Pi-hole on Fedora has issues with SELinux


  • Service Provider

    I meant to look into this last month when I set it up at a client and I forgot.

    I'll post the things to update here in a bit. Unless someone else already has them handy.



  • @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

    I meant to look into this last month when I set it up at a client and I forgot.

    I'll post the things to update here in a bit. Unless someone else already has them handy.

    Hrm, I forget what I did with mine. I don't remember having any problems with it, but that might have been included in the installation notes I used. I'll see if I can't track those down.



  • I'm using Fedora that is provided by Vultr.
    I have 30 alerts and I would need to generate a local policy module and use the setsebool command to fix them.



  • I think I found the command used to fix things.

    chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

    That was the only thing sitting in my command history at least. Wish I could remember where I found it.



  • @travisdh1 said in Pi-hole on Fedora has issues with SELinux:

    I think I found the command used to fix things.

    chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

    That was the only thing sitting in my command history at least. Wish I could remember where I found it.

    Any lighttpd errors?



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @travisdh1 said in Pi-hole on Fedora has issues with SELinux:

    I think I found the command used to fix things.

    chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

    That was the only thing sitting in my command history at least. Wish I could remember where I found it.

    Any lighttpd errors?

    I didn't notice any.


  • Service Provider

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @travisdh1 said in Pi-hole on Fedora has issues with SELinux:

    I think I found the command used to fix things.

    chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

    That was the only thing sitting in my command history at least. Wish I could remember where I found it.

    Any lighttpd errors?

    Has to be. I jsut ran that to fix the context, rebooted, and I cannot access the admin interface yet.


  • Service Provider

    @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @travisdh1 said in Pi-hole on Fedora has issues with SELinux:

    I think I found the command used to fix things.

    chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

    That was the only thing sitting in my command history at least. Wish I could remember where I found it.

    Any lighttpd errors?

    Has to be. I jsut ran that to fix the context, rebooted, and I cannot access the admin interface yet.

    Yup.

    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:httpd_config_t:s0
    Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
    Source                        lighttpd
    Source Path                   lighttpd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   2
    First Seen                    2018-04-03 15:32:46 CDT
    Last Seen                     2018-04-03 17:23:32 CDT
    Local ID                      e99b059b-91a3-46b4-a8f5-21aabf27e9f3
    
    Raw Audit Messages
    type=AVC msg=audit(1522794212.967:99): avc:  denied  { map } for  pid=657 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
    
    Hash: lighttpd,httpd_t,httpd_config_t,file,map
    

  • Service Provider

    Should this directory have a different group or owenr aside from root?

    [[email protected] ~]# ls -laZ /etc/lighttpd/
    total 28
    drwxr-xr-x.  4 root root system_u:object_r:httpd_config_t:s0      103 Apr  3 15:32 .
    drwxr-xr-x. 87 root root system_u:object_r:etc_t:s0              8192 Apr  3 17:28 ..
    drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0     4096 Mar 12 08:40 conf.d
    -rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Apr  3 15:32 lighttpd.conf
    -rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Feb 18 10:26 lighttpd.conf.orig
    -rw-r--r--.  1 root root system_u:object_r:httpd_config_t:s0     3319 Mar 11 19:52 modules.conf
    drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0       29 Mar 12 08:40 vhosts.d
    
    


  • All I did was set /var/www/html/admin to httpd_sys_content_t

    And set /var/log/pi-hole.log to dnsmasq_var_log_t.


  • Service Provider

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    All I did was set /var/www/html/admin to httpd_sys_content_t

    And set /var/log/pi-hole.log to dnsmasq_var_log_t.

    That got most things resolved as I can hit the webpage now.

    chcon --type=dnsmasq_var_log_t /var/log/pihole.log
    chcon --recursive --type=httpd_sys_content_t /var/www/html/admin
    

    But after a reboot, I see this when enforcing
    0_1522818097788_76c2c81c-971d-4b3a-ad73-da06a54b93b4-image.png

    But the DNS service is running.
    0_1522818212874_d5db2296-9ce9-474b-ae05-23229ea6d258-image.png


  • Service Provider

    I purged the audit log and rebooted.

    Still this.

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    

  • Service Provider

    While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.


  • Service Provider

    tried to load the admin page and it added some more.

