Pi-hole on Fedora has issues with SELinux
-
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
-
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
-
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@aaronstuder said in Pi-hole on Fedora has issues with SELinux:
@black3dynamite said in Pi-hole on Fedora has issues with SELinux:
@stacksofplates said in Pi-hole on Fedora has issues with SELinux:
So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.
Why not permanently set SELinux to permissive instead of using Debian?
Confirmed working on Permissive.
It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.
I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the
setroubleshootor whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.
-
For some reasons flushing logs isn't working for me. It works for me when using Debian.
-
ok back to this after 14 days and just WTF with my
audit.log, it took sealert 5 minutes to parse it.[root@pihole ~]# ls -lah /var/log/audit/audit.log -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log -
[root@pihole ~]# sealert -a /var/log/audit/audit.log 0% donetype=AVC msg=audit(1522818810.923:196): avc: denied { setrlimit } for pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 **** Invalid AVC allowed in current policy *** type=AVC msg=audit(1522818810.928:197): avc: denied { sys_resource } for pid=957 comm="sudo" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 **** Invalid AVC allowed in current policy *** 51% done'generator' object is not subscriptable 100% done found 29 alerts in /var/log/audit/audit.log -
SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd # semodule -X 300 -i my-lighttpd.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:httpd_config_t:s0 Target Objects /etc/lighttpd/lighttpd.conf [ file ] Source lighttpd Source Path lighttpd Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages lighttpd-1.4.49-4.fc27.x86_64 Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-04 00:10:27 CDT Last Seen 2018-04-04 00:10:27 CDT Local ID 7231bc1d-89a1-4c9b-afeb-e87e9fd42dba Raw Audit Messages type=AVC msg=audit(1522818627.295:87): avc: denied { map } for pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0 Hash: lighttpd,httpd_t,httpd_config_t,file,map -
SELinux is preventing sudo from nlmsg_relay access on the netlink_audit_socket Unknown. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to mod auth pam Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean. Do setsebool -P httpd_mod_auth_pam 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sudo should be allowed nlmsg_relay access on the Unknown netlink_audit_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ netlink_audit_socket ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1446 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-17 19:30:30 CDT Local ID 3ba955da-bc76-40a9-8efa-50c9728c7b3b Raw Audit Messages type=AVC msg=audit(1524011430.537:21859): avc: denied { nlmsg_relay } for pid=11201 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=1 Hash: sudo,httpd_t,httpd_t,netlink_audit_socket,nlmsg_relay -
SELinux is preventing sudo from using the audit_write capability. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to mod auth pam Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean. Do setsebool -P httpd_mod_auth_pam 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sudo should have the audit_write capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sudo' --raw | audit2allow -M my-sudo # semodule -X 300 -i my-sudo.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ capability ] Source sudo Source Path sudo Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1506 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-17 19:32:30 CDT Local ID 30419184-33b4-4c6a-8bd1-4f1baeb723fe Raw Audit Messages type=AVC msg=audit(1524011550.40:21873): avc: denied { audit_write } for pid=11238 comm="sudo" capability=29 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Hash: sudo,httpd_t,httpd_t,capability,audit_write -
SELinux is preventing grep from read access on the file 01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that grep should be allowed read access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects 01-pihole.conf [ file ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 20 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 20:41:40 CDT Local ID bb7f8e33-0218-4005-af39-84a179625a5e Raw Audit Messages type=AVC msg=audit(1523583700.990:11544): avc: denied { read } for pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: grep,httpd_t,dnsmasq_etc_t,file,readand
SELinux is preventing grep from open access on the file /etc/dnsmasq.d/01-pihole.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that grep should be allowed open access on the 01-pihole.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:dnsmasq_etc_t:s0 Target Objects /etc/dnsmasq.d/01-pihole.conf [ file ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 20 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 20:41:40 CDT Local ID 2b179168-a8dd-4d1b-b00c-d3979aff916b Raw Audit Messages type=AVC msg=audit(1523583700.990:11545): avc: denied { open } for pid=21644 comm="grep" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1 Hash: grep,httpd_t,dnsmasq_etc_t,file,open -
