    Zerotier failing to start after upgrade

    • AdamFA
      AdamF @DustinB3403
      last edited by

      @DustinB3403 said in Zerotier failing to start after upgrade:

      sealert -l 1f1ceca4-4863-4718-8ea1-842c896efe6f

      sealert -l 1f1ceca4-4863-4718-8ea1-842c896efe6f
      /usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
      Instead, use this sequence:
      
          from dbus.mainloop.glib import DBusGMainLoop
      
          DBusGMainLoop(set_as_default=True)
      
        import dbus.glib
      SELinux is preventing zerotier-one from mmap_zero access on the memprotect labeled unconfined_service_t.
      
      *****  Plugin mmap_zero (53.1 confidence) suggests   *************************
      
      If you do not think zerotier-one should need to mmap low memory in the kernel.
      Then you may be under attack by a hacker, this is a very dangerous access.
      Do
      contact your security administrator and report this issue.
      
      *****  Plugin catchall_boolean (42.6 confidence) suggests   ******************
      
      If you want to allow mmap to low allowed
      Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
      
      Do
      setsebool -P mmap_low_allowed 1
      
      *****  Plugin catchall (5.76 confidence) suggests   **************************
      
      If you believe that zerotier-one should be allowed mmap_zero access on memprotect labeled unconfined_service_t by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'zerotier-one' --raw | audit2allow -M my-zerotierone
      # semodule -X 300 -i my-zerotierone.pp
      
      
      Additional Information:
      Source Context                system_u:system_r:unconfined_service_t:s0
      Target Context                system_u:system_r:unconfined_service_t:s0
      Target Objects                Unknown [ memprotect ]
      Source                        zerotier-one
      Source Path                   zerotier-one
      Port                          <Unknown>
      Host                          kvm02
      Source RPM Packages           
      Target RPM Packages           
      Policy RPM                    selinux-policy-3.14.3-43.fc30.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     kvm02
      Platform                      Linux kvm02 5.2.7-200.fc30.x86_64 #1 SMP
                                    Thu Aug 8 05:35:29 UTC 2019 x86_64 x86_64
      Alert Count                   6
      First Seen                    2019-08-13 15:11:56 EDT
      Last Seen                     2019-08-13 15:11:58 EDT
      Local ID                      1f1ceca4-4863-4718-8ea1-842c896efe6f
      
      Raw Audit Messages
      type=AVC msg=audit(1565723518.1:334): avc:  denied  { mmap_zero } for  pid=2703 comm="zerotier-one" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=memprotect permissive=0
      
      
      Hash: zerotier-one,unconfined_service_t,unconfined_service_t,memprotect,mmap_zero
      
      DustinB3403D 1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @AdamF
        last edited by

        @fuznutz04 Looks like the answer is in the details.

        Either you can allow mmap_low_allowed or you can allow it anyways with 2 or you can report it as a bug.

        1. setsebool -P mmap_low_allowed 1

        or

        2. ausearch -c 'zerotier-one' --raw | audit2allow -M my-zerotierone
           semodule -X 300 -i my-zerotierone.pp

        3. Report it as a bug.

        AdamFA 1 Reply Last reply Reply Quote 2
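An added example, not part of any post in this thread: a small parser for the raw AVC record shown in the sealert output above. It reconstructs the allow rule that the denial maps to and lists what to check before loading a local module built from it. The `HIGH_RISK` and `SHARED_DOMAINS` lists and all function names are assumptions made for illustration.

```python
import re

# AVC record copied from the sealert output quoted in this thread.
SAMPLE = ('type=AVC msg=audit(1565723518.1:334): avc:  denied  { mmap_zero } for  '
          'pid=2703 comm="zerotier-one" '
          'scontext=system_u:system_r:unconfined_service_t:s0 '
          'tcontext=system_u:system_r:unconfined_service_t:s0 '
          'tclass=memprotect permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)')
# Assumed, non-exhaustive review lists (not taken from the thread).
HIGH_RISK = {"mmap_zero", "execmem", "execstack", "execheap", "execmod"}
SHARED_DOMAINS = {"unconfined_service_t", "unconfined_t", "initrc_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("kv"))
    rec = {k: v.strip('"') for k, v in pairs}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """Type-enforcement rule that would permit the denied access."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm};"

def review(rec):
    """Points to check before loading a module built from this denial."""
    notes = []
    for perm in sorted(HIGH_RISK & set(rec["perms"])):
        notes.append(f"high-risk permission: {perm}")
    if rec["stype"] in SHARED_DOMAINS:
        notes.append(f"rule is keyed on {rec['stype']}, not on {rec['comm']}: "
                     "every process in that domain gets the access")
    return notes

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(allow_rule(rec))
    for note in review(rec):
        print(" -", note)
```

Once a fixed ZeroTier build is installed, a local module loaded this way can be removed again with `semodule -X 300 -r my-zerotierone`.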
        • AdamFA
          AdamF @DustinB3403
          last edited by

          @DustinB3403 said in Zerotier failing to start after upgrade:

          semodule -X 300 -i my-zerotierone.pp

          Thanks Dustin. That did the trick!

          1 Reply Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch
            last edited by

            no zerotier adapter on my laptop 😞 this is bad juju


            1 Reply Last reply Reply Quote 1
            • JaredBuschJ
              JaredBusch
              last edited by

              This is definitely a bad deal. Anyone know if it has been reported to ZeroTier?

              All better, but only on my laptop. All the remote systems with SELinux are going to be under the same problem.

              DustinB3403D 1 Reply Last reply Reply Quote 1
              • JaredBuschJ
                JaredBusch
                last edited by

                Just confirmed. This also affects CentOS 7.

                1 Reply Last reply Reply Quote 2
                • DustinB3403D
                  DustinB3403 @JaredBusch
                  last edited by

                  @JaredBusch said in Zerotier failing to start after upgrade:

                  Anyone know if it has been reported to ZeroTier?

                  Not sure, it was 1 of the 3 recommendations I made to @fuznutz04

                  1 Reply Last reply Reply Quote 0
                  • A
                    adam.ierymenko
                    last edited by

                    Do an update. We released new binary builds for Linux that should address this.

                    black3dynamiteB scottalanmillerS AdamFA JaredBuschJ travisdh1T 5 Replies Last reply Reply Quote 5
                    • black3dynamiteB
                      black3dynamite @adam.ierymenko
                      last edited by

                      @adam-ierymenko said in Zerotier failing to start after upgrade:

                      Do an update. We released new binary builds for Linux that should address this.

                      Yep, it's working.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @adam.ierymenko
                        last edited by

                        @adam-ierymenko said in Zerotier failing to start after upgrade:

                        Do an update. We released new binary builds for Linux that should address this.

                        Awesome

                        1 Reply Last reply Reply Quote 0
                        • AdamFA
                          AdamF @adam.ierymenko
                          last edited by

                          @adam-ierymenko said in Zerotier failing to start after upgrade:

                          Do an update. We released new binary builds for Linux that should address this.

                          Awesome, Thanks!

                          1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch @adam.ierymenko
                            last edited by

                            @adam-ierymenko said in Zerotier failing to start after upgrade:

                            Do an update. We released new binary builds for Linux that should address this.

                            Awesome, except all of my stuff already updated and is offline.
                            So I'm stuck for up to 24 hours until dnf-automatic rolls again.

                            1 Reply Last reply Reply Quote 1
                            • larsen161L
                              larsen161
                              last edited by

                              can the mac version be updated via zerotier-cli at all?

                              1 Reply Last reply Reply Quote 0
                              • travisdh1T
                                travisdh1 @adam.ierymenko
                                last edited by

                                @adam-ierymenko said in Zerotier failing to start after upgrade:

                                Do an update. We released new binary builds for Linux that should address this.

                                Sorry for resurrecting an old thread, but new installs are having the same selinux issue. Took some digging for me to figure out what was going on. Multiple attempts to install on Fedora 33.

                                1 Reply Last reply Reply Quote 0