Pi-hole on Fedora has issues with SELinux



  • @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    All I did was set /var/www/html/admin to httpd_sys_content_t

    And set /var/log/pi-hole.log to dnsmasq_var_log_t.

    That got most things resolved as I can hit the webpage now.

    chcon --type=dnsmasq_var_log_t /var/log/pihole.log
    chcon --recursive --type=httpd_sys_content_t /var/www/html/admin
    

    But after a reboot, I see this when enforcing
    [image]

    But the DNS service is running.
    [image]



  • I purged the audit log and rebooted.

    Still this.

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    


  • While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.



  • Tried to load the admin page and it added some more.

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 3 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:httpd_config_t:s0
    Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
    Source                        lighttpd
    Source Path                   lighttpd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:10:27 CDT
    Last Seen                     2018-04-04 00:10:27 CDT
    Local ID                      c68567cd-1d33-4f99-8c8f-d185c0a0309f
    
    Raw Audit Messages
    type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
    
    Hash: lighttpd,httpd_t,httpd_config_t,file,map
    
    --------------------------------------------------------------------------------
    
    SELinux is preventing sudo from using the setrlimit access on a process.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to setrlimit
    Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
    
    Do
    setsebool -P httpd_setrlimit 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ process ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:13:30 CDT
    Last Seen                     2018-04-04 00:13:30 CDT
    Local ID                      8433e0d2-20ac-4b81-b135-7bcf50ca850d
    
    Raw Audit Messages
    type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
    
    
    Hash: sudo,httpd_t,httpd_t,process,setrlimit
    
    --------------------------------------------------------------------------------
    
    SELinux is preventing sudo from using the sys_resource capability.
    
    *****  Plugin sys_resource (37.5 confidence) suggests   **********************
    
    If you do not want processes to require capabilities to use up all the system resources on your system;
    Then you need to diagnose why your system is running out of system resources and fix the problem.
    
    According to /usr/include/linux/capability.h, sys_resource is required to:
    
    /* Override resource limits. Set resource limits. */
    /* Override quota limits. */
    /* Override reserved space on ext2 filesystem */
    /* Modify data journaling mode on ext3 filesystem (uses journaling
       resources) */
    /* NOTE: ext2 honors fsuid when checking for resource overrides, so
       you can override using fsuid too */
    /* Override size restrictions on IPC message queues */
    /* Allow more than 64hz interrupts from the real-time clock */
    /* Override max number of consoles on console allocation */
    /* Override max number of keymaps */
    
    Do
    fix the cause of the SYS_RESOURCE on your system.
    
    *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
    
    If you want to allow httpd to run stickshift
    Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.
    
    Do
    setsebool -P httpd_run_stickshift 1
    
    *****  Plugin catchall_boolean (30.1 confidence) suggests   ******************
    
    If you want to allow httpd to setrlimit
    Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.
    
    Do
    setsebool -P httpd_setrlimit 1
    
    *****  Plugin catchall (4.20 confidence) suggests   **************************
    
    If you believe that sudo should have the sys_resource capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ capability ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:13:30 CDT
    Last Seen                     2018-04-04 00:13:30 CDT
    Local ID                      95178bcd-0a0e-4a2b-80b1-d6ae2637c18e
    
    Raw Audit Messages
    type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
    
    
    Hash: sudo,httpd_t,httpd_t,capability,sys_resource
    
    [[email protected] ~]# 
    


  • I’ll have to look when I get home.



  • @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    I’ll have to look when I get home.

    The two things you did make it run on reboot, just no access to the GUI.
    I suspect just the log permission change lets the app itself run.



  • Doing a fresh install now on F27 with SEL in permissive. Where are the SELinux logs stored?



  • @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    Doing a fresh install now on F27 with SEL in permissive. Where are the SELinux logs stored?

    /var/log/audit/audit.log



  • @jaredbusch said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    I’ll have to look when I get home.

    The two things you did make it run on reboot, just no access to the GUI.
    I suspect just the log permission change lets the app itself run.

    Yes. I didn't look at the GUI afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.



  • So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.



  • @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    I could. I just deleted the instance and started over, so I just chose Debian. I don't ever log into this and just have the updates automatically done, so it doesn't really matter what it is.



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.



  • @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.

    It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux; that way I can fix the errors later.



  • @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @aaronstuder said in Pi-hole on Fedora has issues with SELinux:

    @black3dynamite said in Pi-hole on Fedora has issues with SELinux:

    @stacksofplates said in Pi-hole on Fedora has issues with SELinux:

    So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

    Why not permanently set SELinux to permissive instead of using Debian?

    Confirmed working on Permissive.

    It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux; that way I can fix the errors later.

    I know it works on Permissive. The point was I am trying to find what is not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the setroubleshoot or whatever package, and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one-time thing.

    I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.
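
An added example, not code from any poster in this thread: one way to list the distinct denials in `/var/log/audit/audit.log` without installing setroubleshoot, assuming `python3` is available on the host. It reduces each raw AVC record to the same `comm,source type,target type,class,permission` tuple that sealert prints on its "Hash:" line; the `classify` buckets and hint wording are this example's own simplification.

```python
"""Summarise SELinux AVC denials from raw audit records (added example)."""
import re
import sys
from collections import Counter, namedtuple

Denial = namedtuple("Denial", "comm source_type target_type tclass perm blocked")

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

# Hypothetical hint text for each bucket returned by classify().
HINTS = {
    "port": "port label, or a network boolean for the source domain",
    "self": "domain acting on itself: a boolean for the domain, else a local module",
    "object": "label of the target object, else a local module",
}

# Raw AVC records copied from the sealert output quoted in this thread.
SAMPLE_RECORDS = [
    r'type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0',
    r'type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0',
    r'type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0',
    r'type=AVC msg=audit(1523583700.990:11544): avc:  denied  { read } for  pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1',
    r'type=AVC msg=audit(1523586866.849:11550): avc:  denied  { name_connect } for  pid=26269 comm="php-cgi" dest=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
    r'type=AVC msg=audit(1524011549.891:21865): avc:  denied  { name_connect } for  pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1',
]
# Constructed non-AVC line, present only to show that other record types are skipped.
CONSTRUCTED_OTHER = 'type=SYSCALL msg=audit(1522818627.295:87): arch=c000003e syscall=9 success=no comm="lighttpd"'


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return one Denial per denied permission in the line ([] if not an AVC denial)."""
    m = AVC_RE.search(line)
    if not m:
        return []
    # permissive=0 means the access was actually blocked; permissive=1 (or a
    # record without the field) is only counted as logged.
    blocked = m.group("permissive") == "0"
    return [
        Denial(m.group("comm"), selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")), m.group("tclass"), perm, blocked)
        for perm in m.group("perms").split()
    ]


def classify(denial):
    """Bucket a denial by what kind of thing would have to change."""
    if denial.tclass.endswith("_socket") and denial.perm in ("name_connect", "name_bind"):
        return "port"
    if denial.source_type == denial.target_type:
        return "self"
    return "object"


def summarise(lines):
    """Return [(hash_key, total, blocked_count, kind)] sorted by total, descending."""
    totals, blocked, kinds = Counter(), Counter(), {}
    for line in lines:
        for d in parse_avc(line):
            key = ",".join(d[:5])          # same field order as sealert's "Hash:" line
            totals[key] += 1
            blocked[key] += d.blocked      # True counts as 1
            kinds[key] = classify(d)
    return [(k, n, blocked[k], kinds[k]) for k, n in totals.most_common()]


def report(rows):
    """Format summarise() output as printable lines."""
    return [f"{n:6d} ({b} blocked)  {key}\n        -> {HINTS[kind]}"
            for key, n, b, kind in rows]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Typically /var/log/audit/audit.log, which is readable by root only.
        with open(sys.argv[1], errors="replace") as fh:
            rows = summarise(fh)
    else:
        rows = summarise(SAMPLE_RECORDS + [CONSTRUCTED_OTHER])
    print("\n".join(report(rows)))
```

Run with no argument it summarises the embedded records; pass the path to an audit log to summarise that file instead.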



  • For some reason flushing logs isn't working for me. It works for me when using Debian.



  • OK, back to this after 14 days, and just WTF with my audit.log; it took sealert 5 minutes to parse it.

    [[email protected] ~]# ls -lah /var/log/audit/audit.log
    -rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log
    


  • [[email protected] ~]# sealert -a /var/log/audit/audit.log
      0% donetype=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
     
    **** Invalid AVC allowed in current policy ***
    
    type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
     
    **** Invalid AVC allowed in current policy ***
    
     51% done'generator' object is not subscriptable
    100% done
    found 29 alerts in /var/log/audit/audit.log
    


  • SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
    # semodule -X 300 -i my-lighttpd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:httpd_config_t:s0
    Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
    Source                        lighttpd
    Source Path                   lighttpd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-04 00:10:27 CDT
    Last Seen                     2018-04-04 00:10:27 CDT
    Local ID                      7231bc1d-89a1-4c9b-afeb-e87e9fd42dba
    
    Raw Audit Messages
    type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
    
    Hash: lighttpd,httpd_t,httpd_config_t,file,map
    


  • SELinux is preventing sudo from nlmsg_relay access on the netlink_audit_socket Unknown.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to mod auth pam
    Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean.
    
    Do
    setsebool -P httpd_mod_auth_pam 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that sudo should be allowed nlmsg_relay access on the Unknown netlink_audit_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ netlink_audit_socket ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1446
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-17 19:30:30 CDT
    Local ID                      3ba955da-bc76-40a9-8efa-50c9728c7b3b
    
    Raw Audit Messages
    type=AVC msg=audit(1524011430.537:21859): avc:  denied  { nlmsg_relay } for  pid=11201 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=1
    
    
    Hash: sudo,httpd_t,httpd_t,netlink_audit_socket,nlmsg_relay
    


  • SELinux is preventing sudo from using the audit_write capability.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to mod auth pam
    Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean.
    
    Do
    setsebool -P httpd_mod_auth_pam 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that sudo should have the audit_write capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sudo' --raw | audit2allow -M my-sudo
    # semodule -X 300 -i my-sudo.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ capability ]
    Source                        sudo
    Source Path                   sudo
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1506
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-17 19:32:30 CDT
    Local ID                      30419184-33b4-4c6a-8bd1-4f1baeb723fe
    
    Raw Audit Messages
    type=AVC msg=audit(1524011550.40:21873): avc:  denied  { audit_write } for  pid=11238 comm="sudo" capability=29  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
    
    
    Hash: sudo,httpd_t,httpd_t,capability,audit_write
    


  • SELinux is preventing grep from read access on the file 01-pihole.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that grep should be allowed read access on the 01-pihole.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'grep' --raw | audit2allow -M my-grep
    # semodule -X 300 -i my-grep.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
    Target Objects                01-pihole.conf [ file ]
    Source                        grep
    Source Path                   grep
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   20
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-12 20:41:40 CDT
    Local ID                      bb7f8e33-0218-4005-af39-84a179625a5e
    
    Raw Audit Messages
    type=AVC msg=audit(1523583700.990:11544): avc:  denied  { read } for  pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
    
    
    Hash: grep,httpd_t,dnsmasq_etc_t,file,read
    

    and

    SELinux is preventing grep from open access on the file /etc/dnsmasq.d/01-pihole.conf.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that grep should be allowed open access on the 01-pihole.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'grep' --raw | audit2allow -M my-grep
    # semodule -X 300 -i my-grep.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
    Target Objects                /etc/dnsmasq.d/01-pihole.conf [ file ]
    Source                        grep
    Source Path                   grep
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   20
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-12 20:41:40 CDT
    Local ID                      2b179168-a8dd-4d1b-b00c-d3979aff916b
    
    Raw Audit Messages
    type=AVC msg=audit(1523583700.990:11545): avc:  denied  { open } for  pid=21644 comm="grep" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
    
    
    Hash: grep,httpd_t,dnsmasq_etc_t,file,open
    


  • SELinux is preventing php-cgi from name_connect access on the tcp_socket port 4711.
    
    *****  Plugin connect_ports (85.9 confidence) suggests   *********************
    
    If you want to allow php-cgi to connect to network port 4711
    Then you need to modify the port type.
    Do
    # semanage port -a -t PORT_TYPE -p tcp 4711
        where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t.
    
    *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
    
    If you want to allow httpd to can network connect
    Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
    
    Do
    setsebool -P httpd_can_network_connect 1
    
    *****  Plugin catchall_boolean (7.33 confidence) suggests   ******************
    
    If you want to allow nis to enabled
    Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
    
    Do
    setsebool -P nis_enabled 1
    
    *****  Plugin catchall (1.35 confidence) suggests   **************************
    
    If you believe that php-cgi should be allowed name_connect access on the port 4711 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi
    # semodule -X 300 -i my-phpcgi.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:unreserved_port_t:s0
    Target Objects                port 4711 [ tcp_socket ]
    Source                        php-cgi
    Source Path                   php-cgi
    Port                          4711
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   24
    First Seen                    2018-04-04 00:16:52 CDT
    Last Seen                     2018-04-12 21:34:26 CDT
    Local ID                      01d3eb41-826d-4d3c-8d5f-8eaec761ce30
    
    Raw Audit Messages
    type=AVC msg=audit(1523586866.849:11550): avc:  denied  { name_connect } for  pid=26269 comm="php-cgi" dest=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
    
    
    Hash: php-cgi,httpd_t,unreserved_port_t,tcp_socket,name_connect
    

    and

    SELinux is preventing php-cgi from name_connect access on the tcp_socket port 80.
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to can network connect
    Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
    
    Do
    setsebool -P httpd_can_network_connect 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to graceful shutdown
    Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.
    
    Do
    setsebool -P httpd_graceful_shutdown 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to can network relay
    Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.
    
    Do
    setsebool -P httpd_can_network_relay 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow nis to enabled
    Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
    
    Do
    setsebool -P nis_enabled 1
    
    *****  Plugin catchall (3.53 confidence) suggests   **************************
    
    If you believe that php-cgi should be allowed name_connect access on the port 80 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi
    # semodule -X 300 -i my-phpcgi.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:http_port_t:s0
    Target Objects                port 80 [ tcp_socket ]
    Source                        php-cgi
    Source Path                   php-cgi
    Port                          80
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1325
    First Seen                    2018-04-04 06:59:33 CDT
    Last Seen                     2018-04-17 19:32:29 CDT
    Local ID                      7ac7ba27-7443-45b9-95b1-e625ab7a79f9
    
    Raw Audit Messages
    type=AVC msg=audit(1524011549.891:21865): avc:  denied  { name_connect } for  pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
    
    
    Hash: php-cgi,httpd_t,http_port_t,tcp_socket,name_connect
    


  • SELinux is preventing grep from using the execmem access on a process.
    
    *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
    
    If you want to allow httpd to execmem
    Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.
    
    Do
    setsebool -P httpd_execmem 1
    
    *****  Plugin catchall (11.6 confidence) suggests   **************************
    
    If you believe that grep should be allowed execmem access on processes labeled httpd_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'grep' --raw | audit2allow -M my-grep
    # semodule -X 300 -i my-grep.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:httpd_t:s0
    Target Objects                Unknown [ process ]
    Source                        grep
    Source Path                   grep
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      64692e75-6f36-4bd4-9fe6-45a60f1bc88c
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.302:11449): avc:  denied  { execmem } for  pid=21097 comm="grep" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
    
    
    Hash: grep,httpd_t,httpd_t,process,execmem
    
    


  • SELinux is preventing touch from write access on the directory pihole.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that touch should be allowed write access on the pihole directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'touch' --raw | audit2allow -M my-touch
    # semodule -X 300 -i my-touch.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:etc_t:s0
    Target Objects                pihole [ dir ]
    Source                        touch
    Source Path                   touch
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      f6819870-22ca-46c9-9ad9-96d24d0d447d
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.305:11450): avc:  denied  { write } for  pid=21100 comm="touch" name="pihole" dev="dm-0" ino=307233 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
    
    
    Hash: touch,httpd_t,etc_t,dir,write
    

    and

    SELinux is preventing touch from add_name access on the directory blacklist.txt.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that touch should be allowed add_name access on the blacklist.txt directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'touch' --raw | audit2allow -M my-touch
    # semodule -X 300 -i my-touch.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:etc_t:s0
    Target Objects                blacklist.txt [ dir ]
    Source                        touch
    Source Path                   touch
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      5fbe887d-7ce6-4ba9-a5a9-5158ecc1954f
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.305:11451): avc:  denied  { add_name } for  pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
    
    
    Hash: touch,httpd_t,etc_t,dir,add_name
    

    and

    SELinux is preventing touch from create access on the file blacklist.txt.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that touch should be allowed create access on the blacklist.txt file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'touch' --raw | audit2allow -M my-touch
    # semodule -X 300 -i my-touch.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:etc_t:s0
    Target Objects                blacklist.txt [ file ]
    Source                        touch
    Source Path                   touch
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      58d2d479-f658-443f-a4c7-b45e2c9c8e3f
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.305:11452): avc:  denied  { create } for  pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: touch,httpd_t,etc_t,file,create
    

    and

    SELinux is preventing touch from write access on the file /etc/pihole/blacklist.txt.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that touch should be allowed write access on the blacklist.txt file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'touch' --raw | audit2allow -M my-touch
    # semodule -X 300 -i my-touch.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:etc_t:s0
    Target Objects                /etc/pihole/blacklist.txt [ file ]
    Source                        touch
    Source Path                   touch
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      5fae4d46-ba3f-4f66-9778-031c8a332c74
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.306:11453): avc:  denied  { write } for  pid=21100 comm="touch" path="/etc/pihole/blacklist.txt" dev="dm-0" ino=306687 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: touch,httpd_t,etc_t,file,write
    
    


  • SELinux is preventing bash from append access on the file whitelist.txt.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that bash should be allowed append access on the whitelist.txt file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'bash' --raw | audit2allow -M my-bash
    # semodule -X 300 -i my-bash.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:etc_t:s0
    Target Objects                whitelist.txt [ file ]
    Source                        bash
    Source Path                   bash
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      4aeb8a94-a723-4a49-a2de-a6efea256a7f
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.312:11454): avc:  denied  { append } for  pid=21095 comm="bash" name="whitelist.txt" dev="dm-0" ino=315190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: bash,httpd_t,etc_t,file,append
    

    and

    SELinux is preventing bash from append access on the file /etc/pihole/black.list.tmp.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that bash should be allowed append access on the black.list.tmp file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'bash' --raw | audit2allow -M my-bash
    # semodule -X 300 -i my-bash.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:etc_t:s0
    Target Objects                /etc/pihole/black.list.tmp [ file ]
    Source                        bash
    Source Path                   bash
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      319dcb0a-79b2-42f8-9bc8-45655b081cdf
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.356:11455): avc:  denied  { append } for  pid=21132 comm="bash" path="/etc/pihole/black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: bash,httpd_t,etc_t,file,append
    


  • SELinux is preventing mv from remove_name access on the directory black.list.tmp.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mv should be allowed remove_name access on the black.list.tmp directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mv' --raw | audit2allow -M my-mv
    # semodule -X 300 -i my-mv.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:etc_t:s0
    Target Objects                black.list.tmp [ dir ]
    Source                        mv
    Source Path                   mv
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      6c3ac81d-96f8-4e71-a51e-fa4b338ab045
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.359:11456): avc:  denied  { remove_name } for  pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
    
    
    Hash: mv,httpd_t,etc_t,dir,remove_name
    

    and

    SELinux is preventing mv from rename access on the file black.list.tmp.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mv should be allowed rename access on the black.list.tmp file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mv' --raw | audit2allow -M my-mv
    # semodule -X 300 -i my-mv.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:etc_t:s0
    Target Objects                black.list.tmp [ file ]
    Source                        mv
    Source Path                   mv
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      2cfbe815-be93-4fbc-99c1-64d8983d98fa
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.359:11457): avc:  denied  { rename } for  pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: mv,httpd_t,etc_t,file,rename
    


  • SELinux is preventing bash from write access on the file local.list.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that bash should be allowed write access on the local.list file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'bash' --raw | audit2allow -M my-bash
    # semodule -X 300 -i my-bash.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                unconfined_u:object_r:etc_t:s0
    Target Objects                local.list [ file ]
    Source                        bash
    Source Path                   bash
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      877e6a5f-043f-469b-97bd-b38ecba2a20f
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.360:11458): avc:  denied  { write } for  pid=21120 comm="bash" name="local.list" dev="dm-0" ino=307099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: bash,httpd_t,etc_t,file,write
    


  • SELinux is preventing mv from unlink access on the file gravity.list.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mv should be allowed unlink access on the gravity.list file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mv' --raw | audit2allow -M my-mv
    # semodule -X 300 -i my-mv.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:etc_t:s0
    Target Objects                gravity.list [ file ]
    Source                        mv
    Source Path                   mv
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      bef03d3f-49e3-4ce0-bceb-f0702ff42734
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.423:11459): avc:  denied  { unlink } for  pid=21138 comm="mv" name="gravity.list" dev="dm-0" ino=333405 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    
    
    Hash: mv,httpd_t,etc_t,file,unlink
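
To see how many distinct policy decisions sit behind the alerts in the posts above, this added example (not from the thread and not part of the setroubleshoot tools) parses the raw AVC records quoted there and groups them by source type, target type and object class. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Raw AVC records copied verbatim from the sealert reports quoted in the posts above.
AVC_LINES = """
type=AVC msg=audit(1524011549.891:21865): avc:  denied  { name_connect } for  pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1523578079.302:11449): avc:  denied  { execmem } for  pid=21097 comm="grep" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1523578079.305:11450): avc:  denied  { write } for  pid=21100 comm="touch" name="pihole" dev="dm-0" ino=307233 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1523578079.305:11451): avc:  denied  { add_name } for  pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1523578079.305:11452): avc:  denied  { create } for  pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.306:11453): avc:  denied  { write } for  pid=21100 comm="touch" path="/etc/pihole/blacklist.txt" dev="dm-0" ino=306687 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.312:11454): avc:  denied  { append } for  pid=21095 comm="bash" name="whitelist.txt" dev="dm-0" ino=315190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.356:11455): avc:  denied  { append } for  pid=21132 comm="bash" path="/etc/pihole/black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.359:11456): avc:  denied  { remove_name } for  pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1523578079.359:11457): avc:  denied  { rename } for  pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.360:11458): avc:  denied  { write } for  pid=21120 comm="bash" name="local.list" dev="dm-0" ino=307099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578079.423:11459): avc:  denied  { unlink } for  pid=21138 comm="mv" name="gravity.list" dev="dm-0" ino=333405 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
""".strip().splitlines()

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type:level; the level may contain further
        # colons (MLS categories), so split at most three times.
        stype = fields["scontext"].split(":", 3)[2]
        ttype = fields["tcontext"].split(":", 3)[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "permissive": fields.get("permissive") == "1",
    }


def group_denials(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        if rec["object"]:
            g["objects"].add(rec["object"])
    return dict(groups)


def summarize(groups):
    """One line per group: source -> target:class { perms } and the commands seen."""
    return [
        f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} comm={','.join(sorted(g['comms']))}"
        for (s, t, c), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in summarize(group_denials(AVC_LINES)):
        print(row)
```

On these records the ten denials against etc_t reduce to two groups, httpd_t on etc_t directories and httpd_t on etc_t files, regardless of which command (touch, bash, mv) triggered them.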
    


  • SELinux is preventing killall from using the signal access on a process.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that killall should be allowed signal access on processes labeled dnsmasq_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'killall' --raw | audit2allow -M my-killall
    # semodule -X 300 -i my-killall.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:dnsmasq_t:s0
    Target Objects                Unknown [ process ]
    Source                        killall
    Source Path                   killall
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   1
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:07:59 CDT
    Local ID                      496b84f5-8bd0-4dbd-ba57-c864c76bb583
    
    Raw Audit Messages
    type=AVC msg=audit(1523578079.437:11460): avc:  denied  { signal } for  pid=21145 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1
    
    
    Hash: killall,httpd_t,dnsmasq_t,process,signal
    
    

    and

    SELinux is preventing killall from using the signal access on a process.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that killall should be allowed signal access on processes labeled initrc_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'killall' --raw | audit2allow -M my-killall
    # semodule -X 300 -i my-killall.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:system_r:initrc_t:s0
    Target Objects                Unknown [ process ]
    Source                        killall
    Source Path                   killall
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     pihole.jaredbusch.com
    Platform                      Linux pihole.jaredbusch.com
                                  4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                                  UTC 2018 x86_64 x86_64
    Alert Count                   3
    First Seen                    2018-04-12 19:07:59 CDT
    Last Seen                     2018-04-12 19:13:56 CDT
    Local ID                      d3c0da7f-d8f2-48dc-88b8-c61c38e001f7
    
    Raw Audit Messages
    type=AVC msg=audit(1523578436.57:11527): avc:  denied  { signal } for  pid=21345 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
    
    
    Hash: killall,httpd_t,initrc_t,process,signal