ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Pi-hole on Fedora has issues with SELinux

    Scheduled Pinned Locked Moved IT Discussion
    pi-holeselinuxfedora
    47 Posts 7 Posters 9.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JaredBusch @JaredBusch
      last edited by

      @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

      @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

      @travisdh1 said in Pi-hole on Fedora has issues with SELinux:

      I think I found the command used to fix things.

      chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

      That was the only thing sitting in my command history at least. Wish I could remember where I found it.

      Any lighttpd errors?

      Has to be. I jsut ran that to fix the context, rebooted, and I cannot access the admin interface yet.

      Yup.

      SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
      
      *****  Plugin catchall (100. confidence) suggests   **************************
      
      If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
      # semodule -X 300 -i my-lighttpd.pp
      
      
      Additional Information:
      Source Context                system_u:system_r:httpd_t:s0
      Target Context                unconfined_u:object_r:httpd_config_t:s0
      Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
      Source                        lighttpd
      Source Path                   lighttpd
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           
      Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
      Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     pihole.jaredbusch.com
      Platform                      Linux pihole.jaredbusch.com
                                    4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                    UTC 2018 x86_64 x86_64
      Alert Count                   2
      First Seen                    2018-04-03 15:32:46 CDT
      Last Seen                     2018-04-03 17:23:32 CDT
      Local ID                      e99b059b-91a3-46b4-a8f5-21aabf27e9f3
      
      Raw Audit Messages
      type=AVC msg=audit(1522794212.967:99): avc:  denied  { map } for  pid=657 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
      
      
      Hash: lighttpd,httpd_t,httpd_config_t,file,map
      
      1 Reply Last reply Reply Quote 0
      • J
        JaredBusch
        last edited by JaredBusch

        Should this directory have a different group or owenr aside from root?

        [root@pihole ~]# ls -laZ /etc/lighttpd/
        total 28
        drwxr-xr-x.  4 root root system_u:object_r:httpd_config_t:s0      103 Apr  3 15:32 .
        drwxr-xr-x. 87 root root system_u:object_r:etc_t:s0              8192 Apr  3 17:28 ..
        drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0     4096 Mar 12 08:40 conf.d
        -rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Apr  3 15:32 lighttpd.conf
        -rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Feb 18 10:26 lighttpd.conf.orig
        -rw-r--r--.  1 root root system_u:object_r:httpd_config_t:s0     3319 Mar 11 19:52 modules.conf
        drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0       29 Mar 12 08:40 vhosts.d
        
        
        1 Reply Last reply Reply Quote 0
        • S
          stacksofplates
          last edited by

          All I did was set /var/www/html/admin to httpd_sys_content_t

          And set /var/log/pi-hole.log to dnsmasq_var_log_t.

          J 1 Reply Last reply Reply Quote 1
          • J
            JaredBusch @stacksofplates
            last edited by

            @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

            All I did was set /var/www/html/admin to httpd_sys_content_t

            And set /var/log/pi-hole.log to dnsmasq_var_log_t.

            That got most things resolved as I can hit the webpage now.

            chcon --type=dnsmasq_var_log_t /var/log/pihole.log
            chcon --recursive --type=httpd_sys_content_t /var/www/html/admin
            

            But after a reboot, I see this when enforcing
            0_1522818097788_76c2c81c-971d-4b3a-ad73-da06a54b93b4-image.png

            But the DNS service is running.
            0_1522818212874_d5db2296-9ce9-474b-ae05-23229ea6d258-image.png

            1 Reply Last reply Reply Quote 1
            • J
              JaredBusch
              last edited by JaredBusch

              I purged the audit log and rebooted.

              Still this.

              [root@pihole ~]# sealert -a /var/log/audit/audit.log
              100% done
              found 1 alerts in /var/log/audit/audit.log
              --------------------------------------------------------------------------------
              
              SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
              
              *****  Plugin catchall (100. confidence) suggests   **************************
              
              If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
              Then you should report this as a bug.
              You can generate a local policy module to allow this access.
              Do
              allow this access for now by executing:
              # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
              # semodule -X 300 -i my-lighttpd.pp
              
              1 Reply Last reply Reply Quote 0
              • J
                JaredBusch
                last edited by

                While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.

                1 Reply Last reply Reply Quote 1
                • J
                  JaredBusch
                  last edited by

                  tried to load the admin page and it added some more.

