
I am running Fedora Server 28 for ARM on my Raspberry and during the installation of Pi-Hole I got a warning message about SELinux being set to 'Enforced' and that because of it I cannot use Pi-Hole's admin page.

That is indeed the case: http://pi.hole/ returns a blank page, and without disabling SELinux / setting it to permissive in /etc/sysconfig/selinux, Pi-Hole does not work at all.

The question is, how do I create a policy that allows Pi-Hole to work as intended while having Enforced status on?

Edit #1

I found this question:

start with the default policy, run in permissive to see what needs to be fixed. Then modify your policies to fix potential problems. Then restart strict enforcing.

grep hole /var/log/audit/audit.log outputs many comm="php-cgi" and comm="dnsmasq" denials.

Could this solve my problem?

$ grep hole /var/log/audit/audit.log | audit2allow -M mypolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:

# /usr/sbin/semodule -i mypolicy.pp
slm
Bontano

1 Answer


From Pi-Hole's GitHub:

Pi-hole being an advertising-aware DNS/Web server, makes use of the following technologies:

dnsmasq - a lightweight DNS and DHCP server

Solved my problem with:

SELINUX=permissive in /etc/sysconfig/selinux

reboot

# grep dnsmasq_t /var/log/audit/audit.log | audit2allow -m dnscache > dnscache.te

# grep dnsmasq_t /var/log/audit/audit.log | audit2allow -M dnscache

semodule -i dnscache.pp

Verified with:

semodule -l | grep dns

Afterwards:

SELINUX=enforcing in /etc/sysconfig/selinux

reboot

Bontano
  • I'd be grateful for any feedback or criticism that I can learn from or use to help me improve my answer – Bontano Jun 29 '18 at 08:35
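
A way to review what a module generated from the audit log would grant before running semodule -i, as an added example that is not part of the original question or answer: the function below filters AVC records by source domain (rather than by a substring such as "hole", which also matches php-cgi records) and prints candidate allow rules in the style of audit2allow -m. The function names, sample records and the target types in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a module built from the denials of ONE source
# domain would allow, so it can be reviewed before `semodule -i`.
# It approximates audit2allow's rule output; it does not replace it.

summarize_avc() {
    domain="$1"                      # SELinux source type, e.g. dnsmasq_t
    awk -v dom="$domain" '
    /type=AVC/ && / denied / {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e < s) next    # malformed record: no permission set
        perms = substr($0, s + 1, e - s - 1)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st != dom || tt == "" || cls == "") next
        n = split(perms, p, " ")     # one output line per permission
        for (j = 1; j <= n; j++) print tt ":" cls, p[j]
    }' | LC_ALL=C sort -u | awk -v dom="$domain" '
    $1 != prev { if (prev != "") print "allow " dom " " prev " {" acc " };"
                 prev = $1; acc = "" }
    { acc = acc " " $2 }
    END { if (prev != "") print "allow " dom " " prev " {" acc " };" }'
}

sample_log() {                       # constructed audit records, not real logs
    cat <<'EOF'
type=AVC msg=audit(1530000001.101:201): avc:  denied  { read open } for  pid=812 comm="dnsmasq" name="pihole.log" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1530000002.207:202): avc:  denied  { read } for  pid=812 comm="dnsmasq" name="pihole.log" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1530000003.310:203): avc:  denied  { getattr } for  pid=812 comm="dnsmasq" name="pihole" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1530000004.415:204): avc:  denied  { write } for  pid=940 comm="php-cgi" name="pihole.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1530000004.415:204): arch=c00000b7 syscall=56 success=yes comm="php-cgi" subj=system_u:system_r:httpd_t:s0
EOF
}

# Stand-alone run on the constructed sample; on a real host, feed
# /var/log/audit/audit.log on stdin instead.
sample_log | summarize_avc dnsmasq_t
```

On the constructed sample the php-cgi record is left out of the dnsmasq_t summary even though every record matches "hole", which shows why the choice of grep pattern decides how broad the resulting module is.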