SELinux policy for Pi-Hole

I am running Fedora Server 28 for ARM on my Raspberry and during the installation of Pi-Hole I got a warning message about SELinux being set to 'Enforced' and that because of it I cannot use Pi-Hole's admin page.



That is indeed the case, http://pi.hole/ returns a blank page, and without disabling SELinux / setting it to permissive on /etc/sysconfig/selinux Pi-Hole does not work at all.



The question is, how do I create a policy that allows Pi-Hole to work as intended while having Enforced status on?



Edit #1



I found this question:




start with the default policy, run in permissive to see what needs to
be fixed. Then modify your policies to fix potential problems. Then
restart strict enforcing.




grep hole /var/log/audit/audit.log outputs many comm="php-cgi" and comm="dnsmasq" denials.



Could this solve my problem?



$ grep hole /var/log/audit/audit.log | audit2allow -M mypolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:

# /usr/sbin/semodule -i mypolicy.pp






edited Jun 28 at 2:55 by slm♦

asked Jun 21 at 7:33 by Bontano





















          1 Answer
          From Pi-Hole's GitHub:




          Pi-hole being an advertising-aware DNS/Web server, makes use of the following technologies:



          dnsmasq - a lightweight DNS and DHCP server




          Solved my problem with:



          SELINUX=permissive in /etc/sysconfig/selinux



          reboot



          # grep dnsmasq_t /var/log/audit/audit.log | audit2allow -m dnscache > dnscache.te



          # grep dnsmasq_t /var/log/audit/audit.log | audit2allow -M dnscache



          semodule -i dnscache.pp



          Verified with:



          semodule -l | grep dns



          Afterwards:



          SELINUX=enforcing in /etc/sysconfig/selinux



          reboot






          • I'd be grateful for any feedback or criticism that I can learn from or use to help me improve my answer
            – Bontano
            Jun 29 at 8:35










          edited Jun 21 at 12:11

          answered Jun 21 at 11:59 by Bontano
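
An added example, not part of the original question or answer: before loading a module built by audit2allow, summarize what the logged denials would grant and list the source domains that a `grep dnsmasq_t` filter leaves out. The log records are constructed, and `php-cgi` running in the `httpd_t` domain is an assumption.

```shell
#!/bin/sh
# Constructed sample records (not from the poster's system).
# Assumption: php-cgi is confined as httpd_t.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1529567000.101:210): avc:  denied  { read } for  pid=812 comm="dnsmasq" path="/etc/pihole/gravity.list" dev="mmcblk0p3" ino=4211 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1529567000.101:210): arch=c00000b7 syscall=56 success=yes exit=7 comm="dnsmasq"
type=AVC msg=audit(1529567040.555:233): avc:  denied  { read } for  pid=812 comm="dnsmasq" path="/etc/pihole/black.list" dev="mmcblk0p3" ino=4212 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529567051.020:240): avc:  denied  { read open } for  pid=812 comm="dnsmasq" path="/var/log/pihole.log" dev="mmcblk0p3" ino=9001 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1529567102.300:251): avc:  denied  { getattr } for  pid=930 comm="php-cgi" path="/etc/pihole/setupVars.conf" dev="mmcblk0p3" ino=4300 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
}

# summarize_avc: read audit records on stdin and print one line per unique
# (source type, target type:class, permission set), prefixed by a hit count.
summarize_avc() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/^.*[{] */, "", perms)   # drop everything up to the opening brace
      sub(/ *[}].*$/, "", perms)   # drop the closing brace and the rest
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n[s " " t ":" c " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# uncovered_domains TYPE: source domains with denials that a module built
# from "grep TYPE audit.log | audit2allow" would not cover.
uncovered_domains() {
  summarize_avc | awk -v keep="$1" '$2 != keep { print $2 }' | sort -u
}

# Real use: summarize_avc < /var/log/audit/audit.log
sample_log | summarize_avc
sample_log | uncovered_domains dnsmasq_t
```

Read the summary next to the generated dnscache.te before running semodule -i: each line corresponds to access the module will permanently allow once SELinux is back in enforcing mode.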
