Re: SELinux Blocking Ping

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/22/2013 04:31 PM, Erik Boyer wrote:

Oh I also forgot to mention that I did receive an SELinux denial alert

 

 

And I did execute the commands listed in solution column but it too did not have any effect.

 

 

Thank you,

Erik Boyer
Production / IT System Support

KUKA Toledo Production Operations, LLC

 Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer@xxxxxxxx
www.ktpo.com

Consider the environment. If you print this email, please recycle.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden.

 

From: Erik Boyer
Sent: Friday, February 22, 2013 10:09 AM
To: Selinux List
Cc: Erik Boyer
Subject: SELinux Blocking Ping

 

Good Morning,

 

I have a website written in PHP installed on a 64 bit Fedora 16 server that I am trying to have ping a host to monitor it’s availability.

 

Because using sockets requires root access I wrote a simple shell script to handle the ping, returning simply “up” or “down” back to PHP.

 

The problem is that SELinux seems to be stopping Ping from working correctly. The PHP page takes a long time to load (around 30 seconds or so) and even if the host is up, the shell script still reports it as down because of the exit status of ping. In the error log for PHP there are thousands of lines of:

 

ping: sendmsg: Permission denied

 

To the point where if you ping just one host once it grows to over 200 MB. I have tried Google extensively and it seems others have this problem but there is no real answer. I have tried setting the setuid and setgid for the ping executable with chmod g+s and u+s, even giving the apache user ownership permission but to no avail. The only thing that has worked thus far is to turn off SELinux and then the scripts work fine without issue. I should also note that I can run the shell script on the shell without a problem, and the PHP exec() function can run something like “whoami” without issue.

 

I have looked at the available binary switches for SELinux but none of them seem to do what I need. I really don’t want to have to turn off SELinux for this server, as it is a webserver and I want as much protection on it as possible.

 

Does anyone have any suggestions? Any help is appreciated.


Here is the contents of the shell script:

 

/bin/ping -c 1 -W 0.2 $1

rc=$?

if [[ $rc -eq 0 ]] ; then

        echo "up"

else

        echo "down"

fi

 

Here is how I am calling this through PHP ($i is predetermined earlier in the script):

 

$ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);

if ($ping == "up")

{

echo "Response time: ";

                echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);

                echo " ms.";

}

 

The perl script is taken from Cacti (installed separately via yum) but does not run from my scripts with SELinux enabled. Again disabled it returns values as expected, and run directly from a shell it works without issue.

 

Could anyone shed some light on this for me?

 

 

Thank you,

Erik Boyer
Production / IT System Support

KUKA Toledo Production Operations, LLC

 Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer@xxxxxxxx
www.ktpo.com

Consider the environment. If you print this email, please recycle.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden.

 



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Exactly this example Dan Walsh mentioned on DevConf in Brno which we had.

The point is this is pretty powerful access which we don't want to add for httpd_t by default. You can always use audit2allow and add a local policy for your case.

1. semange permissive -a httpd_t
2. Re-test it
3. ausearch -m avc -ts recent | audit2allow -R -M myapache
4. semodule -i myapache.pp
5. semange permissive -d httpd_t


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux