    Zerotier failing to start after upgrade

    • DustinB3403

      @fuznutz04

      What's the output of sealert -l 1f1ceca4-4863-4718-8ea1-842c896efe6f ?

      • AdamF @DustinB3403

        @DustinB3403 said in Zerotier failing to start after upgrade:

        sealert -l 1f1ceca4-4863-4718-8ea1-842c896efe6f

        sealert -l 1f1ceca4-4863-4718-8ea1-842c896efe6f
        /usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
        Instead, use this sequence:
        
            from dbus.mainloop.glib import DBusGMainLoop
        
            DBusGMainLoop(set_as_default=True)
        
          import dbus.glib
        SELinux is preventing zerotier-one from mmap_zero access on the memprotect labeled unconfined_service_t.
        
        *****  Plugin mmap_zero (53.1 confidence) suggests   *************************
        
        If you do not think zerotier-one should need to mmap low memory in the kernel.
        Then you may be under attack by a hacker, this is a very dangerous access.
        Do
        contact your security administrator and report this issue.
        
        *****  Plugin catchall_boolean (42.6 confidence) suggests   ******************
        
        If you want to allow mmap to low allowed
        Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
        
        Do
        setsebool -P mmap_low_allowed 1
        
        *****  Plugin catchall (5.76 confidence) suggests   **************************
        
        If you believe that zerotier-one should be allowed mmap_zero access on memprotect labeled unconfined_service_t by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do
        allow this access for now by executing:
        # ausearch -c 'zerotier-one' --raw | audit2allow -M my-zerotierone
        # semodule -X 300 -i my-zerotierone.pp
        
        
        Additional Information:
        Source Context                system_u:system_r:unconfined_service_t:s0
        Target Context                system_u:system_r:unconfined_service_t:s0
        Target Objects                Unknown [ memprotect ]
        Source                        zerotier-one
        Source Path                   zerotier-one
        Port                          <Unknown>
        Host                          kvm02
        Source RPM Packages           
        Target RPM Packages           
        Policy RPM                    selinux-policy-3.14.3-43.fc30.noarch
        Selinux Enabled               True
        Policy Type                   targeted
        Enforcing Mode                Enforcing
        Host Name                     kvm02
        Platform                      Linux kvm02 5.2.7-200.fc30.x86_64 #1 SMP
                                      Thu Aug 8 05:35:29 UTC 2019 x86_64 x86_64
        Alert Count                   6
        First Seen                    2019-08-13 15:11:56 EDT
        Last Seen                     2019-08-13 15:11:58 EDT
        Local ID                      1f1ceca4-4863-4718-8ea1-842c896efe6f
        
        Raw Audit Messages
        type=AVC msg=audit(1565723518.1:334): avc:  denied  { mmap_zero } for  pid=2703 comm="zerotier-one" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=memprotect permissive=0
        
        
        Hash: zerotier-one,unconfined_service_t,unconfined_service_t,memprotect,mmap_zero
        
        • DustinB3403 @AdamF

          @fuznutz04 Looks like the answer is in the details.

          Either you can allow mmap_low_allowed or you can allow it anyways with 2 or you can report it as a bug.

          1. setsebool -P mmap_low_allowed 1

          or

          1. ausearch -c 'zerotier-one' --raw | audit2allow -M my-zerotierone
            semodule -X 300 -i my-zerotierone.pp

          2. Report it as a bug.

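The local module suggested above is built from the raw AVC record in the sealert output. As an added example (not from the thread or from ZeroTier), this Python code parses that record and derives the allow rule it corresponds to, which shows that the grant applies to every process in the `unconfined_service_t` domain rather than to `zerotier-one` alone. The function names and the `REVIEW_PERMS` list are assumptions of the example.

```python
import re

# Raw audit record copied from the sealert output quoted in this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1565723518.1:334): avc:  denied  { mmap_zero } for  pid=2703 comm="zerotier-one" '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=memprotect permissive=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# Permissions this example treats as needing review (an assumption, not a standard list).
REVIEW_PERMS = {"mmap_zero", "execmem", "execstack", "execheap", "execmod"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    avc["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; policy rules are written on the type.
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc

def te_rule(avc):
    """Type-enforcement allow rule that would permit this denial."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {target}:{avc['tclass']} {perm_text};"

def review(line):
    """Summarise what allowing the denial grants and to whom."""
    avc = parse_avc(line)
    if avc is None:
        return None
    return {
        "process": avc.get("comm"),
        "rule": te_rule(avc),
        "granted_to_domain": avc["stype"],  # every process of this type, not only comm
        "needs_review": sorted(REVIEW_PERMS.intersection(avc["perms"])),
    }

if __name__ == "__main__":
    print(review(SAMPLE_AVC))
```

On the host itself, `audit2allow -m` (lowercase) prints the module source instead of building the `.pp`, so the same review can be done before `semodule -i`. Once the fixed build mentioned later in the thread is installed, `semodule -X 300 -r my-zerotierone` removes the local module again.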
          • AdamF @DustinB3403

            @DustinB3403 said in Zerotier failing to start after upgrade:

            semodule -X 300 -i my-zerotierone.pp

            Thanks Dustin. That did the trick!

            • JaredBusch

              no zerotier adapter on my laptop 😞 this is bad juju

              • JaredBusch

                This is definitely a bad deal. Anyone know if it has been reported to ZeroTier?

                All better, but only on my laptop. All the remote systems with SELinux are going to be under the same problem.

                • JaredBusch

                  Just confirmed. This also affects CentOS 7.

                  • DustinB3403 @JaredBusch

                    @JaredBusch said in Zerotier failing to start after upgrade:

                    Anyone know if it has been reported to ZeroTier?

                    Not sure, it was 1 of the 3 recommendations I made to @fuznutz04

                    • adam.ierymenko

                      Do an update. We released new binary builds for Linux that should address this.

                      • black3dynamite @adam.ierymenko

                        @adam-ierymenko said in Zerotier failing to start after upgrade:

                        Do an update. We released new binary builds for Linux that should address this.

                        Yep, it's working.

                        • scottalanmiller @adam.ierymenko

                          @adam-ierymenko said in Zerotier failing to start after upgrade:

                          Do an update. We released new binary builds for Linux that should address this.

                          Awesome

                          • AdamF @adam.ierymenko

                            @adam-ierymenko said in Zerotier failing to start after upgrade:

                            Do an update. We released new binary builds for Linux that should address this.

                            Awesome, Thanks!

                            • JaredBusch @adam.ierymenko

                              @adam-ierymenko said in Zerotier failing to start after upgrade:

                              Do an update. We released new binary builds for Linux that should address this.

                              Awesome, except all of my stuff already updated and is offline.
                              So I'm stuck for up to 24 hours until dnf-automatic rolls again.

                              • larsen161

                                can the mac version be updated via zerotier-cli at all?

                                • travisdh1 @adam.ierymenko

                                  @adam-ierymenko said in Zerotier failing to start after upgrade:

                                  Do an update. We released new binary builds for Linux that should address this.

                                  Sorry for resurrecting an old thread, but new installs are having the same selinux issue. Took some digging for me to figure out what was going on. Multiple attempts to install on Fedora 33.