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 3 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:httpd_config_t:s0
    Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
    Source                        lighttpd
    Source Path                   lighttpd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:10:27 CDT
    Last Seen                     2018-04-04 00:10:27 CDT
    Local ID                      c68567cd-1d33-4f99-8c8f-d185c0a0309f
    
    Raw Audit Messages
    type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
    
    Hash: lighttpd,httpd_t,httpd_config_t,file,map
    
    --------------------------------------------------------------------------------
    
    SELinux is preventing sudo from using the setrlimit access on a process.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to setrlimit
    Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
    
    Do
    setsebool -P httpd_setrlimit 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ process ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:13:30 CDT
    Last Seen                     2018-04-04 00:13:30 CDT
    Local ID                      8433e0d2-20ac-4b81-b135-7bcf50ca850d
    
    Raw Audit Messages
    type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
    
    
    Hash: sudo,httpd_t,httpd_t,process,setrlimit
    
    --------------------------------------------------------------------------------
    
    SELinux is preventing sudo from using the sys_resource capability.
    
    *****  Plugin sys_resource (37.5 confidence) suggests   **********************
    
    If you do not want processes to require capabilities to use up all the system resources on your system;
    Then you need to diagnose why your system is running out of system resources and fix the problem.
    
    According to /usr/include/linux/capability.h, sys_resource is required to:
    
    /* Override resource limits. Set resource limits. */
    /* Override quota limits. */
    /* Override reserved space on ext2 filesystem */
    /* Modify data journaling mode on ext3 filesystem (uses journaling
       resources) */
    /* NOTE: ext2 honors fsuid when checking for resource overrides, so
       you can override using fsuid too */
    /* Override size restrictions on IPC message queues */
    /* Allow more than 64hz interrupts from the real-time clock */
    /* Override max number of consoles on console allocation */
    /* Override max number of keymaps */
    
    Do
    fix the cause of the SYS_RESOURCE on your system.
    
    *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
    
    If you want to allow httpd to run stickshift
    Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
    
    Do
    setsebool -P httpd_run_stickshift 1
    
    *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
    
    If you want to allow httpd to setrlimit
    Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
    
    Do
    setsebool -P httpd_setrlimit 1
    
    *****  Plugin catchall (4.20 confidence) suggests   **************************
    
    If you believe that sudo should have the sys_resource capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ capability ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:13:30 CDT
    Last Seen                     2018-04-04 00:13:30 CDT
    Local ID                      95178bcd-0a0e-4a2b-80b1-d6ae2637c18e
    
    Raw Audit Messages
    type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
    
    
    Hash: sudo,httpd_t,httpd_t,capability,sys_resource
    
    [[email protected] ~]# 
    


  • I’ll have to look when I get home.


  • Service Provider

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    I’ll have to look when I get home.

    The two things you did make it run on reboot, just no access to the GUI.
    I suspect just the log permission change lets the app itself run.



  • Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?



  • @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

    /var/log/audit/audit.log



  • @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    I’ll have to look when I get home.

    The two things you did make it run on reboot, just no access to the GUI.
    I suspect just the log permission change lets the app itself run.

    Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.



  • So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.



  • @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.



  • @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.

    It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.


  • Service Provider

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.

    It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

    I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the setroubleshoot or whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.

    I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.



  • For some reasons flushing logs isn't working for me. It works for me when using Debian.


  • Service Provider

    ok back to this after 14 days and just WTF with my audit.log, it took sealert 5 minutes to parse it.

    [[email protected] ~]# ls -lah /var/log/audit/audit.log
    -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log
    

  • Service Provider

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
      0% donetype=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
     
    **** Invalid AVC allowed in current policy ***
    
    type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
     
    **** Invalid AVC allowed in current policy ***
    
     51% done'generator' object is not subscriptable
    100% done
    found 29 alerts in /var/log/audit/audit.log
    

  • Service Provider

    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:httpd_config_t:s0
    Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
    Source                        lighttpd
    Source Path                   lighttpd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:10:27 CDT
    Last Seen                     2018-04-04 00:10:27 CDT
    Local ID                      7231bc1d-89a1-4c9b-afeb-e87e9fd42dba
    
    Raw Audit Messages
    type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
    
    Hash: lighttpd,httpd_t,httpd_config_t,file,map
    

  • Service Provider

    SELinux is preventing sudo from nlmsg_relay access on the netlink_audit_socket Unknown.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to mod auth pam
    Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean.
    
    Do
    setsebool -P httpd_mod_auth_pam 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that sudo should be allowed nlmsg_relay access on the Unknown netlink_audit_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ netlink_audit_socket ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1446
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-17 19:30:30 CDT
    Local ID                      3ba955da-bc76-40a9-8efa-50c9728c7b3b
    
    Raw Audit Messages
    type=AVC msg=audit(1524011430.537:21859): avc:  denied  { nlmsg_relay } for  pid=11201 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=1
    
    
    Hash: sudo,httpd_t,httpd_t,netlink_audit_socket,nlmsg_relay