                  [root@pihole ~]# sealert -a /var/log/audit/audit.log
                  100% done
                  found 3 alerts in /var/log/audit/audit.log
                  --------------------------------------------------------------------------------
                  
                  SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
                  
                  *****  Plugin catchall (100. confidence) suggests   **************************
                  
                  If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
                  Then you should report this as a bug.
                  You can generate a local policy module to allow this access.
                  Do
                  allow this access for now by executing:
                  # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
                  # semodule -X 300 -i my-lighttpd.pp
                  
                  
                  Additional Information:
                  Source Context                system_u:system_r:httpd_t:s0
                  Target Context                unconfined_u:object_r:httpd_config_t:s0
                  Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
                  Source                        lighttpd
                  Source Path                   lighttpd
                  Port                          <Unknown>
                  Host                          <Unknown>
                  Source RPM Packages           
                  Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
                  Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
                  Selinux Enabled               True
                  Policy Type                   targeted
                  Enforcing Mode                Enforcing
                  Host Name                     pihole.jaredbusch.com
                  Platform                      Linux pihole.jaredbusch.com
                                                4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                                UTC 2018 x86_64 x86_64
                  Alert Count                   1
                  First Seen                    2018-04-04 00:10:27 CDT
                  Last Seen                     2018-04-04 00:10:27 CDT
                  Local ID                      c68567cd-1d33-4f99-8c8f-d185c0a0309f
                  
                  Raw Audit Messages
                  type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
                  
                  
                  Hash: lighttpd,httpd_t,httpd_config_t,file,map
                  
                  --------------------------------------------------------------------------------
                  
                  SELinux is preventing sudo from using the setrlimit access on a process.
                  
                  *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
                  
                  If you want to allow httpd to setrlimit
                  Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
                  
                  Do
                  setsebool -P httpd_setrlimit 1
                  
                  *****  Plugin catchall (11.6 confidence) suggests   **************************
                  
                  If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default.
                  Then you should report this as a bug.
                  You can generate a local policy module to allow this access.
                  Do
                  allow this access for now by executing:
                  # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
                  # semodule -X 300 -i my-sudo.pp
                  
                  
                  Additional Information:
                  Source Context                system_u:system_r:httpd_t:s0
                  Target Context                system_u:system_r:httpd_t:s0
                  Target Objects                Unknown [ process ]
                  Source                        sudo
                  Source Path                   sudo
                  Port                          <Unknown>
                  Host                          <Unknown>
                  Source RPM Packages           
                  Target RPM Packages           
                  Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
                  Selinux Enabled               True
                  Policy Type                   targeted
                  Enforcing Mode                Enforcing
                  Host Name                     pihole.jaredbusch.com
                  Platform                      Linux pihole.jaredbusch.com
                                                4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                                UTC 2018 x86_64 x86_64
                  Alert Count                   1
                  First Seen                    2018-04-04 00:13:30 CDT
                  Last Seen                     2018-04-04 00:13:30 CDT
                  Local ID                      8433e0d2-20ac-4b81-b135-7bcf50ca850d
                  
                  Raw Audit Messages
                  type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
                  
                  
                  Hash: sudo,httpd_t,httpd_t,process,setrlimit
                  
                  --------------------------------------------------------------------------------
                  
                  SELinux is preventing sudo from using the sys_resource capability.
                  
                  *****  Plugin sys_resource (37.5 confidence) suggests   **********************
                  
                  If you do not want processes to require capabilities to use up all the system resources on your system;
                  Then you need to diagnose why your system is running out of system resources and fix the problem.
                  
                  According to /usr/include/linux/capability.h, sys_resource is required to:
                  
                  /* Override resource limits. Set resource limits. */
                  /* Override quota limits. */
                  /* Override reserved space on ext2 filesystem */
                  /* Modify data journaling mode on ext3 filesystem (uses journaling
                     resources) */
                  /* NOTE: ext2 honors fsuid when checking for resource overrides, so
                     you can override using fsuid too */
                  /* Override size restrictions on IPC message queues */
                  /* Allow more than 64hz interrupts from the real-time clock */
                  /* Override max number of consoles on console allocation */
                  /* Override max number of keymaps */
                  
                  Do
                  fix the cause of the SYS_RESOURCE on your system.
                  
