Re: SELinux Blocking Ping

Oh I also forgot to mention that I did receive an SELinux denial alert And I did execute the commands listed in solution column but it too did not have any effect. Thank you, *Erik Boyer *Production / IT System Support *KUKA Toledo Production Operations, LLC *Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350 erik.boyer(a)ktpo.com <mailto:erik.boyer@ktpo.com>_ _www.ktpo.com <http://www.ktpo.com/>/ Consider the environment. If you print this email, please recycle. /This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden. *From:*Erik Boyer *Sent:* Friday, February 22, 2013 10:09 AM *To:* Selinux List *Cc:* Erik Boyer *Subject:* SELinux Blocking Ping Good Morning, I have a website written in PHP installed on a 64 bit Fedora 16 server that I am trying to have ping a host to monitor it’s availability. Because using sockets requires root access I wrote a simple shell script to handle the ping, returning simply “up” or “down” back to PHP. The problem is that SELinux seems to be stopping Ping from working correctly. The PHP page takes a long time to load (around 30 seconds or so) and even if the host is up, the shell script still reports it as down because of the exit status of ping. In the error log for PHP there are thousands of lines of: */ping: sendmsg: Permission denied/* To the point where if you ping just one host once it grows to over 200 MB. I have tried Google extensively and it seems others have this problem but there is no real answer. I have tried setting the setuid and setgid for the ping executable with chmod g+s and u+s, even giving the apache user ownership permission but to no avail. The only thing that has worked thus far is to turn off SELinux and then the scripts work fine without issue. I should also note that I can run the shell script on the shell without a problem, and the PHP exec() function can run something like “whoami” without issue. I have looked at the available binary switches for SELinux but none of them seem to do what I need. I really don’t want to have to turn off SELinux for this server, as it is a webserver and I want as much protection on it as possible. Does anyone have any suggestions? Any help is appreciated. Here is the contents of the shell script: *//bin/ping -c 1 -W 0.2 $1/* */rc=$?/* */if [[ $rc -eq 0 ]] ; then/* */ echo "up"/* */else/* */ echo "down"/* */fi/* Here is how I am calling this through PHP ($i is predetermined earlier in the script): */$ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);/* */if ($ping == "up")/* */{/* */echo "Response time: ";/* */ echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);/* */ echo " ms.";/* */}/* The perl script is taken from Cacti (installed separately via yum) but does not run from my scripts with SELinux enabled. Again disabled it returns values as expected, and run directly from a shell it works without issue. Could anyone shed some light on this for me? Thank you, *Erik Boyer *Production / IT System Support *KUKA Toledo Production Operations, LLC *Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350 erik.boyer(a)ktpo.com <mailto:erik.boyer@ktpo.com>_ _www.ktpo.com <http://www.ktpo.com/>/ Consider the environment. If you print this email, please recycle. /This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden. -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux