Pi-hole on Fedora has issues with SELinux
-
I’ll have to look when I get home.
-
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
I’ll have to look when I get home.
The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run. -
Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?
-
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?
/var/log/audit/audit.log -
@jaredbusch said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
I’ll have to look when I get home.
The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.
-
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
-
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
-
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the
setroubleshootor whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.
-
For some reasons flushing logs isn't working for me. It works for me when using Debian.
-
ok back to this after 14 days and just WTF with my
audit.log, it took sealert 5 minutes to parse it.[root@pihole ~]# ls -lah /var/log/audit/audit.log -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log -
[root@pihole ~]# sealert -a /var/log/audit/audit.log 0% donetype=AVC msg=audit(1522818810.923:196): avc: denied { setrlimit } for pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 **** Invalid AVC allowed in current policy *** type=AVC msg=audit(1522818810.928:197): avc: denied { sys_resource } for pid=957 comm="sudo" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 **** Invalid AVC allowed in current policy *** 51% done'generator' object is not subscriptable 100% done found 29 alerts in /var/log/audit/audit.log -
SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd # semodule -X 300 -i my-lighttpd.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:httpd_config_t:s0 Target Objects /etc/lighttpd/lighttpd.conf [ file ] Source lighttpd Source Path lighttpd Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages lighttpd-1.4.49-4.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-04 00:10:27 CDT Last Seen 2018-04-04 00:10:27 CDT Local ID 7231bc1d-89a1-4c9b-afeb-e87e9fd42dba Raw Audit Messages type=AVC msg=audit(1522818627.295:87): avc: denied { map } for pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0 Hash: lighttpd,httpd_t,httpd_config_t,file,map -
SELinux is preventing sudo from nlmsg_relay access on the netlink_audit_socket Unknown. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to mod auth pam Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean. Do setsebool -P httpd_mod_auth_pam 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sudo should be allowed nlmsg_relay access on the Unknown netlink_audit_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ netlink_audit_socket ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1446 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-17 19:30:30 CDT Local ID 3ba955da-bc76-40a9-8efa-50c9728c7b3b Raw Audit Messages type=AVC msg=audit(1524011430.537:21859): avc: denied { nlmsg_relay } for pid=11201 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=1 Hash: sudo,httpd_t,httpd_t,netlink_audit_socket,nlmsg_relay -
SELinux is preventing sudo from using the audit_write capability. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to mod auth pam Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean. Do setsebool -P httpd_mod_auth_pam 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sudo should have the audit_write capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ capability ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1506 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-17 19:32:30 CDT Local ID 30419184-33b4-4c6a-8bd1-4f1baeb723fe Raw Audit Messages type=AVC msg=audit(1524011550.40:21873): avc: denied { audit_write } for pid=11238 comm="sudo" capability=29 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Hash: sudo,httpd_t,httpd_t,capability,audit_write -
SELinux is preventing grep from read access on the file 01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that grep should be allowed read access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects 01-pihole.conf [ file ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 20 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 20:41:40 CDT Local ID bb7f8e33-0218-4005-af39-84a179625a5e Raw Audit Messages type=AVC msg=audit(1523583700.990:11544): avc: denied { read } for pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: grep,httpd_t,dnsmasq_etc_t,file,readand
SELinux is preventing grep from open access on the file /etc/dnsmasq.d/01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that grep should be allowed open access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects /etc/dnsmasq.d/01-pihole.conf [ file ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 20 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 20:41:40 CDT Local ID 2b179168-a8dd-4d1b-b00c-d3979aff916b Raw Audit Messages type=AVC msg=audit(1523583700.990:11545): avc: denied { open } for pid=21644 comm="grep" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: grep,httpd_t,dnsmasq_etc_t,file,open -
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 4711. ***** Plugin connect_ports (85.9 confidence) suggests ********************* If you want to allow php-cgi to connect to network port 4711 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 4711 where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t. ***** Plugin catchall_boolean (7.33 confidence) suggests ****************** If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall_boolean (7.33 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (1.35 confidence) suggests ************************** If you believe that php-cgi should be allowed name_connect access on the port 4711 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi # semodule -X 300 -i my-phpcgi.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:unreserved_port_t:s0 Target Objects port 4711 [ tcp_socket ] Source php-cgi Source Path php-cgi Port 4711 Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 24 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 21:34:26 CDT Local ID 01d3eb41-826d-4d3c-8d5f-8eaec761ce30 Raw Audit Messages type=AVC msg=audit(1523586866.849:11550): avc: denied { name_connect } for pid=26269 comm="php-cgi" dest=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1 Hash: php-cgi,httpd_t,unreserved_port_t,tcp_socket,name_connectand
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 80. ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to graceful shutdown Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean. Do setsebool -P httpd_graceful_shutdown 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can network relay Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean. Do setsebool -P httpd_can_network_relay 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (3.53 confidence) suggests ************************** If you believe that php-cgi should be allowed name_connect access on the port 80 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi # semodule -X 300 -i my-phpcgi.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:http_port_t:s0 Target Objects port 80 [ tcp_socket ] Source php-cgi Source Path php-cgi Port 80 Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1325 First Seen 2018-04-04 06:59:33 CDT Last Seen 2018-04-17 19:32:29 CDT Local ID 7ac7ba27-7443-45b9-95b1-e625ab7a79f9 Raw Audit Messages type=AVC msg=audit(1524011549.891:21865): avc: denied { name_connect } for pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1 Hash: php-cgi,httpd_t,http_port_t,tcp_socket,name_connect -
SELinux is preventing grep from using the execmem access on a process. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to execmem Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean. Do setsebool -P httpd_execmem 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that grep should be allowed execmem access on processes labeled httpd_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ process ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 64692e75-6f36-4bd4-9fe6-45a60f1bc88c Raw Audit Messages type=AVC msg=audit(1523578079.302:11449): avc: denied { execmem } for pid=21097 comm="grep" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1 Hash: grep,httpd_t,httpd_t,process,execmem