                  *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
                  
                  If you want to allow httpd to run stickshift
                  Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
                  
                  Do
                  setsebool -P httpd_run_stickshift 1
                  
                  *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
                  
                  If you want to allow httpd to setrlimit
                  Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
                  
                  Do
                  setsebool -P httpd_setrlimit 1
                  
                  *****  Plugin catchall (4.20 confidence) suggests   **************************
                  
                  If you believe that sudo should have the sys_resource capability by default.
                  Then you should report this as a bug.
                  You can generate a local policy module to allow this access.
                  Do
                  allow this access for now by executing:
                  # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
                  # semodule -X 300 -i my-sudo.pp
                  
                  
                  Additional Information:
                  Source Context                system_u:system_r:httpd_t:s0
                  Target Context                system_u:system_r:httpd_t:s0
                  Target Objects                Unknown [ capability ]
                  Source                        sudo
                  Source Path                   sudo
                  Port                          <Unknown>
                  Host                          <Unknown>
                  Source RPM Packages           
                  Target RPM Packages           
                  Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
                  Selinux Enabled               True
                  Policy Type                   targeted
                  Enforcing Mode                Enforcing
                  Host Name                     pihole.jaredbusch.com
                  Platform                      Linux pihole.jaredbusch.com
                                                4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                                UTC 2018 x86_64 x86_64
                  Alert Count                   1
                  First Seen                    2018-04-04 00:13:30 CDT
                  Last Seen                     2018-04-04 00:13:30 CDT
                  Local ID                      95178bcd-0a0e-4a2b-80b1-d6ae2637c18e
                  
                  Raw Audit Messages
                  type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
                  
                  
                  Hash: sudo,httpd_t,httpd_t,capability,sys_resource
                  
                  [root@pihole ~]# 
                  
                  1 Reply Last reply Reply Quote 0
                  • S
                    stacksofplates
                    last edited by

                    I’ll have to look when I get home.

                    J 1 Reply Last reply Reply Quote 0
                    • J
                      JaredBusch @stacksofplates
                      last edited by

                      @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                      I’ll have to look when I get home.

                      The two things you did make it run on reboot, just no access to the GUI.
                      I suspect just the log permission change lets the app itself run.

                      S 1 Reply Last reply Reply Quote 1
                      • A
                        Alex Sage
                        last edited by

                        Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

                        black3dynamiteB 1 Reply Last reply Reply Quote 0
                        • black3dynamiteB
                          black3dynamite @Alex Sage
                          last edited by

                          @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

                          Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

                          /var/log/audit/audit.log

                          1 Reply Last reply Reply Quote 1
                          • S
                            stacksofplates @JaredBusch
                            last edited by

                            @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

                            @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                            I’ll have to look when I get home.

                            The two things you did make it run on reboot, just no access to the GUI.
                            I suspect just the log permission change lets the app itself run.

                            Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.

                            1 Reply Last reply Reply Quote 0
                            • S
                              stacksofplates
                              last edited by

                              So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                              black3dynamiteB 1 Reply Last reply Reply Quote 0
                              • black3dynamiteB
                                black3dynamite @stacksofplates
                                last edited by

                                @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                                So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                                Why not permanently set SELinux to permissive instead of using Debian?

                                S A 2 Replies Last reply Reply Quote 0
                                • S
                                  stacksofplates @black3dynamite
                                  last edited by

                                  @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

                                  @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                                  So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                                  Why not permanently set SELinux to permissive instead of using Debian?

                                  I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    Alex Sage @black3dynamite
                                    last edited by

                                    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

                                    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                                    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                                    Why not permanently set SELinux to permissive instead of using Debian?

                                    Confirmed working on Permissive.

                                    black3dynamiteB 1 Reply Last reply Reply Quote 0
                                    • black3dynamiteB
                                      black3dynamite @Alex Sage
                                      last edited by

                                      @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

                                      @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

                                      @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                                      So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                                      Why not permanently set SELinux to permissive instead of using Debian?

                                      Confirmed working on Permissive.

                                      It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

                                      J 1 Reply Last reply Reply Quote 1
                                      • J
                                        JaredBusch @black3dynamite
                                        last edited by

                                        @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

                                        @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

                                        @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

                                        @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

                                        So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

                                        Why not permanently set SELinux to permissive instead of using Debian?

                                        Confirmed working on Permissive.

                                        It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

                                        I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the setroubleshoot or whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.

                                        I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.

                                        1 Reply Last reply Reply Quote 2
                                        • black3dynamiteB
                                          black3dynamite
                                          last edited by

                                          For some reasons flushing logs isn't working for me. It works for me when using Debian.

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            JaredBusch
                                            last edited by JaredBusch

                                            ok back to this after 14 days and just WTF with my audit.log, it took sealert 5 minutes to parse it.

                                            [root@pihole ~]# ls -lah /var/log/audit/audit.log
                                            -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log
                                            
                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 1 / 3
                                            • First post
                                              Last post