Pi-hole on Fedora has issues with SELinux
- 
 finally a bunch with sed

 SELinux is preventing sed from ioctl access on the file /etc/dnsmasq.d/01-pihole.conf.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed ioctl access on the 01-pihole.conf file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        /etc/dnsmasq.d/01-pihole.conf [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:55 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              f6206021-c986-4066-83b0-e407292183ac
 Raw Audit Messages
 type=AVC msg=audit(1523578436.22:11516): avc: denied { ioctl } for pid=21332 comm="sed" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279073 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,ioctl

 and

 SELinux is preventing sed from write access on the directory dnsmasq.d.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed write access on the dnsmasq.d directory by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        system_u:object_r:dnsmasq_etc_t:s0
 Target Objects        dnsmasq.d [ dir ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:55 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              216c555a-b747-4884-a6be-110e82d17b2f
 Raw Audit Messages
 type=AVC msg=audit(1523578436.22:11517): avc: denied { write } for pid=21332 comm="sed" name="dnsmasq.d" dev="dm-0" ino=34279099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,dir,write

 and

 SELinux is preventing sed from add_name access on the directory sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed add_name access on the sedcz73nA directory by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        system_u:object_r:dnsmasq_etc_t:s0
 Target Objects        sedcz73nA [ dir ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:55 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              b3c553d2-589a-441d-8b06-7de40ea34eb6
 Raw Audit Messages
 type=AVC msg=audit(1523578436.22:11518): avc: denied { add_name } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,dir,add_name

 and

 SELinux is preventing sed from create access on the file sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed create access on the sedcz73nA file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        sedcz73nA [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:55 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              869fd7e0-c31c-4037-8032-e5917b591088
 Raw Audit Messages
 type=AVC msg=audit(1523578436.22:11519): avc: denied { create } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,create

 and

 SELinux is preventing sed from write access on the file /etc/dnsmasq.d/sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed write access on the sedcz73nA file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        /etc/dnsmasq.d/sedcz73nA [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:55 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              d425f40d-6c3e-4e0b-9cd7-3e2e65532342
 Raw Audit Messages
 type=AVC msg=audit(1523578436.23:11520): avc: denied { write } for pid=21332 comm="sed" path="/etc/dnsmasq.d/sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,write

 and

 SELinux is preventing sed from setattr access on the file sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed setattr access on the sedcz73nA file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        sedcz73nA [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:56 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              f6430ba2-79aa-424e-8c4c-70cdaac0e419
 Raw Audit Messages
 type=AVC msg=audit(1523578436.23:11521): avc: denied { setattr } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,setattr

 and

 SELinux is preventing sed from remove_name access on the directory sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed remove_name access on the sedcz73nA directory by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        system_u:object_r:dnsmasq_etc_t:s0
 Target Objects        sedcz73nA [ dir ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:56 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              72365554-6384-4eca-9da3-2cb1f29c3f59
 Raw Audit Messages
 type=AVC msg=audit(1523578436.23:11522): avc: denied { remove_name } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,dir,remove_name

 and

 SELinux is preventing sed from rename access on the file sedcz73nA.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed rename access on the sedcz73nA file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        sedcz73nA [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:56 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              c2952912-cec1-4842-8846-5e0fbf06418b
 Raw Audit Messages
 type=AVC msg=audit(1523578436.23:11523): avc: denied { rename } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,rename

 and

 SELinux is preventing sed from unlink access on the file 01-pihole.conf.
 ***** Plugin catchall (100. confidence) suggests **************************
 If you believe that sed should be allowed unlink access on the 01-pihole.conf file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 # ausearch -c 'sed' --raw | audit2allow -M my-sed
 # semodule -X 300 -i my-sed.pp
 Additional Information:
 Source Context        system_u:system_r:httpd_t:s0
 Target Context        unconfined_u:object_r:dnsmasq_etc_t:s0
 Target Objects        01-pihole.conf [ file ]
 Source                sed
 Source Path           sed
 Port                  <Unknown>
 Host                  <Unknown>
 Source RPM Packages
 Target RPM Packages
 Policy RPM            selinux-policy-3.13.1-283.30.fc27.noarch
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Permissive
 Host Name             pihole.jaredbusch.com
 Platform              Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
 Alert Count           2
 First Seen            2018-04-12 19:08:56 CDT
 Last Seen             2018-04-12 19:13:56 CDT
 Local ID              fb40dba0-042a-4270-a8e8-105571932a7d
 Raw Audit Messages
 type=AVC msg=audit(1523578436.23:11524): avc: denied { unlink } for pid=21332 comm="sed" name="01-pihole.conf" dev="dm-0" ino=34279073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
 Hash: sed,httpd_t,dnsmasq_etc_t,file,unlink
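Added example, not part of the original post: a small Python parser that groups the AVC denials quoted above into the type-enforcement allow rules they correspond to, so the scope of the suggested `my-sed` module can be reviewed before loading it. The function names (`summarize`, `to_allow_rules`) are hypothetical, and the sample records are the post's denials trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# AVC records from the post above, trimmed to the fields this parser reads.
SAMPLE_AVCS = """\
avc: denied { ioctl } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
avc: denied { write } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
avc: denied { add_name } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
avc: denied { create } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
avc: denied { write } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
avc: denied { setattr } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
avc: denied { remove_name } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1
avc: denied { rename } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
avc: denied { unlink } for pid=21332 comm="sed" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "blocked": False})
    for m in AVC_RE.finditer(log_text):
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
        # permissive=1: the access was logged but not actually blocked
        rules[key]["blocked"] |= m["permissive"] != "1"
    return dict(rules)

def to_allow_rules(rules):
    """Render grouped denials as allow rules; note they name types, not commands."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
            for (s, t, c), r in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize(SAMPLE_AVCS))))
```

The nine alerts reduce to two rules keyed on the `httpd_t` domain rather than on `sed`, so a module built from them lets any process in the web server's domain create, rewrite and delete files labelled `dnsmasq_etc_t`.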
- 
 Have you tried setting 
 chown lighttpd:root /etc/lighttpd/lighttpd.conf
 or whatever user is made for lighttpd
 That seems like it could be the problem.
- 
 Just wanted to thank @stacksofplates and @JaredBusch on the SELinux part on Fedora 28 Server. I had that issue today.
 The other thing I needed to do was the following:
 lighttpd -t
 sudo lighttpd -f /etc/lighttpd/lighttpd.conf
 If you get an error, I commented out the last line on the lighttpd.conf file:
 include_shell "cat external.conf 2>/dev/null"
- 
 @dbeato don’t do that. See my bug report 
- 
 @jaredbusch said in Pi-hole on Fedora has issues with SELinux:
 > @dbeato don’t do that. See my bug report
 I will read it.