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 4711. ***** Plugin connect_ports (85.9 confidence) suggests ********************* If you want to allow php-cgi to connect to network port 4711 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 4711 where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t. ***** Plugin catchall_boolean (7.33 confidence) suggests ****************** If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall_boolean (7.33 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (1.35 confidence) suggests ************************** If you believe that php-cgi should be allowed name_connect access on the port 4711 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi # semodule -X 300 -i my-phpcgi.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:unreserved_port_t:s0 Target Objects port 4711 [ tcp_socket ] Source php-cgi Source Path php-cgi Port 4711 Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 24 First Seen 2018-04-04 00:16:52 CDT Last Seen 2018-04-12 21:34:26 CDT Local ID 01d3eb41-826d-4d3c-8d5f-8eaec761ce30 Raw Audit Messages type=AVC msg=audit(1523586866.849:11550): avc: denied { name_connect } for pid=26269 comm="php-cgi" dest=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1 Hash: php-cgi,httpd_t,unreserved_port_t,tcp_socket,name_connectand
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 80. ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to graceful shutdown Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean. Do setsebool -P httpd_graceful_shutdown 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can network relay Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean. Do setsebool -P httpd_can_network_relay 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (3.53 confidence) suggests ************************** If you believe that php-cgi should be allowed name_connect access on the port 80 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi # semodule -X 300 -i my-phpcgi.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:http_port_t:s0 Target Objects port 80 [ tcp_socket ] Source php-cgi Source Path php-cgi Port 80 Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1325 First Seen 2018-04-04 06:59:33 CDT Last Seen 2018-04-17 19:32:29 CDT Local ID 7ac7ba27-7443-45b9-95b1-e625ab7a79f9 Raw Audit Messages type=AVC msg=audit(1524011549.891:21865): avc: denied { name_connect } for pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1 Hash: php-cgi,httpd_t,http_port_t,tcp_socket,name_connect -
SELinux is preventing grep from using the execmem access on a process. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to execmem Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean. Do setsebool -P httpd_execmem 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that grep should be allowed execmem access on processes labeled httpd_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:httpd_t:s0 Target Objects Unknown [ process ] Source grep Source Path grep Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 64692e75-6f36-4bd4-9fe6-45a60f1bc88c Raw Audit Messages type=AVC msg=audit(1523578079.302:11449): avc: denied { execmem } for pid=21097 comm="grep" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1 Hash: grep,httpd_t,httpd_t,process,execmem -
SELinux is preventing touch from write access on the directory pihole. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that touch should be allowed write access on the pihole directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'touch' --raw | audit2allow -M my-touch # semodule -X 300 -i my-touch.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects pihole [ dir ] Source touch Source Path touch Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID f6819870-22ca-46c9-9ad9-96d24d0d447d Raw Audit Messages type=AVC msg=audit(1523578079.305:11450): avc: denied { write } for pid=21100 comm="touch" name="pihole" dev="dm-0" ino=307233 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1 Hash: touch,httpd_t,etc_t,dir,writeand
SELinux is preventing touch from add_name access on the directory blacklist.txt. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that touch should be allowed add_name access on the blacklist.txt directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'touch' --raw | audit2allow -M my-touch # semodule -X 300 -i my-touch.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects blacklist.txt [ dir ] Source touch Source Path touch Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 5fbe887d-7ce6-4ba9-a5a9-5158ecc1954f Raw Audit Messages type=AVC msg=audit(1523578079.305:11451): avc: denied { add_name } for pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1 Hash: touch,httpd_t,etc_t,dir,add_nameand
SELinux is preventing touch from create access on the file blacklist.txt. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that touch should be allowed create access on the blacklist.txt file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'touch' --raw | audit2allow -M my-touch # semodule -X 300 -i my-touch.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects blacklist.txt [ file ] Source touch Source Path touch Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 58d2d479-f658-443f-a4c7-b45e2c9c8e3f Raw Audit Messages type=AVC msg=audit(1523578079.305:11452): avc: denied { create } for pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: touch,httpd_t,etc_t,file,createand
SELinux is preventing touch from write access on the file /etc/pihole/blacklist.txt. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that touch should be allowed write access on the blacklist.txt file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'touch' --raw | audit2allow -M my-touch # semodule -X 300 -i my-touch.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/pihole/blacklist.txt [ file ] Source touch Source Path touch Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 5fae4d46-ba3f-4f66-9778-031c8a332c74 Raw Audit Messages type=AVC msg=audit(1523578079.306:11453): avc: denied { write } for pid=21100 comm="touch" path="/etc/pihole/blacklist.txt" dev="dm-0" ino=306687 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: touch,httpd_t,etc_t,file,write -
