web server process are allowed read/write access
+      sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
+    fi
+
+#TODO detect if firewall is enabled to decide what to do
+		#Add firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
 		# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
 		# firewall-cmd --zone=public --add-port=80/tcp --permanent
 		# firewall-cmd --reload