<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/25/2013 11:16 AM, Miroslav Grepl
wrote:<br>
</div>
<blockquote cite="mid:512B39EE.1040407@redhat.com" type="cite">
<div class="moz-cite-prefix">On 02/22/2013 04:31 PM, Erik Boyer
wrote:<br>
</div>
<blockquote
cite="mid:5027491AD7C1C34CAAEAC8CF4EBF85EF04B64809@KTPO83.ktpo.ops"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Oh I also forgot to mention that I did receive an SELinux denial alert</p>
<p class="MsoNormal"><i>[inline image: screenshot of the SELinux denial alert, not included]</i></p>
<p class="MsoNormal">And I did execute the commands listed in the solution column but it too did not have any effect.</p>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Thank
you,<br>
<br>
<b>Erik Boyer<br>
</b>Production / IT System Support<br>
<br>
</span><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#FF8000">KUKA
Toledo Production Operations, LLC<br>
<br>
</span></b><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:black"> </span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Tel.
+1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350<br>
</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:black"><a
moz-do-not-send="true"
href="mailto:erik.boyer@ktpo.com"
title="mailto:erik.boyer@ktpo.com"><span
style="font-size:10.0pt;color:black">erik.boyer@ktpo.com</span></a></span><u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><br>
</span></u><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:black"><a
moz-do-not-send="true" href="http://www.ktpo.com/"><span
style="font-size:10.0pt;color:black">www.ktpo.com</span></a></span><i><span
style="font-size:10.0pt;font-family:"Times New
Roman","serif";color:green"><br>
<br>
Consider the environment. If you print this email,
please recycle.<br>
<br>
</span></i><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">This
e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or
have received this e-mail in error) please notify the
sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of
contents of this e-mail is strictly forbidden.</span><span
style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Erik Boyer <br>
<b>Sent:</b> Friday, February 22, 2013 10:09 AM<br>
<b>To:</b> Selinux List<br>
<b>Cc:</b> Erik Boyer<br>
<b>Subject:</b> SELinux Blocking Ping<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal">Good Morning,</p>
<p class="MsoNormal">I have a website written in PHP installed on a 64 bit Fedora 16 server that I am trying to have ping a host to monitor its availability.</p>
<p class="MsoNormal">Because using sockets requires root access I wrote a simple shell script to handle the ping, returning simply “up” or “down” back to PHP.</p>
<p class="MsoNormal">The problem is that SELinux seems to be stopping ping from working correctly. The PHP page takes a long time to load (around 30 seconds or so) and even if the host is up, the shell script still reports it as down because of the exit status of ping. In the error log for PHP there are thousands of lines of:</p>
<pre wrap="">ping: sendmsg: Permission denied</pre>
<p class="MsoNormal">To the point where if you ping just one host once it grows to over 200 MB. I have tried Google extensively and it seems others have this problem but there is no real answer. I have tried setting the setuid and setgid for the ping executable with chmod g+s and u+s, even giving the apache user ownership permission, but to no avail. The only thing that has worked thus far is to turn off SELinux, and then the scripts work fine without issue. I should also note that I can run the shell script on the shell without a problem, and the PHP exec() function can run something like “whoami” without issue.</p>
<p class="MsoNormal">I have looked at the available binary switches for SELinux but none of them seem to do what I need. I really don’t want to have to turn off SELinux for this server, as it is a webserver and I want as much protection on it as possible.</p>
<p class="MsoNormal">Does anyone have any suggestions? Any help is appreciated.</p>
<p class="MsoNormal">Here are the contents of the shell script:</p>
<pre wrap="">#!/bin/bash
# Ping the host given as the first argument once and report "up" or "down"
# based on ping's exit status.
/bin/ping -c 1 -W 0.2 "$1"
rc=$?
if [[ $rc -eq 0 ]] ; then
    echo "up"
else
    echo "down"
fi</pre>
<p class="MsoNormal">Here is how I am calling this through PHP ($i is predetermined earlier in the script):</p>
<pre wrap="">$ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);
if ($ping == "up")
{
    echo "Response time: ";
    echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);
    echo " ms.";
}</pre>
<p class="MsoNormal">The perl script is taken from Cacti (installed separately via yum) but does not run from my scripts with SELinux enabled. Again, disabled it returns values as expected, and run directly from a shell it works without issue.</p>
<p class="MsoNormal">Could anyone shed some light on this for me?</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
This is exactly the example Dan Walsh mentioned at DevConf in Brno, which we had.<br>
<br>
The point is this is pretty powerful access which we don't want to add for httpd_t by default. You can always use audit2allow and add a local policy for your case.<br>
<br>
1. semanage permissive -a httpd_t<br>
2. Re-test it<br>
3. ausearch -m avc -ts recent | audit2allow -R -M myapache<br>
4. semodule -i myapache.pp<br>
5. semanage permissive -d httpd_t<br>
<br>
<br>
<br>
</blockquote>
But yes, the following solution is much better.<br>
<br>
<pre wrap="">policy_module(localhttpping, 1.0.4)

require {
    type httpd_sys_script_t;
    type httpd_t;
}

# Let httpd_t and CGI scripts (httpd_sys_script_t) transition into ping_t
# when they execute ping, instead of granting raw-socket access to httpd_t.
netutils_domtrans_ping(httpd_sys_script_t)
netutils_domtrans_ping(httpd_t)
</pre>
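<p>The following script is an added worked example, not code from the thread or from the Fedora policy project. It writes the localhttpping module above to a .te file, compiles and loads it, and also wraps the permissive-domain / audit2allow procedure from the earlier reply in a single function so the permissive flag on httpd_t is always removed again. Assumptions: selinux-policy-devel is installed (it provides /usr/share/selinux/devel/Makefile), the install and capture modes run as root on the affected host, and the reproducer URL in the comment is a placeholder for whatever hits the PHP page.</p>

```shell
#!/bin/bash
# Added example (not part of the original thread). Builds/loads the
# localhttpping domain-transition module and offers the audit2allow capture
# workflow from the reply as an alternative. Assumes selinux-policy-devel
# (for /usr/share/selinux/devel/Makefile) and root for install/capture.

set -eu

TE_NAME="localhttpping"

# Write the .te source from the thread into "$1/localhttpping.te"; print its path.
write_te() {
    dir="$1"
    cat > "$dir/$TE_NAME.te" <<'EOF'
policy_module(localhttpping, 1.0.4)

require {
    type httpd_sys_script_t;
    type httpd_t;
}

# Transition httpd_t and httpd_sys_script_t into ping_t when they exec ping.
netutils_domtrans_ping(httpd_sys_script_t)
netutils_domtrans_ping(httpd_t)
EOF
    printf '%s\n' "$dir/$TE_NAME.te"
}

# Sanity checks on a .te before loading it: it should grant the two domain
# transitions and contain no raw "allow" rules widening httpd_t itself.
count_domtrans() {
    grep -c '^netutils_domtrans_ping(' "$1"
}

has_raw_allow() {
    grep -q '^allow ' "$1"
}

# Compile the .te into a .pp with the reference-policy devel Makefile, load it,
# and confirm the transition target label is in place on the ping binary.
build_and_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$TE_NAME.pp" )
    semodule -i "$dir/$TE_NAME.pp"
    semodule -l | grep "^$TE_NAME"
    # The interface keys the transition on ping_exec_t; a mislabeled binary
    # would leave ping running in httpd_t and the denial unchanged.
    ls -Z /bin/ping | grep -q ping_exec_t || restorecon -v /bin/ping
}

# The workflow from the reply: make only httpd_t permissive, run the
# reproducer, turn the logged AVCs into a module, then revert. The trap
# guarantees httpd_t is taken out of permissive mode even if a step fails.
# The resulting module grants httpd_t the raw-socket access ping needs
# directly, which is why the domtrans module above is the better option.
capture_with_audit2allow() {
    name="$1"; shift
    semanage permissive -a httpd_t
    trap 'semanage permissive -d httpd_t' EXIT
    if [ "$#" -gt 0 ]; then
        "$@"        # reproducer, e.g. curl http://localhost/ips/ (placeholder URL)
    fi
    ausearch -m avc -ts recent | audit2allow -R -M "$name"
    semodule -i "$name.pp"
    semanage permissive -d httpd_t
    trap - EXIT
}

case "${1:-}" in
    install)
        work=$(mktemp -d)
        te=$(write_te "$work")
        build_and_install "$(dirname "$te")"
        ;;
    capture)
        shift
        capture_with_audit2allow myapache "$@"
        ;;
esac
```

<p>Run it as <code>./localhttpping.sh install</code> to load the domain-transition module, or <code>./localhttpping.sh capture curl http://localhost/ips/</code> to go the audit2allow route. Before loading anything generated by audit2allow, read the .te it produced: anything beyond what the reproducer needs (raw or packet socket permissions on httpd_t, extra capabilities) is exactly the kind of access the reply warns about, and the domtrans module keeps that access confined to ping_t.</p>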
<br>
</body>
</html>