ELinux is preventing bash from append access on the file whitelist.txt. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed append access on the whitelist.txt file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'bash' --raw | audit2allow -M my-bash # semodule -X 300 -i my-bash.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects whitelist.txt [ file ] Source bash Source Path bash Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 4aeb8a94-a723-4a49-a2de-a6efea256a7f Raw Audit Messages type=AVC msg=audit(1523578079.312:11454): avc: denied { append } for pid=21095 comm="bash" name="whitelist.txt" dev="dm-0" ino=315190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: bash,httpd_t,etc_t,file,appendand
SELinux is preventing bash from append access on the file /etc/pihole/black.list.tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed append access on the black.list.tmp file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'bash' --raw | audit2allow -M my-bash # semodule -X 300 -i my-bash.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/pihole/black.list.tmp [ file ] Source bash Source Path bash Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 319dcb0a-79b2-42f8-9bc8-45655b081cdf Raw Audit Messages type=AVC msg=audit(1523578079.356:11455): avc: denied { append } for pid=21132 comm="bash" path="/etc/pihole/black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: bash,httpd_t,etc_t,file,append -
SELinux is preventing mv from remove_name access on the directory black.list.tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mv should be allowed remove_name access on the black.list.tmp directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mv' --raw | audit2allow -M my-mv # semodule -X 300 -i my-mv.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects black.list.tmp [ dir ] Source mv Source Path mv Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 6c3ac81d-96f8-4e71-a51e-fa4b338ab045 Raw Audit Messages type=AVC msg=audit(1523578079.359:11456): avc: denied { remove_name } for pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1 Hash: mv,httpd_t,etc_t,dir,remove_nameand
SELinux is preventing mv from rename access on the file black.list.tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mv should be allowed rename access on the black.list.tmp file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mv' --raw | audit2allow -M my-mv # semodule -X 300 -i my-mv.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects black.list.tmp [ file ] Source mv Source Path mv Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 2cfbe815-be93-4fbc-99c1-64d8983d98fa Raw Audit Messages type=AVC msg=audit(1523578079.359:11457): avc: denied { rename } for pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: mv,httpd_t,etc_t,file,rename -
SELinux is preventing bash from write access on the file local.list. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed write access on the local.list file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'bash' --raw | audit2allow -M my-bash # semodule -X 300 -i my-bash.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects local.list [ file ] Source bash Source Path bash Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 877e6a5f-043f-469b-97bd-b38ecba2a20f Raw Audit Messages type=AVC msg=audit(1523578079.360:11458): avc: denied { write } for pid=21120 comm="bash" name="local.list" dev="dm-0" ino=307099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: bash,httpd_t,etc_t,file,write -
SELinux is preventing mv from unlink access on the file gravity.list. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mv should be allowed unlink access on the gravity.list file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mv' --raw | audit2allow -M my-mv # semodule -X 300 -i my-mv.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects gravity.list [ file ] Source mv Source Path mv Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID bef03d3f-49e3-4ce0-bceb-f0702ff42734 Raw Audit Messages type=AVC msg=audit(1523578079.423:11459): avc: denied { unlink } for pid=21138 comm="mv" name="gravity.list" dev="dm-0" ino=333405 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Hash: mv,httpd_t,etc_t,file,unlink -
SELinux is preventing killall from using the signal access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that killall should be allowed signal access on processes labeled dnsmasq_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'killall' --raw | audit2allow -M my-killall # semodule -X 300 -i my-killall.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:dnsmasq_t:s0 Target Objects Unknown [ process ] Source killall Source Path killall Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:07:59 CDT Local ID 496b84f5-8bd0-4dbd-ba57-c864c76bb583 Raw Audit Messages type=AVC msg=audit(1523578079.437:11460): avc: denied { signal } for pid=21145 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1 Hash: killall,httpd_t,dnsmasq_t,process,signaland
SELinux is preventing killall from using the signal access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that killall should be allowed signal access on processes labeled initrc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'killall' --raw | audit2allow -M my-killall # semodule -X 300 -i my-killall.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:system_r:initrc_t:s0 Target Objects Unknown [ process ] Source killall Source Path killall Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.30.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name pihole.jaredbusch.com Platform Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64 Alert Count 3 First Seen 2018-04-12 19:07:59 CDT Last Seen 2018-04-12 19:13:56 CDT Local ID d3c0da7f-d8f2-48dc-88b8-c61c38e001f7 Raw Audit Messages type=AVC msg=audit(1523578436.57:11527): avc: denied { signal } for pid=21345 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Hash: killall,httpd_t,initrc_t,process,signal
