Oh I also forgot
to mention that I did receive an SELinux denial alert
And I did execute
the commands listed in solution column but it too did not
have any effect.
Thank
you,
Erik Boyer
Production / IT System Support
KUKA
Toledo Production Operations, LLC
Tel.
+1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer@ktpo.com
www.ktpo.com
Consider the environment. If you print this email,
please recycle.
This
e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or
have received this e-mail in error) please notify the
sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of
contents of this e-mail is strictly forbidden.
From:
Erik Boyer
Sent: Friday, February 22, 2013 10:09 AM
To: Selinux List
Cc: Erik Boyer
Subject: SELinux Blocking Ping
Good Morning,
I have a website written in PHP installed
on a 64 bit Fedora 16 server that I am trying to have ping a
host to monitor it’s availability.
Because using sockets requires root access
I wrote a simple shell script to handle the ping, returning
simply “up” or “down” back to PHP.
The problem is that SELinux seems to be
stopping Ping from working correctly. The PHP page takes a
long time to load (around 30 seconds or so) and even if the
host is up, the shell script still reports it as down because
of the exit status of ping. In the error log for PHP there are
thousands of lines of:
ping: sendmsg: Permission denied
To the point where if you ping just one
host once it grows to over 200 MB. I have tried Google
extensively and it seems others have this problem but there is
no real answer. I have tried setting the setuid and setgid for
the ping executable with chmod g+s and u+s, even giving the
apache user ownership permission but to no avail. The only
thing that has worked thus far is to turn off SELinux and then
the scripts work fine without issue. I should also note that I
can run the shell script on the shell without a problem, and
the PHP exec() function can run something like “whoami”
without issue.
I have looked at the available binary
switches for SELinux but none of them seem to do what I need.
I really don’t want to have to turn off SELinux for this
server, as it is a webserver and I want as much protection on
it as possible.
Does anyone have any suggestions? Any help
is appreciated.
Here is the contents of the shell script:
/bin/ping -c 1 -W 0.2 $1
rc=$?
if [[ $rc -eq 0 ]] ; then
echo "up"
else
echo "down"
fi
Here is how I am calling this through PHP
($i is predetermined earlier in the script):
$ping =
exec("/var/www/html/ips/ping.sh 10.0.1.".$i);
if ($ping == "up")
{
echo
"Response time: ";
echo
exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl
10.0.1.".$i);
echo " ms.";
}
The perl script is taken from Cacti
(installed separately via yum) but does not run from my
scripts with SELinux enabled. Again disabled it returns values
as expected, and run directly from a shell it works without
issue.
Could anyone shed some light on this for
me?
Thank
you,
Erik Boyer
Production / IT System Support
KUKA
Toledo Production Operations, LLC
Tel.
+1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer@ktpo.com
www.ktpo.com
Consider the environment. If you print this email, please
recycle.
This
e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or have
received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of contents of this
e-mail is strictly forbidden.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux