SELinux policy for Pi-Hole
I am running Fedora Server 28 for ARM on my Raspberry and during the installation of Pi-Hole I got a warning message about SELinux being set to 'Enforced' and that because of it I cannot use Pi-Hole's admin page.
That is indeed the case, http://pi.hole/ returns a blank page, and without disabling SELinux / setting it to permissive on /etc/sysconfig/selinux Pi-Hole does not work at all.
The question is, how do I create a policy that allows Pi-Hole to work as intended while having Enforced status on?
Edit #1

I found this question:

> start with the default policy, run in permissive to see what needs to
> be fixed. Then modify your policies to fix potential problems. Then
> restart strict enforcing.

    grep hole /var/log/audit/audit.log

outputs many comm="php-cgi" and comm="dnsmasq" denials.

Could this solve my problem?

    $ grep hole /var/log/audit/audit.log | audit2allow -M mypolicy
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    # /usr/sbin/semodule -i mypolicy.pp

fedora raspberry-pi selinux pi-hole
edited Jun 28 at 2:55
slm
asked Jun 21 at 7:33
Bontano
1 Answer
accepted
From Pi-Hole's GitHub:

> Pi-hole being an advertising-aware DNS/Web server, makes use of the following technologies:
>
> dnsmasq - a lightweight DNS and DHCP server

Solved my problem with:

    SELINUX=permissive

in /etc/sysconfig/selinux

    reboot
    # grep dnsmasq_t /var/log/audit/audit.log | audit2allow -m dnscache > dnscache.te
    # grep dnsmasq_t /var/log/audit/audit.log | audit2allow -M dnscache
    semodule -i dnscache.pp

Verified with:

    semodule -l | grep dns

Afterwards:

    SELINUX=enforcing

in /etc/sysconfig/selinux

    reboot

edited Jun 21 at 12:11
answered Jun 21 at 11:59
Bontano
I'd be grateful for any feedback or criticism that I can learn from or use to help me improve my answer
– Bontano
Jun 29 at 8:35
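
As an added example (not part of the original question or answer): a small Python summary of AVC denials grouped by source domain, so the allow rules a generated module would contain can be reviewed before `semodule -i`, and so it is visible which domains a filter such as `grep dnsmasq_t` leaves out. The log lines, paths and target types are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log AVC format; paths, inode numbers and target
# types are invented for illustration, not taken from the original post.
SAMPLE_LOG = """\
type=AVC msg=audit(1529566380.101:412): avc:  denied  { open } for  pid=1201 comm="dnsmasq" path="/var/log/pihole.log" dev="mmcblk0p3" ino=131 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529566380.102:413): avc:  denied  { append } for  pid=1201 comm="dnsmasq" path="/var/log/pihole.log" dev="mmcblk0p3" ino=131 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529566391.550:420): avc:  denied  { write } for  pid=1310 comm="php-cgi" name="pihole-FTL.db" dev="mmcblk0p3" ino=207 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1529566391.550:420): arch=40000028 syscall=5 success=yes comm="php-cgi" exe="/usr/bin/php-cgi"
"""

# Contexts are user:role:type:level; only the type field is captured.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)'
    r'.*?tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+).*?tclass=(?P<cls>\w+)')

def parse_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            entry = rules[(m["src"], m["tgt"], m["cls"])]
            entry["perms"].update(m["perms"].split())
            entry["comms"].add(m["comm"])
    return rules

def allow_rules(rules):
    """Render grouped denials as allow rules, annotated with the process names."""
    out = []
    for (src, tgt, cls), entry in sorted(rules.items()):
        perms = " ".join(sorted(entry["perms"]))
        comms = ", ".join(sorted(entry["comms"]))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # {comms}")
    return out

def domains_missed(log_text, pattern):
    """Source domains that have denials but that a plain `grep pattern` drops."""
    all_src = {key[0] for key in parse_denials(log_text)}
    kept = "\n".join(l for l in log_text.splitlines() if pattern in l)
    return sorted(all_src - {key[0] for key in parse_denials(kept)})

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_LOG))))
    print("missed by 'dnsmasq_t':", domains_missed(SAMPLE_LOG, "dnsmasq_t"))
```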