I'm trying to get PiHole up and running with Podman on Fedora 31 Server.
Everything works fine when I set SELinux to Permissive mode and use the following command:
sudo podman run -d --name pihole \
-p 53:53/tcp -p 53:53/udp -p 80:80 -p 443:443 \
-e TZ="America/Los_Angeles" \
-v "/home/{user}/apps/pihole/etc-pihole/:/etc/pihole/" -v "/home/{user}/apps/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
--dns=127.0.0.1 --dns=1.1.1.1 --hostname pi.hole \
-e VIRTUAL_HOST="pi.hole" -e PROXY_LOCATION="pi.hole" \
pihole/pihole:latest
When I set SELinux to Enforcing and use the same podman run command, the container fails to start.
With SELinux set to Permissive, the first lines of the log are:
[s6-init] making user provided files available at /var/run/s6/etc...
[s6-init] ensuring user provided files have correct perms...
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
OK: Checks passed for /etc/resolv.conf DNS servers
search attlocal.net server.local
nameserver 127.0.0.1
nameserver 1.1.1.1
Assigning random password: ********
[i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u7
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found...
[i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...
chown: cannot access '': No such file or directory
chmod: cannot access '': No such file or directory
chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
::: Pre existing WEBPASSWORD found
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "0.0.0.0",
"VIRTUAL_HOST" => "pi.hole",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
With SELinux set to Enforcing, the first lines of the log are:
[s6-init] making user provided files available at /var/run/s6/etc...
[s6-init] ensuring user provided files have correct perms...
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
OK: Checks passed for /etc/resolv.conf DNS servers
search attlocal.net server.local
nameserver 127.0.0.1
nameserver 1.1.1.1
Assigning random password: gYTWLNNA
[i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u7
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found...
[i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
If the directories are empty when the podman run command is executed with SELinux set to Enforcing, an empty file is written to /home/{user}/apps/pihole/etc-dnsmasq.d/01-pihole.conf.
No new messages are logged to the SELinux pane in the Cockpit server.
During the podman run command, the following lines are logged to /var/log/audit/audit.log:
type=USER_ACCT msg=audit(1590538685.829:4274): pid=86246 uid=1000 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="{user}" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="{user}" AUID="{user}"
type=USER_CMD msg=audit(1590538685.830:4275): pid=86246 uid=1000 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/{user}/apps/pihole" cmd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exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="{user}" AUID="{user}"
type=CRED_REFR msg=audit(1590538685.831:4276): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=USER_START msg=audit(1590538685.834:4277): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=ANOM_PROMISCUOUS msg=audit(1590538686.183:4278): dev=veth41847016 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=4AUID="{user}" UID="root" GID="root"
type=NETFILTER_CFG msg=audit(1590538686.219:4279): table=nat family=2 entries=109
type=NETFILTER_CFG msg=audit(1590538686.223:4280): table=nat family=2 entries=111
type=NETFILTER_CFG msg=audit(1590538686.228:4281): table=nat family=2 entries=112
type=NETFILTER_CFG msg=audit(1590538686.232:4282): table=nat family=2 entries=113
type=NETFILTER_CFG msg=audit(1590538686.281:4283): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538686.288:4284): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538686.296:4285): table=nat family=2 entries=117
type=NETFILTER_CFG msg=audit(1590538686.303:4286): table=nat family=2 entries=118
type=NETFILTER_CFG msg=audit(1590538686.309:4287): table=nat family=2 entries=119
type=NETFILTER_CFG msg=audit(1590538686.315:4288): table=nat family=2 entries=120
type=NETFILTER_CFG msg=audit(1590538686.322:4289): table=nat family=2 entries=121
type=NETFILTER_CFG msg=audit(1590538686.330:4290): table=nat family=2 entries=122
type=NETFILTER_CFG msg=audit(1590538686.334:4291): table=nat family=2 entries=123
type=NETFILTER_CFG msg=audit(1590538686.338:4292): table=nat family=2 entries=124
type=NETFILTER_CFG msg=audit(1590538686.341:4293): table=nat family=2 entries=125
type=NETFILTER_CFG msg=audit(1590538686.345:4294): table=nat family=2 entries=126
type=NETFILTER_CFG msg=audit(1590538686.353:4295): table=nat family=2 entries=127
type=NETFILTER_CFG msg=audit(1590538686.360:4296): table=nat family=2 entries=128
type=NETFILTER_CFG msg=audit(1590538686.366:4297): table=nat family=2 entries=129
type=NETFILTER_CFG msg=audit(1590538686.391:4298): table=raw family=2 entries=51
type=NETFILTER_CFG msg=audit(1590538686.391:4299): table=mangle family=2 entries=63
type=NETFILTER_CFG msg=audit(1590538686.392:4300): table=nat family=2 entries=130
type=NETFILTER_CFG msg=audit(1590538686.392:4301): table=filter family=2 entries=156
type=UNKNOWN[1334] msg=audit(1590538686.479:4302): prog-id=218 op=LOAD
type=SERVICE_START msg=audit(1590538686.808:4303): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=184767b55633978955d091089a7b958f430473447ecbc5c765db60cda55c3fe3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_END msg=audit(1590538686.837:4304): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=CRED_DISP msg=audit(1590538686.838:4305): pid=86246 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="{user}"
type=SERVICE_STOP msg=audit(1590538687.548:4306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=184767b55633978955d091089a7b958f430473447ecbc5c765db60cda55c3fe3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=UNKNOWN[1334] msg=audit(1590538690.665:4307): prog-id=218 op=UNLOAD
type=NETFILTER_CFG msg=audit(1590538690.947:4308): table=raw family=2 entries=52
type=NETFILTER_CFG msg=audit(1590538690.948:4309): table=mangle family=2 entries=64
type=NETFILTER_CFG msg=audit(1590538690.948:4310): table=nat family=2 entries=132
type=NETFILTER_CFG msg=audit(1590538690.949:4311): table=filter family=2 entries=159
type=NETFILTER_CFG msg=audit(1590538690.974:4312): table=nat family=2 entries=130
type=NETFILTER_CFG msg=audit(1590538690.982:4313): table=nat family=2 entries=118
type=NETFILTER_CFG msg=audit(1590538690.986:4314): table=nat family=2 entries=117
type=NETFILTER_CFG msg=audit(1590538690.989:4315): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538690.992:4316): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538690.998:4317): table=nat family=2 entries=116
type=NETFILTER_CFG msg=audit(1590538691.001:4318): table=nat family=10 entries=98
type=NETFILTER_CFG msg=audit(1590538691.006:4319): table=nat family=10 entries=100
type=NETFILTER_CFG msg=audit(1590538691.009:4320): table=nat family=10 entries=98
type=NETFILTER_CFG msg=audit(1590538691.014:4321): table=nat family=10 entries=100
type=ANOM_PROMISCUOUS msg=audit(1590538691.036:4322): dev=veth41847016 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=4AUID="{user}" UID="root" GID="root"
type=NETFILTER_CFG msg=audit(1590538691.070:4323): table=nat family=2 entries=114
type=NETFILTER_CFG msg=audit(1590538691.077:4324): table=nat family=2 entries=113
type=NETFILTER_CFG msg=audit(1590538691.080:4325): table=nat family=2 entries=111
type=SERVICE_START msg=audit(1590538706.795:4326): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538717.496:4327): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538898.519:4328): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=packagekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1590538987.938:4329): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1590538987.938:4330): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
At this point I'm fairly sure the problem I'm hitting is SELinux permissions... somewhere. But I'm not sure how to go about finding the right SELinux rules to add/remove so that the PiHole container starts successfully. Previously, all SELinux warnings were added to the Cockpit console so that I could fix them.
What next steps should I take to find out why SELinux is blocking me from starting this container? What is a good workflow for determining which rules are needed to allow the container to write to the filesystem in these locations? Is there a good way to check that the problem isn't port binding?
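As an added example (not part of the original post, and not code from the Pi-hole or Podman projects), here is a bash triage script for the three questions above. The audit records it parses are constructed to look like what an Enforcing host logs when a container domain writes into a bind mount that still carries the home-directory label; the `/home/{user}/apps/pihole` path is the placeholder from the question; and the `:Z` volume suffix is Podman's standard relabel option, not something the post tried.

```shell
#!/usr/bin/env bash
# Added example for the question above (not from the post, Pi-hole or Podman).
# 1. avc_denials / is_volume_label_problem: parse AVC records from an audit
#    log and decide whether they are the volume-label case (container_t
#    touching user_home_t files), which needs no custom policy, only :Z.
# 2. triage_host: the live commands that answer the three questions.
# Assumption: PIHOLE_HOME is the placeholder path from the question.
set -u
PIHOLE_HOME="/home/{user}/apps/pihole"

# Print one line per AVC denial in the file $1:
#   <op> <scontext> -> <tcontext> <tclass> <name|path|src>
# Multi-permission denials ("{ read write }") are joined with "+" so every
# line stays whitespace-separated for awk filtering.
avc_denials() {
  awk '/type=AVC/ && /denied/ {
    op = ""; s = ""; t = ""; c = ""; what = ""
    if (match($0, /[{] [^}]* [}]/)) op = substr($0, RSTART + 2, RLENGTH - 4)
    gsub(/ /, "+", op)
    for (i = 1; i <= NF; i++) {
      n = index($i, "="); if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      if (k == "scontext") s = v
      else if (k == "tcontext") t = v
      else if (k == "tclass") c = v
      else if (k == "name" || k == "path" || k == "src") what = v
    }
    gsub(/"/, "", what)
    print op, s, "->", t, c, what
  }' "$1"
}

# Exit 0 and print the offending target types when a container domain was
# denied on a file or dir that is not container_file_t; exit 1 otherwise.
# Socket denials (port binding) are deliberately left out of this check.
is_volume_label_problem() {
  avc_denials "$1" | awk '
    $2 ~ /:container_t:/ && $4 !~ /:container_file_t:/ && ($5 == "file" || $5 == "dir") {
      split($4, ctx, ":"); print ctx[3]; found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample (not the post's audit.log): one non-AVC record, two
# denials against the etc-dnsmasq.d / etc-pihole volumes, one port denial.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
type=USER_ACCT msg=audit(1590538685.829:4274): pid=86246 uid=1000 auid=1000 ses=4 msg='op=PAM:accounting acct="user" exe="/usr/bin/sudo" res=success'
type=AVC msg=audit(1590538686.500:4300): avc:  denied  { write } for  pid=86300 comm="cp" name="01-pihole.conf" dev="dm-0" ino=1313 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590538686.501:4301): avc:  denied  { add_name } for  pid=86300 comm="touch" name="dhcp.leases" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1590538686.502:4302): avc:  denied  { name_bind } for  pid=86310 comm="dnsmasq" src=53 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket permissive=0
EOF

# Live triage on the host (run as root). semodule -DB rebuilds the policy
# with dontaudit rules disabled so silenced denials show up; -B restores it.
triage_host() {
  # Q1: why is SELinux blocking? Recent AVCs, including normally hidden ones.
  semodule -DB
  ausearch -m AVC,USER_AVC -ts recent -i || echo "no AVC records in window"
  semodule -B
  # Q2: which rules? Check labels first: container_t may write
  # container_file_t, not user_home_t.
  ls -dZ "$PIHOLE_HOME/etc-pihole" "$PIHOLE_HOME/etc-dnsmasq.d"
  # Q3: rule out port binding; a listener already on 53/80/443 fails the
  # run before SELinux is involved and never appears in audit.log.
  ss -lntup '( sport = :53 or sport = :80 or sport = :443 )'
}

# The fix for the volume-label case: :Z makes Podman relabel the host
# directory as container_file_t with this container's private MCS category.
# Use :z instead when several containers must share the directory.
run_pihole_relabelled() {
  podman run -d --name pihole \
    -p 53:53/tcp -p 53:53/udp -p 80:80 -p 443:443 \
    -e TZ="America/Los_Angeles" \
    -v "$PIHOLE_HOME/etc-pihole:/etc/pihole:Z" \
    -v "$PIHOLE_HOME/etc-dnsmasq.d:/etc/dnsmasq.d:Z" \
    --dns=127.0.0.1 --dns=1.1.1.1 --hostname pi.hole \
    -e VIRTUAL_HOST="pi.hole" -e PROXY_LOCATION="pi.hole" \
    pihole/pihole:latest
}

# Offline demonstration on the constructed sample; pass --live for the host.
avc_denials "$SAMPLE_LOG"
if is_volume_label_problem "$SAMPLE_LOG" >/dev/null; then
  echo "volume label problem: add :Z to the -v mounts"
fi
[ "${1:-}" = "--live" ] && triage_host
```

Run it as `sudo bash triage.sh --live` on the Fedora host; without `--live` it only exercises the parser on the embedded sample. If `ausearch` prints nothing even with dontaudit disabled, the failure is not an SELinux denial and the port check is the next thing to look at.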