Pi-hole on Fedora has issues with SELinux
-
Should this directory have a different group or owenr aside from root?
[root@pihole ~]# ls -laZ /etc/lighttpd/ total 28 drwxr-xr-x. 4 root root system_u:object_r:httpd_config_t:s0 103 Apr 3 15:32 . drwxr-xr-x. 87 root root system_u:object_r:etc_t:s0 8192 Apr 3 17:28 .. drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Mar 12 08:40 conf.d -rw-r--r--. 1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Apr 3 15:32 lighttpd.conf -rw-r--r--. 1 root root unconfined_u:object_r:httpd_config_t:s0 3560 Feb 18 10:26 lighttpd.conf.orig -rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 3319 Mar 11 19:52 modules.conf drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 29 Mar 12 08:40 vhosts.d -
All I did was set
/var/www/html/admintohttpd_sys_content_tAnd set
/var/log/pi-hole.logtodnsmasq_var_log_t. -
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
All I did was set
/var/www/html/admintohttpd_sys_content_tAnd set
/var/log/pi-hole.logtodnsmasq_var_log_t.That got most things resolved as I can hit the webpage now.
chcon --type=dnsmasq_var_log_t /var/log/pihole.log chcon --recursive --type=httpd_sys_content_t /var/www/html/adminBut after a reboot, I see this when enforcing
But the DNS service is running.
-
I purged the audit log and rebooted.
Still this.
[root@pihole ~]# sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd # semodule -X 300 -i my-lighttpd.pp -
While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.
-
tried to load the admin page and it added some more.
[root@pihole ~]# sealert -a /var/log/audit/audit.log 100% done found 3 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd # semodule -X 300 -i my-lighttpd.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:httpd_config_t:s0 Target Objects /etc/lighttpd/lighttpd.conf [ file ] Source lighttpd Source Path lighttpd Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages lighttpd-1.4.49-4.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-04 00:10:27 CDT Last Seen 2018-04-04 00:10:27 CDT Local ID c68567cd-1d33-4f99-8c8f-d185c0a0309f Raw Audit Messages type=AVC msg=audit(1522818627.295:87): avc: denied { map } for pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0 Hash: lighttpd,httpd_t,httpd_config_t,file,map -------------------------------------------------------------------------------- SELinux is preventing sudo from using the setrlimit access on a process. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to setrlimit Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean. Do setsebool -P httpd_setrlimit 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ process ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-04 00:13:30 CDT Last Seen 2018-04-04 00:13:30 CDT Local ID 8433e0d2-20ac-4b81-b135-7bcf50ca850d Raw Audit Messages type=AVC msg=audit(1522818810.923:196): avc: denied { setrlimit } for pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 Hash: sudo,httpd_t,httpd_t,process,setrlimit -------------------------------------------------------------------------------- SELinux is preventing sudo from using the sys_resource capability. ***** Plugin sys_resource (37.5 confidence) suggests ********************** If you do not want processes to require capabilities to use up all the system resources on your system; Then you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ Do fix the cause of the SYS_RESOURCE on your system. ***** Plugin catchall_boolean (30.1 confidence) suggests ****************** If you want to allow httpd to run stickshift Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean. Do setsebool -P httpd_run_stickshift 1 ***** Plugin catchall_boolean (30.1 confidence) suggests ****************** If you want to allow httpd to setrlimit Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean. Do setsebool -P httpd_setrlimit 1 ***** Plugin catchall (4.20 confidence) suggests ************************** If you believe that sudo should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ capability ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-04 00:13:30 CDT Last Seen 2018-04-04 00:13:30 CDT Local ID 95178bcd-0a0e-4a2b-80b1-d6ae2637c18e Raw Audit Messages type=AVC msg=audit(1522818810.928:197): avc: denied { sys_resource } for pid=957 comm="sudo" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 Hash: sudo,httpd_t,httpd_t,capability,sys_resource [root@pihole ~]# -
I’ll have to look when I get home.
-
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
I’ll have to look when I get home.
The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run. -
Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?
-
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?
/var/log/audit/audit.log -
@jaredbusch said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
I’ll have to look when I get home.
The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.
-
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
-
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
-
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the
setroubleshootor whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.
-
For some reasons flushing logs isn't working for me. It works for me when using Debian.
-
ok back to this after 14 days and just WTF with my
audit.log, it took sealert 5 minutes to parse it.[root@pihole ~]# ls -lah /var/log/audit/audit.log -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log -
[root@pihole ~]# sealert -a /var/log/audit/audit.log 0% donetype=AVC msg=audit(1522818810.923:196): avc: denied { setrlimit } for pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 **** Invalid AVC allowed in current policy *** type=AVC msg=audit(1522818810.928:197): avc: denied { sys_resource } for pid=957 comm="sudo" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 **** Invalid AVC allowed in current policy *** 51% done'generator' object is not subscriptable 100% done found 29 alerts in /var/log/audit/audit.log
