Oh, I also forgot to mention that I did receive an SELinux denial alert,
and I did execute the commands listed in the solution column, but that
did not have any effect either.
Thank you,
Erik Boyer
Production / IT System Support
KUKA Toledo Production Operations, LLC
Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer@ktpo.com
http://www.ktpo.com/
Consider the environment. If you print this email, please recycle.
This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail.
Any unauthorized copying, disclosure or distribution of contents of
this e-mail is strictly forbidden.
From: Erik Boyer
Sent: Friday, February 22, 2013 10:09 AM
To: Selinux List
Cc: Erik Boyer
Subject: SELinux Blocking Ping
Good Morning,
I have a website written in PHP installed on a 64 bit Fedora 16 server
that I am trying to have ping a host to monitor its availability.
Because using sockets requires root access I wrote a simple shell
script to handle the ping, returning simply "up" or "down" back to PHP.
The problem is that SELinux seems to be stopping Ping from working
correctly. The PHP page takes a long time to load (around 30 seconds
or so) and even if the host is up, the shell script still reports it
as down because of the exit status of ping. In the error log for PHP
there are thousands of lines of:
    ping: sendmsg: Permission denied
To the point where if you ping just one host once it grows to over 200
MB. I have tried Google extensively and it seems others have this
problem but there is no real answer. I have tried setting the setuid
and setgid for the ping executable with chmod g+s and u+s, even giving
the apache user ownership permission but to no avail. The only thing
that has worked thus far is to turn off SELinux and then the scripts
work fine without issue. I should also note that I can run the shell
script on the shell without a problem, and the PHP exec() function can
run something like “whoami” without issue.
I have looked at the available binary switches for SELinux but none of
them seem to do what I need. I really don’t want to have to turn off
SELinux for this server, as it is a webserver and I want as much
protection on it as possible.
Does anyone have any suggestions? Any help is appreciated.
Here are the contents of the shell script:

    #!/bin/bash
    # Ping the host given as the first argument once; -W is the reply timeout.
    /bin/ping -c 1 -W 0.2 "$1"
    rc=$?
    # ping exits 0 only when at least one reply came back.
    if [[ $rc -eq 0 ]] ; then
        echo "up"
    else
        echo "down"
    fi
Here is how I am calling this through PHP ($i is predetermined earlier
in the script):

    // exec() returns the last line the script printed: "up" or "down".
    $ping = exec("/var/www/html/ips/ping.sh 10.0.1." . $i);
    if ($ping == "up")
    {
        echo "Response time: ";
        // Cacti's ping.pl prints the round-trip time for the host.
        echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1." . $i);
        echo " ms.";
    }
The perl script is taken from Cacti (installed separately via yum) but
does not run from my scripts with SELinux enabled. Again disabled it
returns values as expected, and run directly from a shell it works
without issue.
Could anyone shed some light on this for me?
Thank you,
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Exactly this example Dan Walsh mentioned at DevConf in Brno, which we had.
The point is this is pretty powerful access which we don't want to add
for httpd_t by default. You can always use audit2allow and add a local
policy for your case.
1. semanage permissive -a httpd_t
2. Re-test it
3. ausearch -m avc -ts recent | audit2allow -R -M myapache
4. semodule -i myapache.pp
5. semanage permissive -d httpd_t
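An added example, not part of this thread and not code from any SELinux tool: a small Python triage of AVC records of the kind `ausearch -m avc` prints, meant to be run between step 2 and step 3 so you can see what the module audit2allow builds would actually allow before you install it. The audit lines are constructed to resemble the ping-from-httpd case (PIDs, timestamps and the extra mysqld_port_t denial are made up), and the allow-rule sketch is an approximation: real `audit2allow -R` output may express the same access through reference policy interfaces rather than raw allow rules.

```python
"""Triage SELinux AVC denials before feeding them to audit2allow.

Added example; the records below are constructed, not taken from the
poster's server. They mimic what 'ausearch -m avc' prints when ping
runs inside the httpd_t domain.
"""
import re
from collections import defaultdict

# Constructed sample audit output (shape only; values are invented).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1361548140.101:2201): avc:  denied  { create } for  pid=2811 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1361548140.102:2202): avc:  denied  { write } for  pid=2811 comm="ping" path="socket:[40123]" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1361548140.102:2203): avc:  denied  { write } for  pid=2811 comm="ping" path="socket:[40123]" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1361548141.500:2204): avc:  denied  { name_connect } for  pid=2812 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1361548140.101:2201): arch=c000003e syscall=41 success=no exit=-13
"""

# One AVC denial: permission set, optional comm, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'
    r'.*?\bscontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Object classes whose grant hands a domain raw-packet access on the network.
RAW_SOCKET_CLASSES = {"rawip_socket", "packet_socket"}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial record found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        denials.append({
            "comm": m.group("comm") or "?",
            "source_type": context_type(m.group("scon")),
            "target_type": context_type(m.group("tcon")),
            "tclass": m.group("tclass"),
            "perms": tuple(m.group("perms").split()),
        })
    return denials


def summarize(denials):
    """Count denials per (source type, object class, permission)."""
    counts = defaultdict(int)
    for d in denials:
        for p in d["perms"]:
            counts[(d["source_type"], d["tclass"], p)] += 1
    return dict(counts)


def allow_rules(denials):
    """Sketch the allow rules a generator like audit2allow derives from these denials."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    rules = []
    for src, tgt, cls in sorted(perms):
        target = "self" if tgt == src else tgt
        ps = sorted(perms[(src, tgt, cls)])
        perm_txt = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_txt};")
    return rules


def needs_review(denials):
    """(source type, class) pairs whose grant would be raw-socket access."""
    return sorted({(d["source_type"], d["tclass"]) for d in denials
                   if d["tclass"] in RAW_SOCKET_CLASSES})


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    for key, n in sorted(summarize(found).items()):
        print(f"{n:4d}  {key}")
    print("\n".join(allow_rules(found)))
    for src, cls in needs_review(found):
        print(f"review: an allow for {src} on {cls} grants raw-socket access")
```

Run as-is it reports on the sample; in practice feed it the output of `ausearch -m avc -ts recent`. The rule it sketches for this thread, `allow httpd_t self:rawip_socket { create write };`, is the access the reply calls powerful, so read the generated .te file before `semodule -i` and confirm that is the grant you want on a web server.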