DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-03-05 20:52:15 -08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

SELinux and iptables update for installer (#2674)

Browse source 
* detect SELinux

detect SELinux is enforcing and set required security policies for
CentOS 7

* Centos 6 iptables

allow http/https if iptables is running
This commit is contained in:
tiagom62 2016-09-26 17:11:43 -04:00 committed by snipe
parent 937192f7ce
commit 03ee6b8f91
1 changed files with 24 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
snipeit.sh
View file

@ -285,7 +285,7 @@ case $distro in
#We already established MySQL root & user PWs, so we dont need to be prompted. Let's go ahead and install Apache, PHP and MySQL. #We already established MySQL root & user PWs, so we dont need to be prompted. Let's go ahead and install Apache, PHP and MySQL.
echo "## Setting up LAMP." echo "## Setting up LAMP."
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y lamp-server^ >> /var/log/snipeit-install.log & pid=$! 2>&1
echo "" echo ""
progress progress
if [ "$version" == "16.04" ]; then if [ "$version" == "16.04" ]; then
@ -492,14 +492,21 @@ case $distro in
sudo chmod -R 755 $webdir/$name/public/uploads sudo chmod -R 755 $webdir/$name/public/uploads
sudo chown -R apache:apache $webdir/$name sudo chown -R apache:apache $webdir/$name
#TODO detect if SELinux and firewall are enabled to decide what to do #TODO detect if SELinux is enabled to decide what to do.
#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/ # chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload #Check if iptables is running
/sbin/service iptables status >/dev/null 2>&1
if [ $? = 0 ]; then
#Open http/https port
iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
#Save iptables
service iptables save
fi
service httpd restart service httpd restart
elif [ "$version" == "7" ]; then elif [ "$version" == "7" ]; then
##################################### Install for Centos/Redhat 7 ############################################## ##################################### Install for Centos/Redhat 7 ##############################################
@ -608,10 +615,17 @@ case $distro in
sudo chmod -R 755 $webdir/$name/storage/private_uploads sudo chmod -R 755 $webdir/$name/storage/private_uploads
sudo chmod -R 755 $webdir/$name/public/uploads sudo chmod -R 755 $webdir/$name/public/uploads
sudo chown -R apache:apache $webdir/$name sudo chown -R apache:apache $webdir/$name
# Make SeLinux happy
sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/ #Check if SELinux is enforcing
#TODO detect if SELinux and firewall are enabled to decide what to do if [ $(getenforce) == "Enforcing" ]; then
#Add SELinux and firewall exception/rules. Youll have to allow 443 if you want ssl connectivity. #Required for ldap integration
setsebool -P httpd_can_connect_ldap on
#Sets SELinux context type so that scripts running in the web server process are allowed read/write access
sudo chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
fi
#TODO detect if firewall is enabled to decide what to do
#Add firewall exception/rules. Youll have to allow 443 if you want ssl connectivity.
# chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/ # chcon -R -h -t httpd_sys_script_rw_t $webdir/$name/
# firewall-cmd --zone=public --add-port=80/tcp --permanent # firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload # firewall-cmd --reload