Fix: Handle SELinux on RHEL-based systems

- Add handle_selinux() function to detect and configure SELinux - In unattended mode, automatically set SELinux to permissive - In interactive mode, prompt user for SELinux configuration - Add --no-selinux option to skip SELinux handling - Export PIHOLE_SELINUX=true if user wants to keep enforcing mode
2026-01-18 08:20:52 +00:00
parent ce5674cb6c
commit feaa217cf8
1 changed files with 68 additions and 0 deletions
--- a/install.sh
+++ b/install.sh
@@ -45,6 +45,7 @@ IPV4_ADDRESS=""
 ADMIN_PASSWORD=""
 INSTALL_DIR="/etc/pihole"
 PIHOLE_SKIP_OS_CHECK=false
 HANDLE_SELINUX=true
 # Parse arguments
 while [ $# -gt 0 ]; do
@@ -57,6 +58,7 @@ while [ $# -gt 0 ]; do
        --dns1)          PIHOLE_DNS_1="$2"; shift 2 ;;
        --dns2)          PIHOLE_DNS_2="$2"; shift 2 ;;
        --skip-os-check) PIHOLE_SKIP_OS_CHECK=true; shift ;;
        --no-selinux)    HANDLE_SELINUX=false; shift ;;
        --help|-h)
            echo "Pi-hole Baremetal Installer"
            echo ""
@@ -71,6 +73,7 @@ while [ $# -gt 0 ]; do
            echo "  --dns1 <ip>        Upstream DNS 1 (default: 1.1.1.1)"
            echo "  --dns2 <ip>        Upstream DNS 2 (default: 1.0.0.1)"
            echo "  --skip-os-check    Skip OS compatibility check"
            echo "  --no-selinux       Don't modify SELinux (may cause issues)"
            exit 0
            ;;
        *) shift ;;
@@ -160,6 +163,70 @@ wait_for_zypper_lock() {
    done
 }
 # Handle SELinux on RHEL-based systems
 handle_selinux() {
    if [ "$HANDLE_SELINUX" != true ]; then
        return 0
    fi
    # Check if SELinux is available
    if ! command -v getenforce >/dev/null 2>&1; then
        return 0
    fi
    local selinux_status=$(getenforce 2>/dev/null)
    if [ "$selinux_status" = "Enforcing" ]; then
        log "SELinux is enforcing - configuring for Pi-hole..."
        # Set SELinux to permissive mode for installation
        # Pi-hole doesn't provide SELinux policies, so we need to either:
        # 1. Set to permissive
        # 2. Set PIHOLE_SELINUX=true to skip the check
        if [ "$UNATTENDED" = true ]; then
            # In unattended mode, set to permissive
            warn "Setting SELinux to permissive mode for Pi-hole installation"
            setenforce 0 2>/dev/null || true
            # Make it persistent
            if [ -f /etc/selinux/config ]; then
                sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 2>/dev/null || true
            fi
            success "SELinux set to permissive"
        else
            echo ""
            echo "========================================"
            echo "  SELinux Configuration Required"
            echo "========================================"
            echo ""
            echo "SELinux is currently enforcing. Pi-hole does not provide"
            echo "SELinux policies and requires one of these options:"
            echo ""
            echo "1. Set SELinux to permissive mode (recommended for home use)"
            echo "2. Keep enforcing and acknowledge potential issues"
            echo ""
            read -p "Set SELinux to permissive? [Y/n] " -n 1 -r
            echo
            if [[ ! $REPLY =~ ^[Nn]$ ]]; then
                setenforce 0 2>/dev/null || true
                if [ -f /etc/selinux/config ]; then
                    sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 2>/dev/null || true
                fi
                success "SELinux set to permissive"
            else
                warn "Keeping SELinux enforcing - setting PIHOLE_SELINUX=true"
                export PIHOLE_SELINUX=true
            fi
        fi
    elif [ "$selinux_status" = "Permissive" ]; then
        log "SELinux is permissive - OK"
    else
        log "SELinux is disabled - OK"
    fi
 }
 # Install prerequisites
 install_prerequisites() {
    log "Installing prerequisites..."
@@ -599,6 +666,7 @@ main() {
    echo ""
    detect_os
    handle_selinux
    install_prerequisites
    detect_interface
    detect_ip