SELinux Policy for Pi-hole

Hi,

I've worked on making a policy in my spare time for Pi-hole over the last few years, on and off again. This isn't a policy like that of other users that have attempted to create one by running through audit2allow to generate a generic one. This is a proper confined policy specifically for Pi-hole.

There are some caveats that go along with the policy that allow a proper separation from the default php-cgi engine and lighttpd, with the use of a wrapper script. But it isn't too far out of the ordinary. From what I gather, V6 will change this requirement.

I have also included some tweaked files, like a hardened unit file and pre-start script that I might open a PR for at a later date - but as said in the readme, are optional. I have seen some PRs talking about the same two ideas, so I might tone it down to be in line with the consensus of the devs.

Installation guide and detailed info can be found in the readme on my GitHub page for the policy: https://github.com/georou/pihole-selinux

Currently everything works as intended for me and all that I've tested, but it would be appreciated to get more eyes and testing done by anyone who is interested/runs Pi-hole on an SELinux-based (RHEL) system. I'm open to PRs or suggestions. There's also a To-Do list in the readme.

Hopefully this is useful to everyone and I look forward to hearing any feedback.

Cheers.
