<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:black">Oh I also forgot to mention that I did receive an SELinux denial alert<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><img width="661" height="396" id="Picture_x0020_2" src="cid:image003.jpg@01CE10E7.CD652210"><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">And I did execute the commands listed in solution column but it too did not have any effect.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Thank you,<br>
<br>
<b>Erik Boyer<br>
</b>Production / IT System Support<br>
<br>
</span><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#FF8000">KUKA Toledo Production Operations, LLC<br>
<br>
</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"> </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350<br>
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"><a href="mailto:erik.boyer@ktpo.com" title="mailto:erik.boyer@ktpo.com"><span style="font-size:10.0pt;color:black">erik.boyer@ktpo.com</span></a></span><u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><br>
</span></u><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"><a href="http://www.ktpo.com/"><span style="font-size:10.0pt;color:black">www.ktpo.com</span></a></span><i><span style="font-size:10.0pt;font-family:"Times New Roman","serif";color:green"><br>
<br>
Consider the environment. If you print this email, please recycle.<br>
<br>
</span></i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Erik Boyer
<br>
<b>Sent:</b> Friday, February 22, 2013 10:09 AM<br>
<b>To:</b> Selinux List<br>
<b>Cc:</b> Erik Boyer<br>
<b>Subject:</b> SELinux Blocking Ping<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good Morning,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a website written in PHP installed on a 64 bit Fedora 16 server that I am trying to have ping a host to monitor it’s availability.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Because using sockets requires root access I wrote a simple shell script to handle the ping, returning simply “up” or “down” back to PHP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The problem is that SELinux seems to be stopping Ping from working correctly. The PHP page takes a long time to load (around 30 seconds or so) and even if the host is up, the shell script still reports it as down because of the exit status
of ping. In the error log for PHP there are thousands of lines of:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><i>ping: sendmsg: Permission denied<o:p></o:p></i></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To the point where if you ping just one host once it grows to over 200 MB. I have tried Google extensively and it seems others have this problem but there is no real answer. I have tried setting the setuid and setgid for the ping executable
with chmod g+s and u+s, even giving the apache user ownership permission but to no avail. The only thing that has worked thus far is to turn off SELinux and then the scripts work fine without issue. I should also note that I can run the shell script on the
shell without a problem, and the PHP exec() function can run something like “whoami” without issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have looked at the available binary switches for SELinux but none of them seem to do what I need. I really don’t want to have to turn off SELinux for this server, as it is a webserver and I want as much protection on it as possible.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Does anyone have any suggestions? Any help is appreciated.<o:p></o:p></p>
<p class="MsoNormal"><br>
Here is the contents of the shell script:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><i>/bin/ping -c 1 -W 0.2 $1<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>rc=$?<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>if [[ $rc -eq 0 ]] ; then<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i> echo "up"<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>else<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i> echo "down"<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>fi<o:p></o:p></i></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is how I am calling this through PHP ($i is predetermined earlier in the script):<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><i>$ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>if ($ping == "up")<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>{<o:p></o:p></i></b></p>
<p class="MsoNormal" style="text-indent:.5in"><b><i>echo "Response time: ";<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i> echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i> echo " ms.";<o:p></o:p></i></b></p>
<p class="MsoNormal"><b><i>}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The perl script is taken from Cacti (installed separately via yum) but does not run from my scripts with SELinux enabled. Again disabled it returns values as expected, and run directly from a shell it works without issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Could anyone shed some light on this for me?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Thank you,<br>
<br>
<b>Erik Boyer<br>
</b>Production / IT System Support<br>
<br>
</span><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#FF8000">KUKA Toledo Production Operations, LLC<br>
<br>
</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"> </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350<br>
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><a href="mailto:erik.boyer@ktpo.com" title="mailto:erik.boyer@ktpo.com"><span style="font-size:10.0pt;color:black">erik.boyer@ktpo.com</span></a></span><u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><br>
</span></u><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><a href="http://www.ktpo.com/"><span style="font-size:10.0pt;color:black">www.ktpo.com</span></a></span><i><span style="font-size:10.0pt;font-family:"Times New Roman","serif";color:green"><br>
<br>
Consider the environment. If you print this email, please recycle.<br>
<br>
</span></i><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>