#34 How to setup Pi-Hole without changing SE Linux
Opened 10 months ago by glb. Modified 6 months ago

Article explaining: How to set up Pi-Hole 2 in Fedora without disabling SELinux

https://discussion.fedoraproject.org/t/article-proposal-how-to-setup-pi-hole-without-changing-se-linux/23438


Metadata Update from @glb:
- Issue tagged with: article

10 months ago

I'd also put this on my list. I've set up pihole a couple of times, although that wasn't on Fedora but RPiOS and obvs no SELinux. It was also set up with DNSCrypt IIRC for extra privacy/security.

Metadata Update from @rlengland:
- Issue assigned to glaringgibbon

6 months ago

To start with I was going to contact the devs and see if they would be co-operative with technical input, tips and tricks, etc. I'm assuming that's OK but let me know if not.

Has any work been done on this that would serve as a starter for 10?

Any informal advice that isn't in docs?

@glaringgibbon This article was proposed but no one has worked on it so it is free and clear. The original discussion is here and a couple follow-ons showed interest in reading it.

I would see this as a step-by-step with commands and screen shots showing the process.

Any contacts you can raise are perfectly all right but make sure you give them the proper attributions and perhaps a chance to review what you have written if they so desire.

Looking at the original discussion dates it seems that pihole may have been in the repos at that time. Their docs note installation on F33 and F34 arm/x86. I'm waiting on confirmation but I think there's a technical reason it's no longer included.

Options appear to be downgrading or Podman/Docker.

I don't think downgrade is a sensible option. If the problem isn't fixable, or fixed in time, you're left with an unsupported system. I can't imagine you'd want to promote that idea.

If all that's left is a container solution because it won't run on Fedora, then the underlying image IS NOT Fedora. I haven't checked the image but I'd imagine it's Debian or derived from Debian given Pihole originated on RPis. Probably doesn't even have AppArmor running. SELinux only comes into play with respect to appropriate permissions for the images to run. Which amounts to these two lines from what I can tell from the official docs:

    -v "$(pwd)/etc-pihole:/etc/pihole:z" \
    -v "$(pwd)/etc-dnsmasq.d:/etc/dnsmasq.d:z" \

If I had podman running, I'd probably have cockpit too. I'd be prepared to wager a month's mortgage payment that the SELinux module would take care of those two lines for me.

Long story short, I'm struggling to see much of an article here until this technical glitch is resolved and it's back in the repos.

Thoughts?

@glaringgibbon if there are major shortcomings or limitations then the article may be no-go. I note that the github repo shows relatively recent changes so it appears to be at least a relatively active project.
Depending on what response you get from the project you can make a go/nogo decision. If it is nogo then please leave a description of your decision here for the next person.
Keep in mind that the originator of the proposal did so in order to have someone explain a process they wanted to have. There was no guarantee that it could even be done.
One way or the other, your research is appreciated.

Just had an email back from the Pi-Hole team. Salient extract below:

I think you'll find that creating a working SELinux policy for Pi-hole
in its current state will be quite difficult. We've tried in the past
but the amount of weakening needed for a functional Pi-hole with the web
interface became too great a liability. Docker became a first class
citizen to be used in these instances.

If they can't make it work then I'm sure I don't have the technical chops to do it.

No go from me at present.

I'll track progress and if this becomes possible in the future I'll advise accordingly.
