Pi-hole on Fedora has issues with SELinux

JaredBusch

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@travisdh1 said in Pi-hole on Fedora has issues with SELinux:

I think I found the command used to fix things.

chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

That was the only thing sitting in my command history at least. Wish I could remember where I found it.

Any lighttpd errors?

Has to be. I jsut ran that to fix the context, rebooted, and I cannot access the admin interface yet.

JaredBusch

@jaredbusch said in Pi-hole on Fedora has issues with SELinux:

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@travisdh1 said in Pi-hole on Fedora has issues with SELinux:

I think I found the command used to fix things.

chcon -v --type=dnsmasq_var_log_t /var/log/pihole.log

That was the only thing sitting in my command history at least. Wish I could remember where I found it.

Any lighttpd errors?

Has to be. I jsut ran that to fix the context, rebooted, and I cannot access the admin interface yet.

Yup.

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_config_t:s0
Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
Source                        lighttpd
Source Path                   lighttpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-03 15:32:46 CDT
Last Seen                     2018-04-03 17:23:32 CDT
Local ID                      e99b059b-91a3-46b4-a8f5-21aabf27e9f3

Raw Audit Messages
type=AVC msg=audit(1522794212.967:99): avc:  denied  { map } for  pid=657 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0


Hash: lighttpd,httpd_t,httpd_config_t,file,map

JaredBusch

Should this directory have a different group or owenr aside from root?

[root@pihole ~]# ls -laZ /etc/lighttpd/
total 28
drwxr-xr-x.  4 root root system_u:object_r:httpd_config_t:s0      103 Apr  3 15:32 .
drwxr-xr-x. 87 root root system_u:object_r:etc_t:s0              8192 Apr  3 17:28 ..
drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0     4096 Mar 12 08:40 conf.d
-rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Apr  3 15:32 lighttpd.conf
-rw-r--r--.  1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Feb 18 10:26 lighttpd.conf.orig
-rw-r--r--.  1 root root system_u:object_r:httpd_config_t:s0     3319 Mar 11 19:52 modules.conf
drwxr-xr-x.  2 root root system_u:object_r:httpd_config_t:s0       29 Mar 12 08:40 vhosts.d

stacksofplates

All I did was set /var/www/html/admin to httpd_sys_content_t

And set /var/log/pi-hole.log to dnsmasq_var_log_t.

JaredBusch

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

All I did was set /var/www/html/admin to httpd_sys_content_t

And set /var/log/pi-hole.log to dnsmasq_var_log_t.

That got most things resolved as I can hit the webpage now.

chcon --type=dnsmasq_var_log_t /var/log/pihole.log
chcon --recursive --type=httpd_sys_content_t /var/www/html/admin

But after a reboot, I see this when enforcing

But the DNS service is running.

JaredBusch

I purged the audit log and rebooted.

Still this.

[root@pihole ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp

JaredBusch

While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.

JaredBusch

tried to load the admin page and it added some more.

[root@pihole ~]# sealert -a /var/log/audit/audit.log
100% done
found 3 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_config_t:s0
Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
Source                        lighttpd
Source Path                   lighttpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:10:27 CDT
Last Seen                     2018-04-04 00:10:27 CDT
Local ID                      c68567cd-1d33-4f99-8c8f-d185c0a0309f

Raw Audit Messages
type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0


Hash: lighttpd,httpd_t,httpd_config_t,file,map

--------------------------------------------------------------------------------

SELinux is preventing sudo from using the setrlimit access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to setrlimit
Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.

Do
setsebool -P httpd_setrlimit 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ process ]
Source                        sudo
Source Path                   sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:13:30 CDT
Last Seen                     2018-04-04 00:13:30 CDT
Local ID                      8433e0d2-20ac-4b81-b135-7bcf50ca850d

Raw Audit Messages
type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0


Hash: sudo,httpd_t,httpd_t,process,setrlimit

--------------------------------------------------------------------------------

SELinux is preventing sudo from using the sys_resource capability.

*****  Plugin sys_resource (37.5 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

If you want to allow httpd to run stickshift
Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.

Do
setsebool -P httpd_run_stickshift 1

*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

If you want to allow httpd to setrlimit
Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.

Do
setsebool -P httpd_setrlimit 1

*****  Plugin catchall (4.20 confidence) suggests   **************************

If you believe that sudo should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ capability ]
Source                        sudo
Source Path                   sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:13:30 CDT
Last Seen                     2018-04-04 00:13:30 CDT
Local ID                      95178bcd-0a0e-4a2b-80b1-d6ae2637c18e

Raw Audit Messages
type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0


Hash: sudo,httpd_t,httpd_t,capability,sys_resource

[root@pihole ~]# 

stacksofplates

I’ll have to look when I get home.

JaredBusch

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

I’ll have to look when I get home.

The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.

Alex Sage

Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

black3dynamite

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

/var/log/audit/audit.log

stacksofplates

@jaredbusch said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

I’ll have to look when I get home.

The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.

Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.

stacksofplates

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

black3dynamite

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

stacksofplates

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.

Alex Sage

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

black3dynamite

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

JaredBusch

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the setroubleshoot or whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.

I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.

black3dynamite

For some reasons flushing logs isn't working for me. It works for me when using Debian.