Pi-hole on Fedora has issues with SELinux
-
```
SELinux is preventing grep from read access on the file 01-pihole.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that grep should be allowed read access on the 01-pihole.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'grep' --raw | audit2allow -M my-grep
# semodule -X 300 -i my-grep.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                01-pihole.conf [ file ]
Source                        grep
Source Path                   grep
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   20
First Seen                    2018-04-04 00:16:52 CDT
Last Seen                     2018-04-12 20:41:40 CDT
Local ID                      bb7f8e33-0218-4005-af39-84a179625a5e

Raw Audit Messages
type=AVC msg=audit(1523583700.990:11544): avc: denied { read } for pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: grep,httpd_t,dnsmasq_etc_t,file,read
```
and
```
SELinux is preventing grep from open access on the file /etc/dnsmasq.d/01-pihole.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that grep should be allowed open access on the 01-pihole.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'grep' --raw | audit2allow -M my-grep
# semodule -X 300 -i my-grep.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                /etc/dnsmasq.d/01-pihole.conf [ file ]
Source                        grep
Source Path                   grep
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   20
First Seen                    2018-04-04 00:16:52 CDT
Last Seen                     2018-04-12 20:41:40 CDT
Local ID                      2b179168-a8dd-4d1b-b00c-d3979aff916b

Raw Audit Messages
type=AVC msg=audit(1523583700.990:11545): avc: denied { open } for pid=21644 comm="grep" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: grep,httpd_t,dnsmasq_etc_t,file,open
```
-
```
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 4711.

*****  Plugin connect_ports (85.9 confidence) suggests   *********************

If you want to allow php-cgi to connect to network port 4711
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 4711
    where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, kerberos_port_t, ocsp_port_t.

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.35 confidence) suggests   **************************

If you believe that php-cgi should be allowed name_connect access on the port 4711 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi
# semodule -X 300 -i my-phpcgi.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 4711 [ tcp_socket ]
Source                        php-cgi
Source Path                   php-cgi
Port                          4711
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   24
First Seen                    2018-04-04 00:16:52 CDT
Last Seen                     2018-04-12 21:34:26 CDT
Local ID                      01d3eb41-826d-4d3c-8d5f-8eaec761ce30

Raw Audit Messages
type=AVC msg=audit(1523586866.849:11550): avc: denied { name_connect } for pid=26269 comm="php-cgi" dest=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1

Hash: php-cgi,httpd_t,unreserved_port_t,tcp_socket,name_connect
```
and
```
SELinux is preventing php-cgi from name_connect access on the tcp_socket port 80.

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to graceful shutdown
Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.

Do
setsebool -P httpd_graceful_shutdown 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.

Do
setsebool -P httpd_can_network_relay 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (3.53 confidence) suggests   **************************

If you believe that php-cgi should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-cgi' --raw | audit2allow -M my-phpcgi
# semodule -X 300 -i my-phpcgi.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        php-cgi
Source Path                   php-cgi
Port                          80
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1325
First Seen                    2018-04-04 06:59:33 CDT
Last Seen                     2018-04-17 19:32:29 CDT
Local ID                      7ac7ba27-7443-45b9-95b1-e625ab7a79f9

Raw Audit Messages
type=AVC msg=audit(1524011549.891:21865): avc: denied { name_connect } for pid=8832 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

Hash: php-cgi,httpd_t,http_port_t,tcp_socket,name_connect
```
-
```
SELinux is preventing grep from using the execmem access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to execmem
Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.

Do
setsebool -P httpd_execmem 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that grep should be allowed execmem access on processes labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'grep' --raw | audit2allow -M my-grep
# semodule -X 300 -i my-grep.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ process ]
Source                        grep
Source Path                   grep
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      64692e75-6f36-4bd4-9fe6-45a60f1bc88c

Raw Audit Messages
type=AVC msg=audit(1523578079.302:11449): avc: denied { execmem } for pid=21097 comm="grep" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1

Hash: grep,httpd_t,httpd_t,process,execmem
```
-
```
SELinux is preventing touch from write access on the directory pihole.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that touch should be allowed write access on the pihole directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'touch' --raw | audit2allow -M my-touch
# semodule -X 300 -i my-touch.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                pihole [ dir ]
Source                        touch
Source Path                   touch
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      f6819870-22ca-46c9-9ad9-96d24d0d447d

Raw Audit Messages
type=AVC msg=audit(1523578079.305:11450): avc: denied { write } for pid=21100 comm="touch" name="pihole" dev="dm-0" ino=307233 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1

Hash: touch,httpd_t,etc_t,dir,write
```
and
```
SELinux is preventing touch from add_name access on the directory blacklist.txt.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that touch should be allowed add_name access on the blacklist.txt directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'touch' --raw | audit2allow -M my-touch
# semodule -X 300 -i my-touch.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                blacklist.txt [ dir ]
Source                        touch
Source Path                   touch
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      5fbe887d-7ce6-4ba9-a5a9-5158ecc1954f

Raw Audit Messages
type=AVC msg=audit(1523578079.305:11451): avc: denied { add_name } for pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1

Hash: touch,httpd_t,etc_t,dir,add_name
```
and
```
SELinux is preventing touch from create access on the file blacklist.txt.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that touch should be allowed create access on the blacklist.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'touch' --raw | audit2allow -M my-touch
# semodule -X 300 -i my-touch.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                blacklist.txt [ file ]
Source                        touch
Source Path                   touch
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      58d2d479-f658-443f-a4c7-b45e2c9c8e3f

Raw Audit Messages
type=AVC msg=audit(1523578079.305:11452): avc: denied { create } for pid=21100 comm="touch" name="blacklist.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: touch,httpd_t,etc_t,file,create
```
and
```
SELinux is preventing touch from write access on the file /etc/pihole/blacklist.txt.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that touch should be allowed write access on the blacklist.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'touch' --raw | audit2allow -M my-touch
# semodule -X 300 -i my-touch.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/pihole/blacklist.txt [ file ]
Source                        touch
Source Path                   touch
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      5fae4d46-ba3f-4f66-9778-031c8a332c74

Raw Audit Messages
type=AVC msg=audit(1523578079.306:11453): avc: denied { write } for pid=21100 comm="touch" path="/etc/pihole/blacklist.txt" dev="dm-0" ino=306687 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: touch,httpd_t,etc_t,file,write
```
-
```
SELinux is preventing bash from append access on the file whitelist.txt.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed append access on the whitelist.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bash' --raw | audit2allow -M my-bash
# semodule -X 300 -i my-bash.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                whitelist.txt [ file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      4aeb8a94-a723-4a49-a2de-a6efea256a7f

Raw Audit Messages
type=AVC msg=audit(1523578079.312:11454): avc: denied { append } for pid=21095 comm="bash" name="whitelist.txt" dev="dm-0" ino=315190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: bash,httpd_t,etc_t,file,append
```
and
```
SELinux is preventing bash from append access on the file /etc/pihole/black.list.tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed append access on the black.list.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bash' --raw | audit2allow -M my-bash
# semodule -X 300 -i my-bash.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/pihole/black.list.tmp [ file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      319dcb0a-79b2-42f8-9bc8-45655b081cdf

Raw Audit Messages
type=AVC msg=audit(1523578079.356:11455): avc: denied { append } for pid=21132 comm="bash" path="/etc/pihole/black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: bash,httpd_t,etc_t,file,append
```
-
```
SELinux is preventing mv from remove_name access on the directory black.list.tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mv should be allowed remove_name access on the black.list.tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mv' --raw | audit2allow -M my-mv
# semodule -X 300 -i my-mv.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                black.list.tmp [ dir ]
Source                        mv
Source Path                   mv
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      6c3ac81d-96f8-4e71-a51e-fa4b338ab045

Raw Audit Messages
type=AVC msg=audit(1523578079.359:11456): avc: denied { remove_name } for pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1

Hash: mv,httpd_t,etc_t,dir,remove_name
```
and
```
SELinux is preventing mv from rename access on the file black.list.tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mv should be allowed rename access on the black.list.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mv' --raw | audit2allow -M my-mv
# semodule -X 300 -i my-mv.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                black.list.tmp [ file ]
Source                        mv
Source Path                   mv
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      2cfbe815-be93-4fbc-99c1-64d8983d98fa

Raw Audit Messages
type=AVC msg=audit(1523578079.359:11457): avc: denied { rename } for pid=21133 comm="mv" name="black.list.tmp" dev="dm-0" ino=316887 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: mv,httpd_t,etc_t,file,rename
```
-
```
SELinux is preventing bash from write access on the file local.list.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed write access on the local.list file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bash' --raw | audit2allow -M my-bash
# semodule -X 300 -i my-bash.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                local.list [ file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      877e6a5f-043f-469b-97bd-b38ecba2a20f

Raw Audit Messages
type=AVC msg=audit(1523578079.360:11458): avc: denied { write } for pid=21120 comm="bash" name="local.list" dev="dm-0" ino=307099 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: bash,httpd_t,etc_t,file,write
```
-
```
SELinux is preventing mv from unlink access on the file gravity.list.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mv should be allowed unlink access on the gravity.list file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mv' --raw | audit2allow -M my-mv
# semodule -X 300 -i my-mv.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                gravity.list [ file ]
Source                        mv
Source Path                   mv
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      bef03d3f-49e3-4ce0-bceb-f0702ff42734

Raw Audit Messages
type=AVC msg=audit(1523578079.423:11459): avc: denied { unlink } for pid=21138 comm="mv" name="gravity.list" dev="dm-0" ino=333405 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Hash: mv,httpd_t,etc_t,file,unlink
```
-
```
SELinux is preventing killall from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that killall should be allowed signal access on processes labeled dnsmasq_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'killall' --raw | audit2allow -M my-killall
# semodule -X 300 -i my-killall.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:dnsmasq_t:s0
Target Objects                Unknown [ process ]
Source                        killall
Source Path                   killall
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:07:59 CDT
Local ID                      496b84f5-8bd0-4dbd-ba57-c864c76bb583

Raw Audit Messages
type=AVC msg=audit(1523578079.437:11460): avc: denied { signal } for pid=21145 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1

Hash: killall,httpd_t,dnsmasq_t,process,signal
```
and
```
SELinux is preventing killall from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that killall should be allowed signal access on processes labeled initrc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'killall' --raw | audit2allow -M my-killall
# semodule -X 300 -i my-killall.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                Unknown [ process ]
Source                        killall
Source Path                   killall
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-04-12 19:07:59 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      d3c0da7f-d8f2-48dc-88b8-c61c38e001f7

Raw Audit Messages
type=AVC msg=audit(1523578436.57:11527): avc: denied { signal } for pid=21345 comm="killall" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1

Hash: killall,httpd_t,initrc_t,process,signal
```
-
Finally, a bunch with sed:
```
SELinux is preventing sed from ioctl access on the file /etc/dnsmasq.d/01-pihole.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sed should be allowed ioctl access on the 01-pihole.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                /etc/dnsmasq.d/01-pihole.conf [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:55 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      f6206021-c986-4066-83b0-e407292183ac

Raw Audit Messages
type=AVC msg=audit(1523578436.22:11516): avc: denied { ioctl } for pid=21332 comm="sed" path="/etc/dnsmasq.d/01-pihole.conf" dev="dm-0" ino=34279073 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,ioctl
```
and
```
SELinux is preventing sed from write access on the directory dnsmasq.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sed should be allowed write access on the dnsmasq.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:dnsmasq_etc_t:s0
Target Objects                dnsmasq.d [ dir ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:55 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      216c555a-b747-4884-a6be-110e82d17b2f

Raw Audit Messages
type=AVC msg=audit(1523578436.22:11517): avc: denied { write } for pid=21332 comm="sed" name="dnsmasq.d" dev="dm-0" ino=34279099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,dir,write
```
and
```
SELinux is preventing sed from add_name access on the directory sedcz73nA.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sed should be allowed add_name access on the sedcz73nA directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:dnsmasq_etc_t:s0
Target Objects                sedcz73nA [ dir ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:55 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      b3c553d2-589a-441d-8b06-7de40ea34eb6

Raw Audit Messages
type=AVC msg=audit(1523578436.22:11518): avc: denied { add_name } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,dir,add_name
```
and
```
SELinux is preventing sed from create access on the file sedcz73nA.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sed should be allowed create access on the sedcz73nA file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                sedcz73nA [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:55 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      869fd7e0-c31c-4037-8032-e5917b591088

Raw Audit Messages
type=AVC msg=audit(1523578436.22:11519): avc: denied { create } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,create
```
and
```
SELinux is preventing sed from write access on the file /etc/dnsmasq.d/sedcz73nA.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sed should be allowed write access on the sedcz73nA file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                /etc/dnsmasq.d/sedcz73nA [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:55 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      d425f40d-6c3e-4e0b-9cd7-3e2e65532342

Raw Audit Messages
type=AVC msg=audit(1523578436.23:11520): avc: denied { write } for pid=21332 comm="sed" path="/etc/dnsmasq.d/sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,write
```
and
SELinux is preventing sed from setattr access on the file sedcz73nA.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sed should be allowed setattr access on the sedcz73nA file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                sedcz73nA [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:56 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      f6430ba2-79aa-424e-8c4c-70cdaac0e419

Raw Audit Messages
type=AVC msg=audit(1523578436.23:11521): avc: denied { setattr } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,setattr
and
SELinux is preventing sed from remove_name access on the directory sedcz73nA.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sed should be allowed remove_name access on the sedcz73nA directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:dnsmasq_etc_t:s0
Target Objects                sedcz73nA [ dir ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:56 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      72365554-6384-4eca-9da3-2cb1f29c3f59

Raw Audit Messages
type=AVC msg=audit(1523578436.23:11522): avc: denied { remove_name } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,dir,remove_name
and
SELinux is preventing sed from rename access on the file sedcz73nA.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sed should be allowed rename access on the sedcz73nA file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                sedcz73nA [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:56 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      c2952912-cec1-4842-8846-5e0fbf06418b

Raw Audit Messages
type=AVC msg=audit(1523578436.23:11523): avc: denied { rename } for pid=21332 comm="sed" name="sedcz73nA" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,rename
and
SELinux is preventing sed from unlink access on the file 01-pihole.conf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sed should be allowed unlink access on the 01-pihole.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sed' --raw | audit2allow -M my-sed
# semodule -X 300 -i my-sed.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:dnsmasq_etc_t:s0
Target Objects                01-pihole.conf [ file ]
Source                        sed
Source Path                   sed
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com 4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-04-12 19:08:56 CDT
Last Seen                     2018-04-12 19:13:56 CDT
Local ID                      fb40dba0-042a-4270-a8e8-105571932a7d

Raw Audit Messages
type=AVC msg=audit(1523578436.23:11524): avc: denied { unlink } for pid=21332 comm="sed" name="01-pihole.conf" dev="dm-0" ino=34279073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1

Hash: sed,httpd_t,dnsmasq_etc_t,file,unlink
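Before running the catch-all audit2allow suggestion, it is worth reducing the raw AVC records above to the (source type, target type, class, permission) tuples an allow rule would actually grant, and checking whether anything was enforced at all. The script below is an added example, not part of this thread or of Pi-hole; its sample input is constructed from three of the denials quoted above.

```shell
#!/usr/bin/env bash
# Summarise raw SELinux AVC records so the question "is the web UI (httpd_t)
# really rewriting dnsmasq's config (dnsmasq_etc_t)?" is answered from the
# audit trail rather than from audit2allow's catch-all suggestion.

# Constructed sample: three of the denials posted in this thread, one per line.
AVC_SAMPLE='type=AVC msg=audit(1523583700.990:11544): avc: denied { read } for pid=21644 comm="grep" name="01-pihole.conf" dev="dm-0" ino=34279554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578436.22:11519): avc: denied { create } for pid=21332 comm="sed" name="sedcz73nA" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1523578436.23:11524): avc: denied { unlink } for pid=21332 comm="sed" name="01-pihole.conf" dev="dm-0" ino=34279073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=1'

# Reads AVC records on stdin; prints "source_type target_type class perm comm"
# per record, i.e. the tuple a local policy module would have to allow.
summarize_avc() {
  awk '
    /avc: *denied/ {
      perm = ""; comm = ""; stype = ""; ttype = ""; cls = ""
      if (match($0, /[{] *[a-z_]+ *[}]/)) {
        perm = substr($0, RSTART, RLENGTH); gsub(/[{} ]/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      print stype, ttype, cls, perm, comm
    }'
}

# Distinct (source, target, class) triples: one triple means a single
# misbehaving code path; many means the generated module would be far too broad.
distinct_pairs() {
  summarize_avc | awk '{ print $1, $2, $3 }' | sort -u
}

# Records that were actually blocked. Every record in this thread carries
# permissive=1 (the host is in permissive mode), so nothing has been denied yet;
# switching to enforcing without a fix is the point at which Pi-hole would break.
enforced_denials() {
  grep -c 'avc: *denied.*permissive=0' || true
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | distinct_pairs
printf '%s\n' "$AVC_SAMPLE" | enforced_denials
```

On a live host the same functions read `ausearch -m AVC --raw` output on stdin.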
-
Have you tried setting
chown lighttpd:root /etc/lighttpd/lighttpd.conf
or whatever user is made for lighttpd?
That seems like it could be the problem.
-
Just wanted to thank @stacksofplates and @JaredBusch on the SELinux part on Fedora 28 Server. I had that issue today.
The other thing I needed to do was the following:
lighttpd -t
sudo lighttpd -f /etc/lighttpd/lighttpd.conf
If you get an error, I commented out the last line in the lighttpd.conf file:
include_shell "cat external.conf 2>/dev/null"
-
@dbeato don’t do that.
See my bug report
-
@jaredbusch said in Pi-hole on Fedora has issues with SELinux:
@dbeato don’t do that.
See my bug report
I will read it.
-