I'm trying to get PiHole up and running using Podman on Fedora 31 Server.

When I set SELinux to Permissive mode, and I use the following command, everything works perfectly.

sudo podman run -d --name pihole \
-p 53:53/tcp -p 53:53/udp -p 80:80 -p 443:443 \
-e TZ="America/Los Angeles" \
-v "/home/{user}/apps/pihole/etc-pihole/:/etc/pihole/" -v "/home/{user}/apps/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
--dns=127.0.0.1 --dns=1.1.1.1 --hostname pi.hole \
-e VIRTUAL_HOST="pi.hole" -e PROXY_LOCATION="pi.hole" \
pihole/pihole:latest

When I set SELinux to Enforcing, if I use the same podman run command, the container fails to come up.

The first few log lines with SELinux set to permissive are as follows:

[s6-init] making user provided files available at /var/run/s6/etc...
[s6-init] ensuring user provided files have correct perms...
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
OK: Checks passed for /etc/resolv.conf DNS servers

search attlocal.net server.local
nameserver 127.0.0.1
nameserver 1.1.1.1
Assigning random password: ********
  [i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u7

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found...
  [i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...
chown: cannot access '': No such file or directory
chmod: cannot access '': No such file or directory
chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
::: Pre existing WEBPASSWORD found
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
                        "PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
                        "ServerIP" => "0.0.0.0",
                        "VIRTUAL_HOST" => "pi.hole",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains

The first few log lines with SELinux set to Enforcing are as follows:

[s6-init] making user provided files available at /var/run/s6/etc...
[s6-init] ensuring user provided files have correct perms...
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
OK: Checks passed for /etc/resolv.conf DNS servers

search attlocal.net server.local
nameserver 127.0.0.1
nameserver 1.1.1.1
Assigning random password: gYTWLNNA
  [i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u7

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found...
  [i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

If the directories were empty when the podman run command was executed with SELinux set to Enforcing, an empty file is written to /home/{user}/apps/pihole/etc-dnsmasq.d/01-pihole.conf.

There are no new messages being logged to the SELinux pane in the Cockpit server.

The following lines are logged to /var/log/audit/audit.log during the podman run command:

type=USER_ACCT msg=audit(1590538685.829:4274): pid=86246 uid=1000 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="{user}" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="{user}" AUID="{user}"
type=USER_CMD msg=audit(1590538685.830:4275): pid=86246 uid=1000 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/{user}/apps/pihole" cmd=706F646D616E2072756E202D64202D2D6E616D65207069686F6C65202D702035333A35332F746370202D702035333A35332F756470202D702038303A3830202D70203434333A343433202D6520545A3D416D65726963612F4C6F7320416E67656C6573202D76202F686F6D652F746F6D2F617070732F7069686F6C652F6574632D7069686F6C652F3A2F6574632F7069686F6C652F202D76202F686F6D652F746F6D2F617070732F7069686F6C652F6574632D646E736D6173712E642F3A2F6574632F646E736D6173712E642F202D2D646E733D3132372E302E302E31202D2D646E733D312E312E312E31202D2D686F73746E616D652070692E686F6C65202D65205649525455414C5F484F53543D70692E686F6C65202D652050524F58595F4C4F434154494F4E3D70692E686F6C65207069686F6C652F7069686F6C653A6C6174657374 exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="{user}" AUID="{user}"
type=CRED_REFR msg=audit(1590538685.831:4276): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=USER_START msg=audit(1590538685.834:4277): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=ANOM_PROMISCUOUS msg=audit(1590538686.183:4278): dev=veth41847016 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=4AUID="{user}" UID="root" GID="root"
type=NETFILTER_CFG msg=audit(1590538686.219:4279): table=nat family=2 entries=109
type=NETFILTER_CFG msg=audit(1590538686.223:4280): table=nat family=2 entries=111
type=NETFILTER_CFG msg=audit(1590538686.228:4281): table=nat family=2 entries=112
type=NETFILTER_CFG msg=audit(1590538686.232:4282): table=nat family=2 entries=113
type=NETFILTER_CFG msg=audit(1590538686.281:4283): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538686.288:4284): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538686.296:4285): table=nat family=2 entries=117
type=NETFILTER_CFG msg=audit(1590538686.303:4286): table=nat family=2 entries=118
type=NETFILTER_CFG msg=audit(1590538686.309:4287): table=nat family=2 entries=119
type=NETFILTER_CFG msg=audit(1590538686.315:4288): table=nat family=2 entries=120
type=NETFILTER_CFG msg=audit(1590538686.322:4289): table=nat family=2 entries=121
type=NETFILTER_CFG msg=audit(1590538686.330:4290): table=nat family=2 entries=122
type=NETFILTER_CFG msg=audit(1590538686.334:4291): table=nat family=2 entries=123
type=NETFILTER_CFG msg=audit(1590538686.338:4292): table=nat family=2 entries=124
type=NETFILTER_CFG msg=audit(1590538686.341:4293): table=nat family=2 entries=125
type=NETFILTER_CFG msg=audit(1590538686.345:4294): table=nat family=2 entries=126
type=NETFILTER_CFG msg=audit(1590538686.353:4295): table=nat family=2 entries=127
type=NETFILTER_CFG msg=audit(1590538686.360:4296): table=nat family=2 entries=128
type=NETFILTER_CFG msg=audit(1590538686.366:4297): table=nat family=2 entries=129
type=NETFILTER_CFG msg=audit(1590538686.391:4298): table=raw family=2 entries=51
type=NETFILTER_CFG msg=audit(1590538686.391:4299): table=mangle family=2 entries=63
type=NETFILTER_CFG msg=audit(1590538686.392:4300): table=nat family=2 entries=130
type=NETFILTER_CFG msg=audit(1590538686.392:4301): table=filter family=2 entries=156
type=UNKNOWN[1334] msg=audit(1590538686.479:4302): prog-id=218 op=LOAD
type=SERVICE_START msg=audit(1590538686.808:4303): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=184767b55633978955d091089a7b958f430473447ecbc5c765db60cda55c3fe3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_END msg=audit(1590538686.837:4304): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=CRED_DISP msg=audit(1590538686.838:4305): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=SERVICE_STOP msg=audit(1590538687.548:4306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=184767b55633978955d091089a7b958f430473447ecbc5c765db60cda55c3fe3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=UNKNOWN[1334] msg=audit(1590538690.665:4307): prog-id=218 op=UNLOAD
type=NETFILTER_CFG msg=audit(1590538690.947:4308): table=raw family=2 entries=52
type=NETFILTER_CFG msg=audit(1590538690.948:4309): table=mangle family=2 entries=64
type=NETFILTER_CFG msg=audit(1590538690.948:4310): table=nat family=2 entries=132
type=NETFILTER_CFG msg=audit(1590538690.949:4311): table=filter family=2 entries=159
type=NETFILTER_CFG msg=audit(1590538690.974:4312): table=nat family=2 entries=130
type=NETFILTER_CFG msg=audit(1590538690.982:4313): table=nat family=2 entries=118
type=NETFILTER_CFG msg=audit(1590538690.986:4314): table=nat family=2 entries=117
type=NETFILTER_CFG msg=audit(1590538690.989:4315): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538690.992:4316): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538690.998:4317): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538691.001:4318): table=nat family=10 entries=98
type=NETFILTER_CFG msg=audit(1590538691.006:4319): table=nat family=10 entries=100
type=NETFILTER_CFG msg=audit(1590538691.009:4320): table=nat family=10 entries=98
type=NETFILTER_CFG msg=audit(1590538691.014:4321): table=nat family=10 entries=100
type=ANOM_PROMISCUOUS msg=audit(1590538691.036:4322): dev=veth41847016 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=4AUID="{user}" UID="root" GID="root"
type=NETFILTER_CFG msg=audit(1590538691.070:4323): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538691.077:4324): table=nat family=2 entries=113
type=NETFILTER_CFG msg=audit(1590538691.080:4325): table=nat family=2 entries=111
type=SERVICE_START msg=audit(1590538706.795:4326): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538717.496:4327): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538898.519:4328): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=packagekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1590538987.938:4329): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538987.938:4330): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

At this point I'm pretty sure that the problem I'm running into is an SELinux permission... somewhere. However, I'm not sure how to proceed with finding the correct SELinux rules to add/remove in order to get the PiHole container to successfully come up. Previously, all the SELinux warnings were added to the Cockpit console so that I could remediate them.

What next steps should I take to find out why SELinux is preventing me from starting this container? What is a good workflow to determine what rules are needed to permit the container to write to the filesystem in these locations? Is there a good way to check that the problem isn't a port bind?

  • Have you tried adding the `:Z` flag to the volumes? Something like: `-v "/home/{user}/apps/pihole/etc-pihole/:/etc/pihole/:Z"` – grilix Jun 19 '20 at 20:20
  • I have not - I'm not sure how effective I'll be at answering this question, since I took that server down a few weeks ago. I'll let you know if this fixes things when I get some time to work on that again. – distortedsignal Jun 19 '20 at 20:52
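
The triage workflow the question asks for, as an added example that is not part of the question, of either comment, or of Pi-hole's or Podman's own code. The live checks assume the volume directories under `$HOME/apps/pihole` and the published ports 53/80/443 from the question; the `SAMPLE_AVC` record is constructed to look like what `ausearch` prints for a `container_t` process writing to a `user_home_t` bind mount (the question's audit.log excerpt contains no AVC records), and the `policy`/`port`/`relabel`/`other` classes are this example's own labels, not SELinux terminology:

```shell
#!/bin/sh
# Added helpers for "podman works in Permissive, fails in Enforcing".
# Not from the question or from Pi-hole/Podman; paths and ports are assumptions
# matching the question, and SAMPLE_AVC below is constructed for illustration.

PIHOLE_DIR="${PIHOLE_DIR:-$HOME/apps/pihole}"

# --- 1. Live checks: need root and an SELinux host, so not run offline -----
live_triage() {
    getenforce
    # Denials can be hidden by dontaudit rules.  `semodule -DB` turns those
    # off (`semodule -B` restores them); re-run `podman run` and look again.
    # Cockpit's SELinux pane is fed by setroubleshootd, so it stays empty when
    # setroubleshoot-server is not installed.
    ausearch -m AVC,USER_AVC -ts recent 2>/dev/null | tail -n 20
    # A container_t process may only write bind mounts labelled
    # container_file_t; a plain home directory is user_home_t and is denied.
    ls -Zd "$PIHOLE_DIR/etc-pihole" "$PIHOLE_DIR/etc-dnsmasq.d"
    # Rule out the port-bind theory: is something already listening there?
    ss -lntup | grep -E ':(53|80|443)[[:space:]]'
}

# --- 2. Parse one AVC record into "source_type target_type class perms" ----
avc_fields() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$perms"
}

# --- 3. Decide which kind of fix a denial calls for ----------------------
classify_avc() {
    set -- $(avc_fields "$1")
    case "$1:$2:$3" in
        # label already right: a real policy gap, feed it to audit2allow
        container_t:container_file_t:*) echo policy ;;
        # name_bind on a reserved port type: port problem, not a file label
        container_t:*_port_t:*_socket) echo port ;;
        # file/dir with a non-container label: the bind mount was never relabelled
        container_t:*:file|container_t:*:dir|container_t:*:lnk_file) echo relabel ;;
        *) echo other ;;
    esac
}

# --- 4. Rewrite a -v spec so Podman relabels it (:Z = private MCS label) ---
with_private_label() {
    case "$1" in
        *:Z|*:z|*:Z,*|*:z,*|*,Z|*,z|*,Z,*|*,z,*) printf '%s\n' "$1" ;;
        *) printf '%s:Z\n' "$1" ;;
    esac
}

# Constructed AVC record in the shape ausearch prints (not from the question):
SAMPLE_AVC='type=AVC msg=audit(1590538686.500:9999): avc:  denied  { write } for  pid=86312 comm="cp" name="01-pihole.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Offline demo: classify the sample and print the corrected volume flags.
demo() {
    printf 'sample AVC -> %s\n' "$(classify_avc "$SAMPLE_AVC")"
    for v in "$PIHOLE_DIR/etc-pihole/:/etc/pihole/" \
             "$PIHOLE_DIR/etc-dnsmasq.d/:/etc/dnsmasq.d/"; do
        printf -- '-v %s\n' "$(with_private_label "$v")"
    done
}
demo
```

`:Z` makes Podman relabel the host directory recursively to `container_file_t` with this container's MCS categories, so only this container can use it; `:z` gives a shared label that any container can read and write. Both rewrite labels on the host side, which is the same thing `chcon -Rt container_file_t <dir>` does by hand, so never apply them to a directory other things depend on (a user's whole home, `/etc`). If `classify_avc` reports `policy` instead, the label is already correct and the right move is `audit2allow -a -M pihole_local` followed by `semodule -i pihole_local.pp`, after reading the generated `.te` file rather than installing it blindly.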

0 Answers