Pi-hole on Fedora has issues with SELinux
-
SELinux is preventing bash from write access on the file local.list. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed write access on the local.list file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'bash' --raw | audit2allow -M my-bash # semodule -X 300 -i my-bash.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects local.list [ file ] Source bash Source Path bash Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 877e6a5f-043f-469b-97bd-b38ecba2a20f Raw Audit Messages type=AVC msg=audit(1523578079.360:11458): avc: denied { write } for pid=21120 comm="bash" name="local.list" dev="dm-0" ino=307099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: bash,httpd_t,etc_t,file,write -
SELinux is preventing mv from unlink access on the file gravity.list. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mv should be allowed unlink access on the gravity.list file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mv' --raw | audit2allow -M my-mv # semodule -X 300 -i my-mv.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects gravity.list [ file ] Source mv Source Path mv Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID bef03d3f-49e3-4ce0-bceb-f0702ff42734 Raw Audit Messages type=AVC msg=audit(1523578079.423:11459): avc: denied { unlink } for pid=21138 comm="mv" name="gravity.list" dev="dm-0" ino=333405 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: mv,httpd_t,etc_t,file,unlink -
SELinux is preventing killall from using the signal access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that killall should be allowed signal access on processes labeled dnsmasq_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'killall' --raw | audit2allow -M my-killall # semodule -X 300 -i my-killall.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:dnsmasq_t:s0 Target Objects Unknown [ process ] Source killall Source Path killall Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 496b84f5-8bd0-4dbd-ba57-c864c76bb583 Raw Audit Messages type=AVC msg=audit(1523578079.437:11460): avc: denied { signal } for pid=21145 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1 Hash: killall,httpd_t,dnsmasq_t,process,signaland
SELinux is preventing killall from using the signal access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that killall should be allowed signal access on processes labeled initrc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'killall' --raw | audit2allow -M my-killall # semodule -X 300 -i my-killall.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:initrc_t:s0 Target Objects Unknown [ process ] Source killall Source Path killall Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 3 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID d3c0da7f-d8f2-48dc-88b8-c61c38e001f7 Raw Audit Messages type=AVC msg=audit(1523578436.57:11527): avc: denied { signal } for pid=21345 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Hash: killall,httpd_t,initrc_t,process,signal -
finally a bunch with
sedSELinux is preventing sed from ioctl access on the file /etc/dnsmasq.d/01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed ioctl access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects /etc/dnsmasq.d/01-pihole.conf [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:55 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID f6206021-c986-4066-83b0-e407292183ac Raw Audit Messages type=AVC msg=audit(1523578436.22:11516): avc: denied { ioctl } for pid=21332 comm="sed" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279073 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,ioctland
SELinux is preventing sed from write access on the directory dnsmasq.d. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed write access on the dnsmasq.d directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:dnsmasq_etc_t:s0 Target Objects dnsmasq.d [ dir ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:55 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID 216c555a-b747-4884-a6be-110e82d17b2f Raw Audit Messages type=AVC msg=audit(1523578436.22:11517): avc: denied { write } for pid=21332 comm="sed" name="dnsmasq.d" dev="dm-0" ino=34279099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,dir,writeand
SELinux is preventing sed from add_name access on the directory sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed add_name access on the sedcz73nA directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:dnsmasq_etc_t:s0 Target Objects sedcz73nA [ dir ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:55 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID b3c553d2-589a-441d-8b06-7de40ea34eb6 Raw Audit Messages type=AVC msg=audit(1523578436.22:11518): avc: denied { add_name } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,dir,add_nameand
SELinux is preventing sed from create access on the file sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed create access on the sedcz73nA file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects sedcz73nA [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:55 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID 869fd7e0-c31c-4037-8032-e5917b591088 Raw Audit Messages type=AVC msg=audit(1523578436.22:11519): avc: denied { create } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,createand
SELinux is preventing sed from write access on the file /etc/dnsmasq.d/sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed write access on the sedcz73nA file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects /etc/dnsmasq.d/sedcz73nA [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:55 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID d425f40d-6c3e-4e0b-9cd7-3e2e65532342 Raw Audit Messages type=AVC msg=audit(1523578436.23:11520): avc: denied { write } for pid=21332 comm="sed" path="/etc/dnsmasq.d/sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,writeand
SELinux is preventing sed from setattr access on the file sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed setattr access on the sedcz73nA file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects sedcz73nA [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:56 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID f6430ba2-79aa-424e-8c4c-70cdaac0e419 Raw Audit Messages type=AVC msg=audit(1523578436.23:11521): avc: denied { setattr } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,setattrand
SELinux is preventing sed from remove_name access on the directory sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed remove_name access on the sedcz73nA directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:dnsmasq_etc_t:s0 Target Objects sedcz73nA [ dir ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:56 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID 72365554-6384-4eca-9da3-2cb1f29c3f59 Raw Audit Messages type=AVC msg=audit(1523578436.23:11522): avc: denied { remove_name } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,dir,remove_nameand
SELinux is preventing sed from rename access on the file sedcz73nA. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed rename access on the sedcz73nA file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects sedcz73nA [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:56 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID c2952912-cec1-4842-8846-5e0fbf06418b Raw Audit Messages type=AVC msg=audit(1523578436.23:11523): avc: denied { rename } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,renameand
SELinux is preventing sed from unlink access on the file 01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sed should be allowed unlink access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sed' --raw | audit2allow -M my-sed # semodule -X 300 -i my-sed.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects 01-pihole.conf [ file ] Source sed Source Path sed Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-04-12 19:08:56 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID fb40dba0-042a-4270-a8e8-105571932a7d Raw Audit Messages type=AVC msg=audit(1523578436.23:11524): avc: denied { unlink } for pid=21332 comm="sed" name="01-pihole.conf" dev="dm-0" ino=34279073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: sed,httpd_t,dnsmasq_etc_t,file,unlink -
Have you tried setting
chown lighttpd:root /etc/lighttpd/lighttpd.conf
or whatever user is made for lighttpd
That seems it could be the problem. -
Just wanted to thank @stacksofplates and @JaredBusch on the SELInux part on Fedora 28 Server. I had that issue today.
The other thing I needed to do was the following:lighttpd -t sudo lighttpd -f /etc/lighttpd/lighttpd.confIf you get an error, I commented out the last line on the lighttpd.conf file
include_shell "cat external.conf 2>/dev/null" -
@dbeato don’t do that.
See my bug report
-
@jaredbusch said in Pi-hole on Fedora has issues with SELinux:
@dbeato don’t do that.
See my bug report
I will read it.
-
-
