#736: Installer script no longer disables firewall or SELinux, and recommends using {{{security-config}}} script.

installer/opengnsys_installer.sh

@@ -145,7 +145,6 @@ OPENGNSYS_DB_CREATION_FILE=opengnsys/admin/Database/${OPENGNSYS_DATABASE}.sql
 # - APACHEENABLEOG, APACHEOGSITE, - habilitar sitio web de OpenGnsys
 # - PHPFPMSERV - servicio PHP FastCGI Process Manager para Apache
 # - INETDSERV - servicio Inetd
-# - FIREWALLSERV - servicio de cortabuegos IPTables/FirewallD
 # - DHCPSERV, DHCPCFGDIR - servicio y configuración de DHCP
 # - MYSQLSERV, TMPMYCNF - servicio MySQL y fichero temporal con credenciales de acceso
 # - MARIADBSERV - servicio MariaDB (sustituto de MySQL en algunas distribuciones)
@@ -232,11 +231,6 @@ case "$OSDISTRIB" in
 		APACHEREWRITEMOD="sed -i '/rewrite/s/^#//' $APACHECFGDIR/../*.conf"
 		DHCPSERV=dhcpd
 		DHCPCFGDIR=/etc/dhcp
-		if firewall-cmd --state &>/dev/null; then
-			FIREWALLSERV=firewalld
-		else
-			FIREWALLSERV=iptables
-		fi
 		INETDSERV=xinetd
 		INETDCFGDIR=/etc/xinetd.d
 		MYSQLSERV=mysqld
@@ -268,13 +262,6 @@ local f
 # Configuraciones específicas para Samba y TFTP en Debian 6.
 [ -z "$SYSTEMD" -a ! -e /etc/init.d/$SAMBASERV ] && SAMBASERV=samba
 [ ! -e $TFTPCFGDIR ] && TFTPCFGDIR=/srv/tftp
-
-# Configuraciones específicas para SELinux permisivo en distintas versiones.
-[ -f /selinux/enforce ] && echo 0 > /selinux/enforce
-for f in /etc/sysconfig/selinux /etc/selinux/config; do
-	[ -f $f ] && perl -pi -e 's/SELINUX=enforcing/SELINUX=permissive/g' $f
-done
-selinuxenabled 2>/dev/null && setenforce 0 2>/dev/null
 }
 
 
@@ -823,13 +810,7 @@ function downloadCode()
 # Comprobar si existe conexión.
 function checkNetworkConnection()
 {
-	echoAndLog "${FUNCNAME}(): Disabling Firewall: $FIREWALLSERV."
-	if [ -n "$FIREWALLSERV" ]; then
-		service=$FIREWALLSERV
-		$STOPSERVICE; $DISABLESERVICE
-	fi
-
-	echoAndLog "${FUNCNAME}(): Checking OpenGnsys server conectivity."
+	echoAndLog "${FUNCNAME}(): Checking OpenGnsys server connectivity."
 	OPENGNSYS_SERVER=${OPENGNSYS_SERVER:-"opengnsys.es"}
 	if which wget &>/dev/null; then
 		wget --spider -q $OPENGNSYS_SERVER
@@ -1576,16 +1557,15 @@ function installationSummary()
 	echoAndLog "Installed ogLive client(s):       $(oglivecli list | awk '{print $2}')"
 	echoAndLog "Samba configuration directory:    $SAMBACFGDIR"
 	echoAndLog "Web Console URL:                  $OPENGNSYS_CONSOLEURL"
-	echoAndLog "Web Console access data:          specified in installer script"
+	echoAndLog "Web Console access data:          entered by the user"
 	if grep -q "^RUN_BTTRACK.*no" /etc/default/opengnsys; then
 		echoAndLog "BitTorrent service is disabled."
 	fi
 	echo
 	echoAndLog "Post-Installation Instructions:"
 	echo       "==============================="
-	echoAndLog "Firewall service has been disabled and SELinux mode set to"
-	echoAndLog "   permissive during OpenGnsys installation. Please check"
-	echoAndLog "   ${FIREWALLSERV:-firewall} and SELinux configuration, if needed."
+	echoAndLog "You can improve server security by configuring firewall and SELinux,"
+	echoAndLog "   running \"$INSTALL_TARGET/lib/security-config\" script as root."
 	echoAndLog "It's strongly recommended to synchronize this server with an NTP server."
 	echoAndLog "Review or edit all configuration files."
 	echoAndLog "Insert DHCP configuration data and restart service."

server/lib/security-config

@@ -73,7 +73,7 @@ fi
 
 # SELinux configuration.
 if which setsebool &>/dev/null; then
-	if [ "$(getenforce)" != "Disabled" ]; then
+	if selinuxenabled; then
 		echo "Configuring SELinux."
 		# Configuring Apache.
 		setsebool -P httpd_can_connect_ldap on